File netpbm-CVE-2017-2579,2580.patch of Package netpbm.18206
Index: netpbm-10.80.1/converter/other/giftopnm.c
===================================================================
--- netpbm-10.80.1.orig/converter/other/giftopnm.c 2019-05-16 14:30:02.041306360 +0200
+++ netpbm-10.80.1/converter/other/giftopnm.c 2019-05-16 14:49:07.719059265 +0200
@@ -1138,8 +1138,21 @@ expandCodeOntoStack(Decompressor * const
/* LZW string, defined */
code = incode;
else if (incode == decompP->nextTableSlot) {
- /* It's a code that isn't in our translation table yet.
+ /* It's a code that isn't in our translation table yet
+
+ The only thing it could legally be is one higher than the
+ highest one we've seen so far.
*/
+ if (code > decompP->nextTableSlot) {
+ /* We just abort because we added this to stable code to fix
+ a bug and we don't want to disturb stable code more than we
+ have to.
+ */
+ pm_error("Error in GIF image: LZW string code %u "
+ "is neither a previously defined one nor the "
+ "next in sequence to define (%u)",
+ code, decompP->nextTableSlot);
+ }
if (decompP->fresh)
pm_asprintf(&gifError, "LZW string code encountered with "
"decompressor in fresh state");
@@ -2042,6 +2055,9 @@ convertImage(FILE * const ifP,
"color map either.");
}
+ if (imageHeader.cols == 0)
+ pm_error("Invalid GIF - width is zero");
+
if (!skipIt) {
readImageData(ifP, imageHeader.cols, imageHeader.rows,
*currentColorMapP,