Comment 11 for bug 210718

In , rbu (rbu-gentoo-bugs) wrote :

Tomas Hoger writes:
Value of code_size is read from GIF image, but not properly validated
before use to initialize table array in gif_read_lzw(). clear_code
used as upper bound in for loop is short, hence overflow is limited to
~16k - 4k short int values. Moreover, attacker has limited control
over the values written past the end of the buffer.
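
The missing validation described in this comment, as an added C example that is not part of the original comment and is not the affected project's code. The two-row 4096-entry table layout, the function names and the accepted code_size range are assumptions made for illustration.

```c
#include <stdio.h>

#define TABLE_SIZE 4096   /* assumed row size: 12-bit LZW code space ("4k" above) */

/* Model of the arithmetic in the comment: how many entries per row a loop
 * "for (i = 0; i < clear_code; i++)" writes past a TABLE_SIZE-entry row when
 * clear_code is a 16-bit short holding 1 << code_size. */
int entries_past_end(int code_size)
{
    int clear_code;

    /* 1 << 15 and above do not fit a positive 16-bit short, so the loop
     * bound is not a large positive value; modelled here as no overrun. */
    if (code_size < 0 || code_size > 14)
        return 0;
    clear_code = 1 << code_size;
    return clear_code > TABLE_SIZE ? clear_code - TABLE_SIZE : 0;
}

/* Hardened initialisation: validate code_size before it sizes any loop.
 * The bound (1..11) is an assumption chosen so that clear_code and the two
 * reserved codes after it still fit inside the table.
 * Returns clear_code on success, -1 if the file-supplied value is rejected. */
int lzw_init_table(short table[2][TABLE_SIZE], int code_size)
{
    int i, clear_code;

    if (code_size < 1 || code_size > 11)
        return -1;                       /* reject before touching the table */
    clear_code = 1 << code_size;
    for (i = 0; i < clear_code; i++) {
        table[0][i] = 0;
        table[1][i] = (short)i;
    }
    for (; i < TABLE_SIZE; i++)          /* rest of the table starts empty */
        table[0][i] = table[1][i] = 0;
    return clear_code;
}

int main(void)
{
    static short table[2][TABLE_SIZE];
    int sizes[] = { 8, 12, 13, 14 };     /* constructed sample code_size values */
    size_t n;

    for (n = 0; n < sizeof sizes / sizeof sizes[0]; n++)
        printf("code_size=%d unchecked overrun=%d checked=%d\n", sizes[n],
               entries_past_end(sizes[n]), lzw_init_table(table, sizes[n]));
    return 0;
}
```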