Created attachment 1060748
sample for reproducing crash
Description of problem:
Recently I reported a use-after-free issue in Decoder.cpp to upstream, and it has been fixed by upstream. The problem is due to a lack of validation of ColorTableSize.
The bug was fixed by upstream:
Version-Release number of selected component (if applicable):
Versions before 6.15.32
In the upstream's repo, there is a proof-of-concept utility (https://sourceforge.net/p/libpgf/code/HEAD/tree/trunk/pgf , note: the bug is in the library, not in this utility). Issuing the following commands with the attached crash.pgf:
$ ./libpgf-code-136-trunk/pgf/build/src/pgf -d crash.pgf out.gif
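The report above attributes the crash to a colour table size taken from the file without validation. The following is an added illustration of the defensive pattern, not libpgf's code and not its Decoder.cpp: the header layout (one bits-per-pixel byte, a little-endian 32-bit entry count, then count*4 bytes of RGBA entries), the `read_palette` and `build_sample` names, and the 256-entry cap are all constructed for this example. The point it shows is that the count must be bounded against both what the pixel depth can address and what the buffer actually contains before it sizes any copy or allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in format (assumption, NOT the PGF header layout):
   byte 0        bits per pixel
   bytes 1..4    colour-table entry count, little-endian u32 (attacker-controlled)
   bytes 5..     count * 4 bytes of RGBA palette entries */

#define PALETTE_ENTRY_BYTES 4
#define MAX_PALETTE_ENTRIES 256   /* 8-bit indexed pixels can address at most 256 entries */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,          /* declared count exceeds the bytes actually present */
    PARSE_BAD_COLOR_TABLE     /* declared count exceeds what the pixel depth allows */
};

struct palette {
    uint32_t count;                                              /* validated entry count */
    uint8_t  entries[MAX_PALETTE_ENTRIES * PALETTE_ENTRY_BYTES]; /* fixed-size storage */
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the header into a caller-owned palette. Never reads past `len`
   bytes and never writes past pal->entries. */
enum parse_status read_palette(const uint8_t *buf, size_t len, struct palette *pal) {
    if (len < 5) return PARSE_TRUNCATED;
    uint8_t  bpp   = buf[0];
    uint32_t count = read_le32(buf + 1);

    /* The validation the report describes as missing: bound the
       file-supplied count by the pixel depth and by the fixed table size
       BEFORE it is used to size any copy or allocation. */
    uint32_t max_by_depth = (bpp >= 8) ? MAX_PALETTE_ENTRIES : (1u << bpp);
    if (count == 0 || count > max_by_depth || count > MAX_PALETTE_ENTRIES)
        return PARSE_BAD_COLOR_TABLE;

    /* Separately verify that the input really carries that many entries. */
    size_t need = (size_t)count * PALETTE_ENTRY_BYTES;
    if (len - 5 < need) return PARSE_TRUNCATED;

    pal->count = count;
    memcpy(pal->entries, buf + 5, need);
    return PARSE_OK;
}

/* Constructed sample builder: `declared` is written into the header while
   only `actual` entries are emitted, so a hostile header can be simulated.
   Returns the number of bytes written, or 0 if `cap` is too small. */
size_t build_sample(uint8_t *out, size_t cap, uint8_t bpp, uint32_t declared, uint32_t actual) {
    size_t total = 5 + (size_t)actual * PALETTE_ENTRY_BYTES;
    if (cap < total) return 0;
    out[0] = bpp;
    out[1] = (uint8_t)(declared & 0xff);
    out[2] = (uint8_t)((declared >> 8) & 0xff);
    out[3] = (uint8_t)((declared >> 16) & 0xff);
    out[4] = (uint8_t)((declared >> 24) & 0xff);
    for (uint32_t i = 0; i < actual; i++)
        memset(out + 5 + (size_t)i * PALETTE_ENTRY_BYTES, (int)(i & 0xff), PALETTE_ENTRY_BYTES);
    return total;
}

/* Scenario helpers: each returns the parse status for one constructed input. */
int scenario_valid(void) {            /* 4 bpp, 16 entries declared and present */
    uint8_t b[5 + 16 * 4]; struct palette p = {0};
    size_t n = build_sample(b, sizeof b, 4, 16, 16);
    int st = (int)read_palette(b, n, &p);
    return (st == PARSE_OK && p.count == 16) ? PARSE_OK : -1;
}
int scenario_oversized(void) {        /* 8 bpp, absurd count, one entry present */
    uint8_t b[5 + 1 * 4]; struct palette p = {0};
    size_t n = build_sample(b, sizeof b, 8, 0x7fffffffu, 1);
    return (int)read_palette(b, n, &p);
}
int scenario_truncated(void) {        /* 8 bpp, 200 declared, only 10 present */
    uint8_t b[5 + 10 * 4]; struct palette p = {0};
    size_t n = build_sample(b, sizeof b, 8, 200, 10);
    return (int)read_palette(b, n, &p);
}
int scenario_depth_mismatch(void) {   /* 4 bpp can address 16, header claims 17 */
    uint8_t b[5 + 17 * 4]; struct palette p = {0};
    size_t n = build_sample(b, sizeof b, 4, 17, 17);
    return (int)read_palette(b, n, &p);
}

int main(void) {
    printf("valid=%d oversized=%d truncated=%d depth=%d\n",
           scenario_valid(), scenario_oversized(), scenario_truncated(), scenario_depth_mismatch());
    return 0;
}
```

The two checks are deliberately separate: the depth bound rejects counts that could never be legitimate regardless of file length, while the length check catches a header whose count is plausible but not backed by data, which is the case a fuzzer-generated file like the attached one most often hits.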
libpgf-6.14.12-4.fc23 has been submitted as an update for Fedora 23.
libpgf-6.14.12-4.el7 has been submitted as an update for Fedora EPEL 7.
* should fix your issue,
* was pushed to the Fedora EPEL 7 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing libpgf-6.14.12-4.el7'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
libpgf-6.14.12-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
libpgf-6.14.12-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.