CVE-2026-8454: Imager::File::GIF versions through 1.002 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files

[Timothy Legge <timlegge () cpansec org>]

========================================================================
CVE-2026-8454                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-8454
  Distribution:  Imager-File-GIF
      Versions:  through 1.002

      MetaCPAN:  https://metacpan.org/dist/Imager-File-GIF
      VCS Repo:  https://github.com/tonycoz/imager


Imager::File::GIF versions through 1.002 for Perl allow a heap out of
bounds (OOB) write on crafted multi-frame GIF files

Description
-----------
Imager::File::GIF versions through 1.002 for Perl allow a heap out of
bounds (OOB) write on crafted multi-frame GIF files.

Imager::File::GIF's i_readgif_multi_low allocates a single per-row
buffer GifRow sized for the GIF's global screen width 'SWidth' and
reuses it across every image in the file.

The page-match branch validates Image.Width + Image.Left > SWidth
before each DGifGetLine write, but the parallel skip-image branch at
imgif.c:790-805 calls DGifGetLine(GifFile, GifRow, Width) with no such
check.

Problem types
-------------
- CWE-787 Out-of-bounds Write

Solutions
---------
Upgrade to Imager::File::GIF 1.003.


References
----------
https://metacpan.org/release/TONYC/Imager-File-GIF-1.003/source/Changes
https://github.com/tonycoz/imager/commit/782e9c06cc75a0f7eed383f39522f51f44598b04.patch

Timeline
--------
- 2026-05-12: Issue identified
- 2026-05-13: Issue reported to maintainer
- 2026-05-14: Maintainer acknowledged the report
- 2026-05-15: Fixed version released