#59 DGifOpen can segfault if DGifGetScreenDesc fails

v1.0_(example)
closed
nobody
None
1
2015-01-09
2014-05-19
No

The DGifOpen(void *userData, InputFunc readFunc, int *Error) function allows Error to be NULL, and in most cases checks if (Error != NULL) before attempting to assign to *Error. However, it fails to do so in this case:

if (DGifGetScreenDesc(GifFile) == GIF_ERROR) {
    free((char *)Private);
    free((char *)GifFile);
    *Error = D_GIF_ERR_NO_SCRN_DSCR;
    return NULL;
}

Thus, if one calls DGifOpen passing NULL for Error, and if DGifGetScreenDesc fails, then the program will crash.

Here's a simple test case that runs into this bug:

#include <stdio.h>
#include "gif_lib.h"

int ReadFunc(GifFileType* gif, GifByteType* data, int length) {
  FILE* file = (FILE*)(gif->UserData);
  return fread(data, sizeof(GifByteType), length, file);
}

int main(int argc, char** argv) {
  FILE* tmp = tmpfile();
  fwrite("GIF89a\x01", sizeof(char), 7, tmp);
  rewind(tmp);
  GifFileType* gif = DGifOpen(tmp, ReadFunc, NULL);  // segfaults
  DGifCloseFile(gif, NULL);
  fclose(tmp);
  return 0;
}

Changing the third parameter to DGifOpen in the above test to a valid int* avoids the segfault, but DGifOpen is supposed to allow that parameter to be NULL.
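One way to keep every failure path safe when the error out-parameter is optional is to route all writes through a single NULL-checking helper. This is an added sketch, not giflib's code and not the fix committed to the repository; `demo_open`, `set_error`, `DemoGif` and the `DEMO_*` codes are hypothetical names, and the input is the truncated 7-byte stream from the test case above.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical error codes and type for this sketch; not giflib's. */
enum { DEMO_OK = 0, DEMO_ERR_NOT_GIF, DEMO_ERR_NO_SCRN_DSCR, DEMO_ERR_NO_MEM };
typedef struct { unsigned width, height; } DemoGif;

/* The only place that writes the optional out-parameter. */
static void set_error(int *Error, int code) {
    if (Error != NULL)
        *Error = code;
}

/* Parses the 6-byte signature and the 7-byte logical screen descriptor
 * from a memory buffer. Error may be NULL, as DGifOpen's contract allows. */
DemoGif *demo_open(const unsigned char *buf, size_t len, int *Error) {
    DemoGif *gif;

    if (len < 6 || (memcmp(buf, "GIF87a", 6) != 0 &&
                    memcmp(buf, "GIF89a", 6) != 0)) {
        set_error(Error, DEMO_ERR_NOT_GIF);
        return NULL;
    }
    if (len < 6 + 7) {  /* screen descriptor missing or truncated */
        set_error(Error, DEMO_ERR_NO_SCRN_DSCR);
        return NULL;
    }
    gif = malloc(sizeof *gif);
    if (gif == NULL) {
        set_error(Error, DEMO_ERR_NO_MEM);
        return NULL;
    }
    /* Width and height are little-endian 16-bit fields. */
    gif->width  = buf[6] | ((unsigned)buf[7] << 8);
    gif->height = buf[8] | ((unsigned)buf[9] << 8);
    set_error(Error, DEMO_OK);
    return gif;
}

int main(void) {
    /* Constructed input: same bytes the test case writes to its temp file. */
    const unsigned char truncated[] = "GIF89a\x01";
    int err = -1;

    DemoGif *a = demo_open(truncated, 7, NULL);  /* NULL Error: no crash */
    DemoGif *b = demo_open(truncated, 7, &err);
    printf("NULL Error -> %p; int* Error -> %p, code %d\n",
           (void *)a, (void *)b, err);
    return 0;
}
```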

Discussion

  • Eric S. Raymond - 2014-12-22

    Fixed in the repository; it will issue in the next point release.

  • Eric S. Raymond - 2014-12-22

    • status: open --> closed
