X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=deanimate.c;h=ae0d96a8ec527b6f9dc180a5860a72b64fe7e929;hp=4e4aaacaa9cacf02e4ebdaaac40b73ea575eacb0;hb=5c3ff0e8f3caf7ebef4c60f1092f41b1d8c5460f;hpb=aefee06517eff81ae0d4e104e78355b0ca10029f diff --git a/deanimate.c b/deanimate.c index 4e4aaaca..ae0d96a8 100644 --- a/deanimate.c +++ b/deanimate.c @@ -1,4 +1,3 @@ -const char deanimate_rcs[] = "$Id: deanimate.c,v 1.16 2007/07/14 08:01:58 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/deanimate.c,v $ @@ -6,11 +5,6 @@ const char deanimate_rcs[] = "$Id: deanimate.c,v 1.16 2007/07/14 08:01:58 fabian * Purpose : Declares functions to manipulate binary images on the * fly. High-level functions include: * - Deanimation of GIF images - * - Fixup of malformed comment block in JPEG headers - * - * Functions declared include: gif_deanimate, buf_free, - * buf_copy, buf_getbyte, gif_skip_data_block, - * gif_extract_image and jpeg_inspect * * Copyright : Written by and Copyright (C) 2001 - 2004, 2006 by the * SourceForge Privoxy team. http://www.privoxy.org/ @@ -20,7 +14,7 @@ const char deanimate_rcs[] = "$Id: deanimate.c,v 1.16 2007/07/14 08:01:58 fabian * and ideas from the Image::DeAnim Perl module by * Ken MacFarlane, * - * This program is free software; you can redistribute it + * This program is free software; you can redistribute it * and/or modify it under the terms of the GNU General * Public License as published by the Free Software * Foundation; either version 2 of the License, or (at @@ -38,68 +32,8 @@ const char deanimate_rcs[] = "$Id: deanimate.c,v 1.16 2007/07/14 08:01:58 fabian * or write to the Free Software Foundation, Inc., 59 * Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - * Revisions : - * $Log: deanimate.c,v $ - * Revision 1.16 2007/07/14 08:01:58 fabiankeil - * s@failiure@failure@ - * - * Revision 1.15 2007/01/03 14:39:19 fabiankeil - * Fix a gcc43 warning and mark the binbuffer - * as immutable for buf_getbyte(). - * - * Revision 1.14 2006/07/18 14:48:45 david__schmidt - * Reorganizing the repository: swapping out what was HEAD (the old 3.1 branch) - * with what was really the latest development (the v_3_0_branch branch) - * - * Revision 1.12.2.1 2004/10/03 12:53:32 david__schmidt - * Add the ability to check jpeg images for invalid - * lengths of comment blocks. Defensive strategy - * against the exploit: - * Microsoft Security Bulletin MS04-028 - * Buffer Overrun in JPEG Processing (GDI+) Could - * Allow Code Execution (833987) - * Enabled with +inspect-jpegs in actions files. - * - * Revision 1.12 2002/05/12 21:36:29 jongfoster - * Correcting function comments - * - * Revision 1.11 2002/03/26 22:29:54 swa - * we have a new homepage! - * - * Revision 1.10 2002/03/24 13:25:43 swa - * name change related issues - * - * Revision 1.9 2002/03/13 00:27:04 jongfoster - * Killing warnings - * - * Revision 1.8 2002/03/09 19:42:47 jongfoster - * Fixing more warnings - * - * Revision 1.7 2002/03/08 17:46:04 jongfoster - * Fixing int/size_t warnings - * - * Revision 1.6 2002/03/07 03:46:17 oes - * Fixed compiler warnings - * - * Revision 1.5 2001/09/10 10:16:06 oes - * Silenced compiler warnings - * - * Revision 1.4 2001/07/18 12:28:49 oes - * - Added feature for extracting the first frame - * to gif_deanimate - * - Separated image buffer extension into buf_extend - * - Extended gif deanimation to GIF87a (untested!) - * - Cosmetics - * - * Revision 1.3 2001/07/15 13:57:50 jongfoster - * Adding #includes string.h and miscutil.h - * - * Revision 1.2 2001/07/13 13:46:20 oes - * Introduced GIF deanimation feature - * - * **********************************************************************/ - + #include "config.h" @@ -111,10 +45,8 @@ const char deanimate_rcs[] = "$Id: deanimate.c,v 1.16 2007/07/14 08:01:58 fabian #include "deanimate.h" #include "miscutil.h" -const char deanimate_h_rcs[] = DEANIMATE_H_VERSION; - /********************************************************************* - * + * * Function : buf_free * * Description : Safely frees a struct binbuffer @@ -140,7 +72,7 @@ void buf_free(struct binbuffer *buf) /********************************************************************* - * + * * Function : buf_extend * * Description : Ensure that a given binbuffer can hold a given amount @@ -151,7 +83,7 @@ void buf_free(struct binbuffer *buf) * Parameters : * 1 : buf = Pointer to the binbuffer * 2 : length = Desired minimum size - * + * * * Returns : 0 on success, 1 on failure. * @@ -182,7 +114,7 @@ static int buf_extend(struct binbuffer *buf, size_t length) /********************************************************************* - * + * * Function : buf_copy * * Description : Safely copies a given amount of bytes from one @@ -203,7 +135,7 @@ static int buf_copy(struct binbuffer *src, struct binbuffer *dst, size_t length) /* * Sanity check: Can't copy more data than we have */ - if (src->offset + length > src->size) + if (src->offset + length > src->size) { return 1; } @@ -211,7 +143,7 @@ static int buf_copy(struct binbuffer *src, struct binbuffer *dst, size_t length) /* * Ensure that dst can hold the new data */ - if (buf_extend(dst, length)) + if (buf_extend(dst, length)) { return 1; } @@ -230,7 +162,7 @@ static int buf_copy(struct binbuffer *src, struct binbuffer *dst, size_t length) /********************************************************************* - * + * * Function : buf_getbyte * * Description : Safely gets a byte from a given binbuffer at a @@ -258,7 +190,7 @@ static unsigned char buf_getbyte(const struct binbuffer *src, size_t offset) /********************************************************************* - * + * * Function : gif_skip_data_block * * Description : Safely advances the offset of a given struct binbuffer @@ -276,7 +208,7 @@ static int gif_skip_data_block(struct binbuffer *buf) { unsigned char c; - /* + /* * Data blocks are sequences of chunks, which are headed * by a one-byte length field, with the last chunk having * zero length. @@ -297,12 +229,12 @@ static int gif_skip_data_block(struct binbuffer *buf) /********************************************************************* - * + * * Function : gif_extract_image * * Description : Safely extracts an image data block from a given * struct binbuffer that contains a GIF image and whose - * offset is positioned at the start of a data block + * offset is positioned at the start of a data block * into a given destination binbuffer. * * Parameters : @@ -330,10 +262,17 @@ static int gif_extract_image(struct binbuffer *src, struct binbuffer *dst) */ if (c & 0x80) { - if (buf_copy(src, dst, (size_t) 3 * (1 << ((c & 0x07) + 1)))) + int map_length = 3 * (1 << ((c & 0x07) + 1)); + if (map_length <= 0) + { + log_error(LOG_LEVEL_DEANIMATE, + "colormap length = %d (%c)?", map_length, c); + return 1; + } + if (buf_copy(src, dst, (size_t)map_length)) { return 1; - } + } } if (buf_copy(src, dst, 1)) return 1; @@ -358,7 +297,7 @@ static int gif_extract_image(struct binbuffer *src, struct binbuffer *dst) } /********************************************************************* - * + * * Function : gif_deanimate * * Description : Deanimate a given GIF image, i.e. given a GIF with @@ -390,9 +329,9 @@ int gif_deanimate(struct binbuffer *src, struct binbuffer *dst, int get_first_im c = buf_getbyte(src, 10); /* - * Check & copy GIF header + * Check & copy GIF header */ - if (strncmp(src->buffer, "GIF89a", 6) && strncmp(src->buffer, "GIF87a", 6)) + if (strncmp(src->buffer, "GIF89a", 6) && strncmp(src->buffer, "GIF87a", 6)) { return 1; } @@ -407,9 +346,16 @@ int gif_deanimate(struct binbuffer *src, struct binbuffer *dst, int get_first_im /* * Look for global colormap and copy if found. */ - if(c & 0x80) + if (c & 0x80) { - if (buf_copy(src, dst, (size_t) 3 * (1 << ((c & 0x07) + 1)))) + int map_length = 3 * (1 << ((c & 0x07) + 1)); + if (map_length <= 0) + { + log_error(LOG_LEVEL_DEANIMATE, + "colormap length = %d (%c)?", map_length, c); + return 1; + } + if (buf_copy(src, dst, (size_t)map_length)) { return 1; } @@ -418,10 +364,7 @@ int gif_deanimate(struct binbuffer *src, struct binbuffer *dst, int get_first_im /* * Reserve a buffer for the current image block */ - if (NULL == (image = (struct binbuffer *)zalloc(sizeof(*image)))) - { - return 1; - } + image = zalloc_or_die(sizeof(*image)); /* * Parse the GIF block by block and copy the relevant @@ -437,7 +380,7 @@ int gif_deanimate(struct binbuffer *src, struct binbuffer *dst, int get_first_im case 0x3b: goto write; - /* + /* * Image block: Extract to current image buffer. */ case 0x2c: @@ -497,13 +440,13 @@ int gif_deanimate(struct binbuffer *src, struct binbuffer *dst, int get_first_im */ default: goto failed; - + } } /* -END- while src */ /* * Either we got here by goto, or because the GIF is - * bogus and EOF was reached before an end-of-gif marker + * bogus and EOF was reached before an end-of-gif marker * was found. */ @@ -525,113 +468,6 @@ write: } -/********************************************************************* - * - * Function : jpeg_inspect - * - * Description : Checks a jpeg image for an invalid length in a - * comment block (0xFFFE0000 or 0xFFFE0001) and - * changes it to 0xFFFE0002. Defensive strategy - * against the exploit: - * Microsoft Security Bulletin MS04-028 - * Buffer Overrun in JPEG Processing (GDI+) Could - * Allow Code Execution (833987) - * - * Parameters : - * 1 : src = Pointer to the image binbuffer - * - * Returns : 0 on success, or 1 on failure - * - *********************************************************************/ -int jpeg_inspect(struct binbuffer *src, struct binbuffer *dst) -{ - long i; - /* - * We process the image using a simple finite state machine, - * searching for byte patterns. - */ - enum { J_INIT, /* The initial state */ - J_FF, /* Found byte 0xFF */ - J_FE, /* Found bytes 0xFF 0xFE */ - J_00, /* Found bytes 0xFF 0xFE 0x00 */ - J_DA /* - * Found bytes 0xFF 0xDA; short-circuit to done-ness - * since this signals the beginning end of headers. - */ - }; - short state = J_INIT; - unsigned char c; - - if (NULL == src || NULL == dst) - { - return 1; - } - - if (buf_copy(src, dst, src->size)) - { - return 1; - } - - /* Need to search the jpg for patterns: - * 0xFF 0xFE 0x00 0x00 - * or - * 0xFF 0xFE 0x00 0x01 - * from beginning until: - * 0xFF 0xDA - * (or the end of the buffer) - * If found, change the pattern to 0xFF 0xFE 0x00 0x02 - */ - - for (i = 0; i < dst->size; i++) - { - c = dst->buffer[i]; - switch (state) - { - case J_INIT: - if (c == 0xFF) - state = J_FF; - break; - case J_FF: - if (c == 0xDA) - state = J_DA; /* End of headers - we're done with this image. */ - else if (c == 0xFE) - state = J_FE; - else - state = J_INIT; - break; - case J_FE: - if (c == 0x00) - state = J_00; - else - state = J_INIT; - break; - case J_00: - if ((c == 0x00) || (c == 0x01)) - { - dst->buffer[i] = 2; /* Reset comment block size to 2. */ - log_error(LOG_LEVEL_INFO, "JPEG comment exploit removed."); - /* TODO: - * I'm unsure if we can have more than one comment block. Just in case, - * we'll scan the rest of the header for more by going back to J_INIT - * state. If there is no possibility of >1 comment block, we could - * short-circuit to done-ness here. - */ - state = J_INIT; - } - else - state = J_INIT; - break; - default: - break; - } - if (state == J_DA) - break; - } - - return 0; -} - - /* Local Variables: tab-width: 3