32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so in colorMap->Colors[colorIndex] * No range checking was done on a color index. Add range checking and bail if the color index is out of range. Test: tested sending a large gif that would invoke the GifTranscoder library to make the gif smaller. Bug: 32764144 Change-Id: I44f36274ec333ae1960fa8fc96b2dbde35fbaa66 (cherry picked from commit 6f763fef7ab16e28f6c43496e0f866e7803b4dc8)

commit: 6994c837119eeaeaa9673bc865bc8e309f74b6fb [log] [tgz]
author: Tom Taylor <tomtaylor@google.com> Wed Jan 11 09:17:01 2017 -0800
committer: Feng Yu <feny@google.com> Fri Jan 20 00:37:19 2017 +0000
tree: 14c8617f5b231b20c89c17538b26faaf20f15524
parent: 6dd9f6a1516974f533bd04fba3b8b19d8722711b [diff]
diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp
index a7f5c74..a3fb5f5 100644
--- a/jni/GifTranscoder.cpp
+++ b/jni/GifTranscoder.cpp

@@ -384,6 +384,11 @@
     for (int y = 0; y < gifIn->Image.Height; y++) {
         for (int x = 0; x < gifIn->Image.Width; x++) {
             GifByteType colorIndex = *getPixel(rasterBits, gifIn->Image.Width, x, y);
+            if (colorIndex >= colorMap->ColorCount) {
+                LOGE("Color Index %d is out of bounds (count=%d)", colorIndex,
+                    colorMap->ColorCount);
+                return false;
+            }
 
             // This image may be smaller than the GIF's "logical screen"
             int renderX = x + gifIn->Image.Left;
commit	6994c837119eeaeaa9673bc865bc8e309f74b6fb	[log] [tgz]
author	Tom Taylor <tomtaylor@google.com>	Wed Jan 11 09:17:01 2017 -0800
committer	Feng Yu <feny@google.com>	Fri Jan 20 00:37:19 2017 +0000
tree	14c8617f5b231b20c89c17538b26faaf20f15524
parent	6dd9f6a1516974f533bd04fba3b8b19d8722711b [diff]