A buffer overflow vulnerability using specially crafted gif file in optipng 0.7.5 was found. CVE request (includes crash report and reproducer): http://seclists.org/oss-sec/2015/q3/632
Created optipng tracking bugs for this issue: Affects: fedora-all [bug 1265961] Affects: epel-5 [bug 1265962] Affects: epel-6 [bug 1265963]
I believe this is a problem in LZWGetCode() in src/gifread/gifread.c > if ((curbit + code_size) >= lastbit) > { > if (done) > { > if (curbit >= lastbit) > GIFError("GIF/LZW error: ran off the end of my bits"); > return -1; > } > if > buffer[0] = buffer[last_byte-2]; // out of bounds of last_byte = 0 > buffer[1] = buffer[last_byte-1]; > > if ((count = GIFReadDataBlock(&buffer[2], stream)) == 0) > done = LZW_TRUE; > > last_byte = 2 + count; > curbit = (curbit - lastbit) + 16; > lastbit = (2 + count) * 8; > } If last_byte is 0, "buffer[0] = buffer[last_byte-2];" will effectively read 2 bytes before the real start of the "buffer" array. It's an out-of-bounds read of a global buffer, so I don't see any reason for concern here. It probably won't even cause a crash.