CVE-2019-16347
Description
ngiflib 0.4 has a heap-based buffer overflow in WritePixels() in ngiflib.c when called from DecodeGifImg, because deinterlacing for small pictures is mishandled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ngiflib 0.4 heap-buffer-overflow in WritePixels() via crafted GIF due to mishandled deinterlacing for small pictures.
Vulnerability
A heap-based buffer overflow exists in WritePixels() in ngiflib.c when called from DecodeGifImg, because the deinterlacing logic for small pictures is mishandled [1]. The overflow occurs at line 213 of ngiflib.c when processing a specially crafted GIF file that triggers incorrect row calculations during deinterlacing passes [2]. Affected version is ngiflib 0.4 and possibly earlier releases.
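The row sequencing behind this bug can be modelled in a few lines. This is an added example, not ngiflib's code: `rowctx`, `advance_old`, `advance_new` and `oob_rows` are hypothetical names, and the model assumes a frame starting at row 0 that carries one line of pixels per row. It compares the interlace row counter before and after the fix and counts positions that fall outside the picture.

```c
#include <stdio.h>

/* Simplified model (assumption): only the interlace row counter from the
 * patch is reproduced; posY is the frame's top row, height the picture height. */
struct rowctx { int pass; int curY; };

/* Row advance as it was before the fix: each pass checks the bound once. */
static void advance_old(struct rowctx *c, int posY, int height) {
    switch (c->pass) {
    case 1: c->curY += 8; if (c->curY >= height) { c->pass++; c->curY = posY + 4; } break;
    case 2: c->curY += 8; if (c->curY >= height) { c->pass++; c->curY = posY + 2; } break;
    case 3: c->curY += 4; if (c->curY >= height) { c->pass++; c->curY = posY + 1; } break;
    case 4: c->curY += 2; break;
    }
}

/* Row advance after the fix: passes with no rows are skipped in a loop. */
static void advance_new(struct rowctx *c, int posY, int height) {
    static const int step[5]  = {0, 8, 8, 4, 2};  /* row increment per pass */
    static const int start[5] = {0, 0, 4, 2, 1};  /* first row of each pass */
    c->curY += step[c->pass];
    while (c->pass > 0 && c->pass < 4 && c->curY >= height) {
        c->pass++;
        c->curY = posY + start[c->pass];
    }
}

/* Count row positions outside [0,height) among the `height` rows a decoder
 * would start writing for an interlaced frame at posY = 0. */
static int oob_rows(int height, int fixed) {
    struct rowctx c = {1, 0};
    int bad = 0;
    for (int n = 0; n < height; n++) {
        if (c.curY >= height) bad++;
        if (fixed) advance_new(&c, 0, height); else advance_old(&c, 0, height);
    }
    return bad;
}

int main(void) {
    for (int h = 1; h <= 8; h++)
        printf("height %d: old=%d out-of-range rows, fixed=%d\n",
               h, oob_rows(h, 0), oob_rows(h, 1));
    return 0;
}
```

In this model the pre-fix counter leaves the picture only for heights 2 to 4, where the second pass's start row (4) is already past the last row.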
Exploitation
An attacker can exploit this vulnerability by supplying a malicious GIF file to a program using the ngiflib library (e.g., gif2tga). No special network position is required; the attack vector is local—the victim must open the crafted file with an affected viewer or converter. The heap-buffer-overflow is triggered during the decoding process when WritePixels attempts to write pixel data at an out-of-bounds heap address [2].
Impact
Successful exploitation results in a heap buffer overflow, potentially causing a denial-of-service (crash) or, under some circumstances, arbitrary code execution [2]. The attacker can achieve memory corruption within the process, potentially leading to information disclosure or control flow hijacking.
Mitigation
The fix is available in commit 37d939a6f511d16d4c95678025c235fe62e6417a [1]. Users should update to a version that includes this patch (after 2019-09-16) or apply the patch manually. No workaround is publicly documented; avoiding processing of untrusted GIF files may reduce risk. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ngiflib/ngiflib
- Range: =0.4
Patches
- 37d939a6f511: fix deinterlacing for small pictures
2 files changed · +29 −25
invalid_gif/issue_12.gif+0 −0 addedngiflib.c+29 −25 modified@@ -6,7 +6,7 @@ /* decodeur GIF en C portable (pas de pb big/little endian) * Thomas BERNARD. janvier 2004. - * (c) 2004-2017 Thomas Bernard. All rights reserved + * (c) 2004-2019 Thomas Bernard. All rights reserved */ /* Fonction de debug */ @@ -135,29 +135,31 @@ static void WritePixel(struct ngiflib_img * i, struct ngiflib_decode_context * c break; case 1: /* 1st pass : every eighth row starting from 0 */ context->curY += 8; - if(context->curY >= p->height) { - context->pass++; - context->curY = i->posY + 4; - } break; case 2: /* 2nd pass : every eighth row starting from 4 */ context->curY += 8; - if(context->curY >= p->height) { - context->pass++; - context->curY = i->posY + 2; - } break; case 3: /* 3rd pass : every fourth row starting from 2 */ context->curY += 4; - if(context->curY >= p->height) { - context->pass++; - context->curY = i->posY + 1; - } break; case 4: /* 4th pass : every odd row */ context->curY += 2; break; } + while(context->pass > 0 && context->pass < 4 && + context->curY >= p->height) { + switch(++context->pass) { + case 2: /* 2nd pass : every eighth row starting from 4 */ + context->curY = i->posY + 4; + break; + case 3: /* 3rd pass : every fourth row starting from 2 */ + context->curY = i->posY + 2; + break; + case 4: /* 4th pass : every odd row */ + context->curY = i->posY + 1; + break; + } + } #ifndef NGIFLIB_INDEXED_ONLY if(p->mode & NGIFLIB_MODE_INDEXED) { #endif /* NGIFLIB_INDEXED_ONLY */ 
@@ -249,29 +251,31 @@ static void WritePixels(struct ngiflib_img * i, struct ngiflib_decode_context * break; case 1: /* 1st pass : every eighth row starting from 0 */ context->curY += 8; - if(context->curY >= p->height) { - context->pass++; - context->curY = i->posY + 4; - } break; case 2: /* 2nd pass : every eighth row starting from 4 */ context->curY += 8; - if(context->curY >= p->height) { - context->pass++; - context->curY = i->posY + 2; - } break; case 3: /* 3rd pass : every fourth row starting from 2 */ context->curY += 4; - if(context->curY >= p->height) { - context->pass++; - context->curY = i->posY + 1; - } break; case 4: /* 4th pass : every odd row */ context->curY += 2; break; } + while(context->pass > 0 && context->pass < 4 && + context->curY >= p->height) { + switch(++context->pass) { + case 2: /* 2nd pass : every eighth row starting from 4 */ + context->curY = i->posY + 4; + break; + case 3: /* 3rd pass : every fourth row starting from 2 */ + context->curY = i->posY + 2; + break; + case 4: /* 4th pass : every odd row */ + context->curY = i->posY + 1; + break; + } + } #ifndef NGIFLIB_INDEXED_ONLY if(p->mode & NGIFLIB_MODE_INDEXED) { #endif /* NGIFLIB_INDEXED_ONLY */
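Review bot: in the WritePixel hunk (@@ -135), the new `while` loop stops as soon as `context->pass` reaches 4, so `curY` can leave the block still out of range: if `i->posY + 1` is itself `>= p->height` the loop exits with that value, and the 4th pass's `context->curY += 2` is never compared against anything. Nothing visible in the hunk bounds `curY` after the loop, so I would add an explicit `curY < p->height` check (or an end-of-image state) before the row is used. The loop also tests against `p->height` while the restart rows are computed from `i->posY`; a comment stating which bound is intended for a frame that does not start at row 0 would help.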
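Review bot: the pass-skipping block added to WritePixels (@@ -249) is a line-for-line copy of the one added to WritePixel in the previous hunk, and keeping the bound logic in two places invites the two paths drifting apart on the next change. Suggest moving the `switch` plus `while` into one static helper taking `i`, `context` and `p`, called from both functions, so any later bounds check only has to be written once.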
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/miniupnp/ngiflib/commit/37d939a6f511d16d4c95678025c235fe62e6417a (mitre, x_refsource_MISC)
- github.com/miniupnp/ngiflib/issues/12 (mitre, x_refsource_MISC)