microsoft · jslobodzian · Oct 18, 2024 · Oct 15, 2024
@@ -0,0 +1,30 @@
+From 006158597ac945d1992c9411f393eb228fb9c7bc Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <[email protected]>
+Date: Fri, 11 Oct 2024 10:39:07 +0530
+Subject: [PATCH] Patch for CVE-2022-28506
+
+Upstream patch details are given below.
+https://sourceforge.net/u/mmuzila/giflib/ci/5b74cdd9c1285514eaa4675347ba3eea81d32c65/
+---
+ gif2rgb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index 9d16664..82f1130 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+             GifRow = ScreenBuffer[i];
+             GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
+             for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
++                /* Check if color is within color palete */
++                if (GifRow[j] >= ColorMap->ColorCount)
++                {
++                   GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
++                }
+                 ColorMapEntry = &ColorMap->Colors[GifRow[j]];
+                 *BufferP++ = ColorMapEntry->Red;
+                 *BufferP++ = ColorMapEntry->Green;
+-- 
+2.34.1
+
@@ -0,0 +1,43 @@
+From e9ed0342ff3da16c646e355c1bb8a37ab0c93240 Mon Sep 17 00:00:00 2001
+From: Bogdan Codres <[email protected]>
+Date: Fri, 8 Mar 2024 01:30:45 +0800
+Subject: [PATCH] Free Buffers from DumpScreen2RGB in error case
+
+==581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002bfc at pc 0x557cbdc9b28d bp 0x7ffde35804b0 sp 0x7ffde35804a0
+READ of size 1 at 0x602000002bfc thread T0
+    #0 0x557cbdc9b28c in DumpScreen2RGB ../../giflib-5.1.4/util/gif2rgb.c:323
+    #1 0x557cbdc9b28c in GIF2RGB ../../giflib-5.1.4/util/gif2rgb.c:480
+    #2 0x557cbdc9b28c in main ../../giflib-5.1.4/util/gif2rgb.c:538
+    #3 0x7fb09ad8214a in __libc_start_main (/lib64/libc.so.6+0x391602414a)
+    #4 0x557cbdc9bb19 in _start (/usr/bin/gif2rgb+0x5b19)
+
+0x602000002bfc is located 0 bytes to the right of 12-byte region [0x602000002bf0,0x602000002bfc)
+allocated by thread T0 here:
+    #0 0x7fb09b021138 in __interceptor_calloc (/usr/lib64/libasan.so.5+0xee138)
+    #1 0x7fb09af2ab1e in GifMakeMapObject ../../giflib-5.1.4/lib/gifalloc.c:55
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow ../../giflib-5.1.4/util/gif2rgb.c:323 in DumpScreen2RGB
+
+Signed-off-by: Bogdan Codres <[email protected]>
+---
+ util/gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index bdc861f..9916fde 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -327,6 +327,9 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+             if (fwrite(Buffers[0], ScreenWidth, 1, rgbfp[0]) != 1 ||
+                 fwrite(Buffers[1], ScreenWidth, 1, rgbfp[1]) != 1 ||
+                 fwrite(Buffers[2], ScreenWidth, 1, rgbfp[2]) != 1)
++		free((char *) Buffers[0]);
++		free((char *) Buffers[1]);
++		free((char *) Buffers[2]);
+                 GIF_EXIT("Write to file(s) failed.");
+         }
+
+-- 
+2.26.1
+
+
@@ -1,14 +1,16 @@
 Name:           giflib
 Summary:        A library and utilities for processing GIFs
 Version:        5.2.1
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            http://www.sourceforge.net/projects/giflib/
 Source0:        http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
 # Move quantize.c back into libgif.so (#1750122)
 Patch0:         giflib_quantize.patch
+Patch1:         CVE-2023-48161.patch
+Patch2:         CVE-2022-28506.patch
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  xmlto
@@ -59,6 +61,9 @@ find %{buildroot} -name '*.a' -print -delete
 %{_mandir}/man1/*.1*
 
 %changelog
+* Fri Oct 11 2024 Suresh Thelkar <[email protected]> - 5.2.1-7
+- Patch CVE-2023-48161 and CVE-2022-28506
+
 * Mon Jul 11 2022 Olivia Crain <[email protected]> - 5.2.1-6
 - Promote to mariner-official-base repo
 - Lint spec