
oss-sec mailing list archives
Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability.
From: Mingcong Bai <jeffbai () aosc io>
Date: Mon, 7 Apr 2025 23:07:55 +0800
Hi,

On 2025/4/7 21:15, 李亚杰 wrote:
> Affected Versions:
> - giflib 5.2.2 and below
>
> Description:
> In the function DumpScreen2RGB of the giflib software, an attempt is made to access the color map through ColorMapEntry. The size of ColorMap is 6 bytes (from 0x602000000030 to 0x602000000036). However, when accessing ColorMap->Colors[GifRow[j]], the value of GifRow[j] exceeds the actual number of colors stored. The address pointed to by ColorMapEntry, 0x602000000039, goes beyond the allocated memory range for color data. As a result, accessing ColorMapEntry->Red leads to out-of-bounds access, causing a heap-buffer-overflow.

Thanks for the disclosure, but any pointer to potential fixes or maybe a new release? I'm confused (because we distributions should now be working to mitigate, as it is now disclosed)...

Best Regards,
Mingcong Bai

> Credits:
> JiaXuan Song(m202372152 () hust edu cn)
> bale.cen(cenxianlong () huawei com)
>
> Best Regards,
> Yajie Li
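The indexing pattern described in the quoted report, next to a bounds-checked form, as an added example that is not part of the thread and is neither giflib's code nor its fix. `Color`, `ColorMap` and all function names are simplified stand-ins (assumptions), and the two-colour map is constructed to match the 6-byte table in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for giflib's GifColorType and ColorMapObject (assumption). */
typedef struct { uint8_t Red, Green, Blue; } Color;
typedef struct { int ColorCount; const Color *Colors; } ColorMap;

/* Pattern from the report: pixel value used as an index with no check
 * against ColorCount. Safe only if the caller validated every index. */
void row_to_rgb_unchecked(const ColorMap *map, const uint8_t *row,
                          size_t width, uint8_t *out)
{
    for (size_t j = 0; j < width; j++) {
        const Color *e = &map->Colors[row[j]]; /* may point past the table */
        *out++ = e->Red; *out++ = e->Green; *out++ = e->Blue;
    }
}

/* Hardened form: 0 on success, -1 if any pixel index is out of range. */
int row_to_rgb_checked(const ColorMap *map, const uint8_t *row,
                       size_t width, uint8_t *out)
{
    if (map == NULL || map->Colors == NULL || map->ColorCount <= 0)
        return -1;
    for (size_t j = 0; j < width; j++) /* validate first: no partial output */
        if (row[j] >= map->ColorCount)
            return -1;
    row_to_rgb_unchecked(map, row, width, out); /* indices now proven in range */
    return 0;
}

/* Constructed sample: 2 colours = 6 bytes of colour data, as in the report. */
static const Color kTwo[2] = { {0, 0, 0}, {255, 255, 255} };

int convert_sample(const uint8_t *row, size_t width, uint8_t *out)
{
    ColorMap map = { 2, kTwo };
    return row_to_rgb_checked(&map, row, width, out);
}

int main(void)
{
    const uint8_t good[3] = { 0, 1, 1 }, bad[3] = { 0, 3, 1 }; /* 3 -> offset 9 */
    uint8_t rgb[9];
    printf("good=%d bad=%d\n", convert_sample(good, 3, rgb),
           convert_sample(bad, 3, rgb));
    return 0;
}
```

Index 3 in the constructed bad row corresponds to byte offset 9 from the start of the colour table, the same offset as the 0x602000000039 address in the report.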
Current thread:
- CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. 李亚杰 (Apr 07)
- Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Mingcong Bai (Apr 07)
- Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Hanno Böck (Apr 07)
- Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Bernhard Rosenkränzer (Apr 07)
- Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Sebastian Pipping (Apr 09)
- Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Bernhard Rosenkränzer (Apr 09)
- Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Sebastian Pipping (Apr 09)
- Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Bernhard Rosenkränzer (Apr 09)