[SECURITY] Verify LZW code fits in 12 bits before we use it

ctrlcctrlv · saitoha · commit f39d6dafe895 · 2025-08-07T00:11:44.000+09:00
The type `unsigned short`, which is the type of the LZW code, is much larger than the max of an LZW code, causing a wild pointer. That causes an array overflow. Long term, this library should jettison this unnecessary GIF code, and use a better maintained library for it. In the meantime, however, the issue is simple enough to solve, so I've done so. Resolves CVE-2020-19668. Closes #136. Closes #7.
diff --git a/src/fromgif.c b/src/fromgif.c
@@ -69,9 +69,8 @@ typedef struct
    unsigned char suffix;
 } gif_lzw;
 
-enum {
-   gif_lzw_max_code_size = 12
-};
+#define GIF_LZW_MAX_CODE_SIZE 12
+#define GIF_LZW_MAX 0xFFF // 0b1111_1111_1111
 
 typedef struct
 {
@@ -80,7 +79,7 @@ typedef struct
    int flags, bgindex, ratio, transparent, eflags;
    unsigned char pal[256][3];
    unsigned char lpal[256][3];
-   gif_lzw codes[1 << gif_lzw_max_code_size];
+   gif_lzw codes[1 << GIF_LZW_MAX_CODE_SIZE];
    unsigned char *color_table;
    int parse, step;
    int lflags;
@@ -272,20 +271,25 @@ gif_init_frame(
 }
 
 
-static void
+static SIXELSTATUS
 gif_out_code(
     gif_t           /* in */ *g,
     unsigned short  /* in */ code
 )
 {
+    if (code > GIF_LZW_MAX) {
+        sixel_helper_set_additional_message("gif_out_code() failed; GIF file corrupt");
+        return SIXEL_RUNTIME_ERROR;
+    }
+
     /* recurse to decode the prefixes, since the linked-list is backwards,
        and working backwards through an interleaved image would be nasty */
     if (g->codes[code].prefix >= 0) {
         gif_out_code(g, (unsigned short)g->codes[code].prefix);
     }
 
     if (g->cur_y >= g->max_y) {
-        return;
+        return SIXEL_OK;
     }
 
     g->out[g->cur_x + g->cur_y * g->max_x] = g->codes[code].suffix;
@@ -308,6 +312,8 @@ gif_out_code(
             --g->parse;
         }
     }
+
+    return SIXEL_OK;
 }
 
 
@@ -325,7 +331,7 @@ gif_process_raster(
 
     /* LZW Minimum Code Size */
     lzw_cs = gif_get8(s);
-    if (lzw_cs > gif_lzw_max_code_size) {
+    if (lzw_cs > GIF_LZW_MAX_CODE_SIZE) {
         sixel_helper_set_additional_message(
             "Unsupported GIF (LZW code size)");
         status = SIXEL_RUNTIME_ERROR;
@@ -377,7 +383,7 @@ gif_process_raster(
                 return SIXEL_OK;
             } else if (code <= avail) {
                 if (oldcode >= 0) {
-                    if (avail < (1 << gif_lzw_max_code_size)) {
+                    if (avail < (1 << GIF_LZW_MAX_CODE_SIZE)) {
                         p = &g->codes[avail++];
                         p->prefix = (signed short) oldcode;
                         p->first = g->codes[oldcode].first;
@@ -390,7 +396,10 @@ gif_process_raster(
                     goto end;
                 }
 
-                gif_out_code(g, (unsigned short) code);
+                status = gif_out_code(g, (unsigned short) code);
+                if (status != SIXEL_OK) {
+                    goto end;
+                }
 
                 if ((avail & codemask) == 0 && avail <= 0x0FFF) {
                     codesize++;
