commit ab207b05b269e25ac5475fb75d410aef53e793a1
author Tom Taylor <tomtaylor@google.com> Thu Dec 01 12:20:44 2016 -0800
committer gitbuildkicker <android-build@google.com> Thu Dec 15 16:32:35 2016 -0800
tree 467a3350caccde3d8bfb51ce5f7e157c3530eaa3
parent 8f919967cf6369a5d25abf237819320fd4bd2c8f

32322450 Security Vulnerability - heap buffer overflow in libgiftranscode.so

* No range checking was done on the background color index. Add range
checking and bail if the color index is out of range.

* Test
Manual
- tested sending the gif attached in the bug.
- tested sending a 3.5mb gif to verify the gif transcoding was taking place.
- tested on arm64, arm, and x86 devices.

Change-Id: Id16ddccf05c8472ddebc1284b2a928dafd1be551
Fixes: 32322450
(cherry picked from commit bcc1f62715f8005684ac6b798d0d54224394e975)

jni/GifTranscoder.cpp

diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp
index 1f329f7..a7f5c74 100644
--- a/jni/GifTranscoder.cpp
+++ b/jni/GifTranscoder.cpp
@@ -274,6 +274,11 @@
                     // matches what libframesequence (Rastermill) does.
                     if (imageIndex == 0 && gifIn->SColorMap) {
                         if (gcb.TransparentColor == NO_TRANSPARENT_COLOR) {
+                            if (gifIn->SBackGroundColor < 0 ||
+                                gifIn->SBackGroundColor >= gifIn->SColorMap->ColorCount) {
+                                LOGE("SBackGroundColor overflow");
+                                return false;
+                            }
                             GifColorType bgColorIndex =
                                     gifIn->SColorMap->Colors[gifIn->SBackGroundColor];
                             bgColor = gifColorToColorARGB(bgColorIndex);