From ac0ee77d630c4a692b02cad630a61e974b0c52ce Mon Sep 17 00:00:00 2001 From: Nigel Tao Date: Thu, 28 Apr 2016 19:01:48 +1000 Subject: [PATCH] image/gif: be stricter on parsing graphic control extensions. See Section 23. Graphic Control Extension of the spec: https://www.w3.org/Graphics/GIF/spec-gif89a.txt Change-Id: Ie78b4ff4aa97e1b332ade67ae4fa25f7c0770610 Reviewed-on: https://go-review.googlesource.com/22547 Reviewed-by: Rob Pike --- src/image/gif/reader.go | 6 ++++++ src/image/gif/reader_test.go | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/image/gif/reader.go b/src/image/gif/reader.go index 6bfc72e974..9a0852dbfd 100644 --- a/src/image/gif/reader.go +++ b/src/image/gif/reader.go @@ -349,6 +349,9 @@ func (d *decoder) readGraphicControl() error { if _, err := io.ReadFull(d.r, d.tmp[:6]); err != nil { return fmt.Errorf("gif: can't read graphic control: %s", err) } + if d.tmp[0] != 4 { + return fmt.Errorf("gif: invalid graphic control extension block size: %d", d.tmp[0]) + } flags := d.tmp[1] d.disposalMethod = (flags & gcDisposalMethodMask) >> 2 d.delayTime = int(d.tmp[2]) | int(d.tmp[3])<<8 @@ -356,6 +359,9 @@ func (d *decoder) readGraphicControl() error { d.transparentIndex = d.tmp[4] d.hasTransparentIndex = true } + if d.tmp[5] != 0 { + return fmt.Errorf("gif: invalid graphic control extension block terminator: %d", d.tmp[5]) + } return nil } diff --git a/src/image/gif/reader_test.go b/src/image/gif/reader_test.go index c294195b6f..ee78a40716 100644 --- a/src/image/gif/reader_test.go +++ b/src/image/gif/reader_test.go @@ -97,7 +97,7 @@ func TestTransparentIndex(t *testing.T) { for transparentIndex := 0; transparentIndex < 3; transparentIndex++ { if transparentIndex < 2 { // Write the graphic control for the transparent index. - b.WriteString("\x21\xf9\x00\x01\x00\x00") + b.WriteString("\x21\xf9\x04\x01\x00\x00") b.WriteByte(byte(transparentIndex)) b.WriteByte(0) } -- 2.48.1