32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so in colorMap->Colors[colorIndex] am: 6f763fef7a am: 9f00add2fb am: 71d4913462 am: 82fa311e9a am: cc649e4e1e am: 657379f51c am: fb324f89bf am: eece1bd759 Change-Id: I5b978323dc12e67a3ea2b27a71d1bf1de27e1c0a

commit: 8495e582a1ae64747005a267902b16051474458b [log] [tgz]
author: Tom Taylor <tomtaylor@google.com> Tue Jan 17 19:59:54 2017 +0000
committer: android-build-merger <android-build-merger@google.com> Tue Jan 17 19:59:54 2017 +0000
tree: 7ce2676e717bffb7d4c3450e4c6f75ff85989c12
parent: f07dfd0a1956b250a0b710887471ad67f5104351 [diff]
parent: eece1bd759770f2c44a4b60ed79e705b44df0223 [diff]
diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp
index 6245538..112feca 100644
--- a/jni/GifTranscoder.cpp
+++ b/jni/GifTranscoder.cpp

@@ -384,6 +384,11 @@
     for (int y = 0; y < gifIn->Image.Height; y++) {
         for (int x = 0; x < gifIn->Image.Width; x++) {
             GifByteType colorIndex = *getPixel(rasterBits, gifIn->Image.Width, x, y);
+            if (colorIndex >= colorMap->ColorCount) {
+                LOGE("Color Index %d is out of bounds (count=%d)", colorIndex,
+                    colorMap->ColorCount);
+                return false;
+            }
 
             // This image may be smaller than the GIF's "logical screen"
             int renderX = x + gifIn->Image.Left;
commit	8495e582a1ae64747005a267902b16051474458b	[log] [tgz]
author	Tom Taylor <tomtaylor@google.com>	Tue Jan 17 19:59:54 2017 +0000
committer	android-build-merger <android-build-merger@google.com>	Tue Jan 17 19:59:54 2017 +0000
tree	7ce2676e717bffb7d4c3450e4c6f75ff85989c12
parent	f07dfd0a1956b250a0b710887471ad67f5104351 [diff]
parent	eece1bd759770f2c44a4b60ed79e705b44df0223 [diff]