--- tetex-src-3.0/libs/gd/gd_gif_in.c.cve-2006-2906 2004-11-01 11:28:56.000000000 -0700
+++ tetex-src-3.0/libs/gd/gd_gif_in.c 2006-06-27 05:12:57.806998845 -0600
@@ -118,6 +118,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
char version[4];
/* 2.0.28: threadsafe storage */
int ZeroDataBlock = FALSE;
+ int maxcount = 1024;
gdImagePtr im = 0;
if (! ReadOK(fd,buf,6)) {
@@ -164,6 +165,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
}
if (c != ',') { /* Not a valid start character */
+ if (--maxcount < 0)
+ goto terminated; /* Looping */
continue;
}
@@ -242,6 +245,7 @@ static int
DoExtension(gdIOCtx *fd, int label, int *Transparent, int *ZeroDataBlockP)
{
static unsigned char buf[256];
+ int maxcount = 1024;
switch (label) {
case 0xf9: /* Graphic Control Extension */
@@ -254,13 +258,13 @@ DoExtension(gdIOCtx *fd, int label, int
if ((buf[0] & 0x1) != 0)
*Transparent = buf[3];
- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
;
return FALSE;
default:
break;
}
- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
;
return FALSE;
@@ -419,14 +423,15 @@ LWZReadByte_(gdIOCtx *fd, int flag, int
} else if (code == end_code) {
int count;
unsigned char buf[260];
+ int maxcount = 1024;
if (*ZeroDataBlockP)
return -2;
- while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0)
+ while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0 && --maxcount >= 0)
;
- if (count != 0)
+ if (count != 0 || maxcount < 0)
return -2;
}
