32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so in colorMap->Colors[colorIndex] am: 6f763fef7a am: 9f00add2fb am: 71d4913462 am: 82fa311e9a am: cc649e4e1e am: 657379f51c am: fb324f89bf Change-Id: I8e57243cac35d74a28e5af1fd23800d5cb7cb080

commit: eece1bd759770f2c44a4b60ed79e705b44df0223 [log] [tgz]
author: Tom Taylor <[email protected]> Tue Jan 17 19:57:24 2017 +0000
committer: android-build-merger <[email protected]> Tue Jan 17 19:57:24 2017 +0000
tree: 7ce2676e717bffb7d4c3450e4c6f75ff85989c12
parent: 0d9e6a3cf5c60b100e2dc1b38ffb8505d2adce6f [diff]
parent: fb324f89bfe7973432b6c1c8b7a2ec949b6d5615 [diff]
diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp
index 6245538..112feca 100644
--- a/jni/GifTranscoder.cpp
+++ b/jni/GifTranscoder.cpp

@@ -384,6 +384,11 @@
     for (int y = 0; y < gifIn->Image.Height; y++) {
         for (int x = 0; x < gifIn->Image.Width; x++) {
             GifByteType colorIndex = *getPixel(rasterBits, gifIn->Image.Width, x, y);
+            if (colorIndex >= colorMap->ColorCount) {
+                LOGE("Color Index %d is out of bounds (count=%d)", colorIndex,
+                    colorMap->ColorCount);
+                return false;
+            }
 
             // This image may be smaller than the GIF's "logical screen"
             int renderX = x + gifIn->Image.Left;
commit	eece1bd759770f2c44a4b60ed79e705b44df0223	[log] [tgz]
author	Tom Taylor <[email protected]>	Tue Jan 17 19:57:24 2017 +0000
committer	android-build-merger <[email protected]>	Tue Jan 17 19:57:24 2017 +0000
tree	7ce2676e717bffb7d4c3450e4c6f75ff85989c12
parent	0d9e6a3cf5c60b100e2dc1b38ffb8505d2adce6f [diff]
parent	fb324f89bfe7973432b6c1c8b7a2ec949b6d5615 [diff]