--- tetex-src-3.0/libs/gd/gd_gif_in.c.cve-2006-2906 2004-11-01 11:28:56.000000000 -0700 +++ tetex-src-3.0/libs/gd/gd_gif_in.c 2006-06-27 05:12:57.806998845 -0600 @@ -118,6 +118,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro char version[4]; /* 2.0.28: threadsafe storage */ int ZeroDataBlock = FALSE; + int maxcount = 1024; gdImagePtr im = 0; if (! ReadOK(fd,buf,6)) { @@ -164,6 +165,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro } if (c != ',') { /* Not a valid start character */ + if (--maxcount < 0) + goto terminated; /* Looping */ continue; } @@ -242,6 +245,7 @@ static int DoExtension(gdIOCtx *fd, int label, int *Transparent, int *ZeroDataBlockP) { static unsigned char buf[256]; + int maxcount = 1024; switch (label) { case 0xf9: /* Graphic Control Extension */ @@ -254,13 +258,13 @@ DoExtension(gdIOCtx *fd, int label, int if ((buf[0] & 0x1) != 0) *Transparent = buf[3]; - while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0) + while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0) ; return FALSE; default: break; } - while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0) + while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0) ; return FALSE; @@ -419,14 +423,15 @@ LWZReadByte_(gdIOCtx *fd, int flag, int } else if (code == end_code) { int count; unsigned char buf[260]; + int maxcount = 1024; if (*ZeroDataBlockP) return -2; - while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0) + while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0 && --maxcount >= 0) ; - if (count != 0) + if (count != 0 || maxcount < 0) return -2; }