112099 2013-03-11 20:09:39 -0700 GIF decoder can read off end of buffer 2013-03-19 16:10:48 -0700 1 1 1 Unclassified WebKit Images 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 111144 1 pkasting hclam hclam oldest_to_newest 853025 0 pkasting 2013-03-11 20:09:39 -0700 Noticed while reviewing various GIF decoder patches. hclam -- want to fix this while you're touching this stuff? The bug is that the GIFNetscapeExtensionBlock state of the parser reads the block length from the image file, but then the GIFConsumeNetscapeExtension assumes the block length is at least the 3 that the spec requires. Therefore, an image can specify "1" or "2" here and then end after that many more bytes, and the parser will happily read another two or one bytes off the end of the buffer. I believe the correct fix is that the GIFNetscapeExtensionBlock state should call GETN(std::max(3, *currentComponent), GIFConsumeNetscapeExtension);. A comment explaining this wouldn't be amiss. I suspect Gecko has the same problem. The Chrome security guys looked at this and declared it not a security bug, since there seems to be no way to use this OOB read to malicious effect (since it just controls the image loop count). 853027 1 hclam 2013-03-11 20:14:19 -0700 Okay, I'll fix it. 858844 2 hclam 2013-03-19 16:10:38 -0700 The fix is landed in https://bugs.webkit.org/show_bug.cgi?id=111144