Hi giflib developers!
I hope you are well!
I'm trying to verify whether CVE-2020-23922 (heap overflow in DumpScreen2RGB in gif2rgb.c) is fixed in giflib 5.2.1.
The CVE was found in giflib <= 5.1.4, but the CVE database links to open giflib bug ticket #151.
But the giflib NEWS for 5.1.5 says a similar bug was fixed: #105: heap buffer overflow in DumpScreen2RGB in gif2rgb.c:317 - but I can't find ticket #105 in the list of your open or closed tickets.
So I'm not sure if CVE-2020-23922 is fixed or not.
Looks like you redid the giflib folder structure between 5.1.4 and 5.2.1 so it's hard to compare diffs, but I manually diff'ed gif2rgb.c between 5.1.4 and 5.2.1 and I don't see a fix yet.
Can you please confirm? If fixed, can you point me to the change?
Thank you!
Ellen Johnson
Senior Software Engineer
MathWorks