[wxWidgets/wxWidgets] a676a0: Validate ANI frame indices against loaded icon count
0 views
Skip to first unread message
dxbjavid
May 25, 2026, 1:11:12 PMMay 25
to wx-co...@googlegroups.com
Branch: refs/heads/master
Home: https://github.com/wxWidgets/wxWidgets
Commit: a676a0f1f51f5c94036d64df3863664586937aa6
https://github.com/wxWidgets/wxWidgets/commit/a676a0f1f51f5c94036d64df3863664586937aa6
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/common/anidecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Validate ANI frame indices against loaded icon count
The SEQ chunk of an ANI file gives a 32-bit image index per animation
step. These values were stored into wxANIFrameInfo::m_imageIndex
verbatim, without any check against the number of icon chunks actually
loaded into m_images. wxANIDecoder::ConvertToImage() and
GetTransparentColour() then used the value as an index into m_images
directly, so a malformed ANI file could trigger an out-of-bounds vector
access when the file is displayed.
Reject the file in Load() if any of the indices is negative or points
past the end of m_images, and also reject files that produced no icon
chunks at all so the subsequent m_images[0] reference is safe.
Closes #26492.
To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications
Home: https://github.com/wxWidgets/wxWidgets
Commit: a676a0f1f51f5c94036d64df3863664586937aa6
https://github.com/wxWidgets/wxWidgets/commit/a676a0f1f51f5c94036d64df3863664586937aa6
Author: dxbjavid <dxbj...@gmail.com>
Date: 2026-05-25 (Mon, 25 May 2026)
Changed paths:
M src/common/anidecod.cpp
M tests/image/image.cpp
Log Message:
-----------
Validate ANI frame indices against loaded icon count
The SEQ chunk of an ANI file gives a 32-bit image index per animation
step. These values were stored into wxANIFrameInfo::m_imageIndex
verbatim, without any check against the number of icon chunks actually
loaded into m_images. wxANIDecoder::ConvertToImage() and
GetTransparentColour() then used the value as an index into m_images
directly, so a malformed ANI file could trigger an out-of-bounds vector
access when the file is displayed.
Reject the file in Load() if any of the indices is negative or points
past the end of m_images, and also reject files that produced no icon
chunks at all so the subsequent m_images[0] reference is safe.
Closes #26492.
To unsubscribe from these emails, change your notification settings at https://github.com/wxWidgets/wxWidgets/settings/notifications
Reply all
Reply to author
Forward
0 new messages