decoding.c in android-gif-drawable before 1.2.24 does not limit the maximum length of comment, leading to denial of service
tubeuchiha opened this issue · 2 comments
tubeuchiha commented
What are the impact surfaces by comment length?
koral-- commented
Look at https://nvd.nist.gov/vuln/detail/CVE-2022-23435
koral-- commented
Parsing a GIF file in the native code of the android-gif-drawable library causes a timeout, resulting in the hosting application using CPU and becoming unresponsive.
Impact: An attacker can send a malicious GIF file to any application that uses the android-gif-drawable library, causing the app to become unresponsive until it is killed.
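For readers of this thread, an added example (not android-gif-drawable's code and not taken from its fix) of reading a GIF89a Comment Extension with a hard cap on total comment length. The function name, return codes, sample bytes and cap values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical return codes for this example. */
enum { COMMENT_OK = 0, COMMENT_TRUNCATED = -1, COMMENT_TOO_LONG = -2 };

/* Constructed inputs: bytes that follow the 0x21 0xFE extension header. */
static const uint8_t SAMPLE_OK[]    = {2, 'h', 'i', 3, 'g', 'i', 'f', 0};
static const uint8_t SAMPLE_SHORT[] = {5, 'a', 'b'};   /* block overruns input */
static const uint8_t SAMPLE_NOEND[] = {1, 'a'};        /* no 0x00 terminator  */

/*
 * Reads the sub-blocks of a GIF89a Comment Extension: each is a size byte
 * (1..255) followed by that many data bytes; a size byte of 0 ends the
 * comment. The total is capped at out_cap, so comment data can never exceed
 * the caller's limit no matter how many sub-blocks the file chains together.
 */
int read_comment(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap,
                 size_t *comment_len)
{
    size_t pos = 0, total = 0;
    for (;;) {
        if (pos >= len) return COMMENT_TRUNCATED;       /* ran out of input */
        size_t block = buf[pos++];
        if (block == 0) break;                          /* block terminator */
        if (block > len - pos) return COMMENT_TRUNCATED;
        if (block > out_cap - total) return COMMENT_TOO_LONG; /* enforce cap */
        memcpy(out + total, buf + pos, block);
        total += block;
        pos += block;
    }
    *comment_len = total;
    return COMMENT_OK;
}

int main(void)
{
    uint8_t out[16];
    size_t n = 0;
    int rc = read_comment(SAMPLE_OK, sizeof SAMPLE_OK, out, sizeof out, &n);
    printf("rc=%d len=%zu\n", rc, n);                   /* accepted comment */
    rc = read_comment(SAMPLE_OK, sizeof SAMPLE_OK, out, 4, &n);
    printf("rc=%d with a 4-byte cap\n", rc);            /* rejected: too long */
    return 0;
}
```

Rejecting the file on `COMMENT_TOO_LONG` (rather than silently truncating) keeps the parser's state consistent with the input position.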