From 368f28c0034ecfb6dd4b3412af4cc589a56e0611 Mon Sep 17 00:00:00 2001
From: Matej Muzila <mmuzila@redhat.com>
Date: Mon, 30 May 2022 09:04:27 +0200
Subject: [PATCH] Fix heap-buffer overflow (CVE-2022-28506)

There is a heap buffer overflow in DumpScreen2RGB() in gif2rgb.c.  This
occurs when a crafted gif file, where size of color table is < 256 but
image data contains pixels with color code highier than size of color
table. This causes oferflow of ColorMap->Colors array.

Fix the issue by checking if value of each pixel is within bounds of
given color table. If the value is out of color table, print error
message and exit.

Fixes: #159

Upstream-Status: Backport [https://sourceforge.net/p/giflib/code/ci/5b74cdd9c1285514eaa4675347ba3eea81d32c65/]
Signed-off-by: nikhil r <nikhil.r@kpit.com>
---
 gif2rgb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/gif2rgb.c b/gif2rgb.c
index 8d7c0ff..d9a469f 100644
--- a/gif2rgb.c
+++ b/gif2rgb.c
@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
             GifRow = ScreenBuffer[i];
             GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
             for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
+                /* Check if color is within color palete */
+                if (GifRow[j] >= ColorMap->ColorCount)
+                {
+                   GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
+                }
                 ColorMapEntry = &ColorMap->Colors[GifRow[j]];
                 *BufferP++ = ColorMapEntry->Red;
                 *BufferP++ = ColorMapEntry->Green;
-- 
2.25.1