fix CVE-2026-23868: double free in GifMakeSavedImage (RHEL-154864)

Resolves: RHEL-154864
This commit is contained in:
Michal Hlavinka 2026-03-24 10:37:07 +01:00
parent 9f9b03695a
commit 833c4ccf48
2 changed files with 28 additions and 1 deletions

View File

@ -0,0 +1,18 @@
--- a/gifalloc.c
+++ b/gifalloc.c
@@ -349,6 +349,14 @@
* problems.
*/
+ /* Null out aliased pointers before any allocations
+ * so that FreeLastSavedImage won't free CopyFrom's
+ * data if an allocation fails partway through. */
+ sp->ImageDesc.ColorMap = NULL;
+ sp->RasterBits = NULL;
+ sp->ExtensionBlocks = NULL;
+ sp->ExtensionBlockCount = 0;
+
/* first, the local color map */
if (CopyFrom->ImageDesc.ColorMap != NULL) {
sp->ImageDesc.ColorMap = GifMakeMapObject(

View File

@ -1,7 +1,7 @@
Name: giflib
Summary: A library and utilities for processing GIFs
Version: 5.2.1
Release: 9%{?dist}
Release: 10%{?dist}
License: MIT
URL: http://www.sourceforge.net/projects/%{name}/
@ -12,6 +12,9 @@ Patch0: giflib_quantize.patch
Patch1: giflib_coverity.patch
# Generate HTML docs with consistent section IDs to avoid multilib difference
Patch2: giflib_html-docs-consistent-ids.patch
# from upstream, for <= 6.1.1, RHEL-154864
# https://sourceforge.net/p/giflib/code/ci/f5b7267aed3665ef025c13823e454170d031c106/
Patch3: giflib-5.2.1-cve-2026-23868.patch
BuildRequires: gcc
BuildRequires: make
@ -47,6 +50,9 @@ format image files.
%build
%make_build CFLAGS="%{optflags} -fPIC" LDFLAGS="%{__global_ldflags}"
# remove extra index.html.in
rm doc/index.html.in
%install
%make_install PREFIX="%{_prefix}" LIBDIR="%{_libdir}"
@ -74,6 +80,9 @@ rm -f %{buildroot}%{_libdir}/libgif.a
%changelog
* Tue Mar 24 2026 Michal Hlavinka <mhlavink@redhat.com> - 5.2.1-10
- fix CVE-2026-23868: double free in GifMakeSavedImage (RHEL-154864)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 5.2.1-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688