author | John-Mark Bell <jmb@netsurf-browser.org> | 2015-11-21 11:35:05 +0000 |
---|---|---|
committer | John-Mark Bell <jmb@netsurf-browser.org> | 2015-11-21 11:35:05 +0000 |
commit | 088fa0819f1aeaf212a95caf7393a38c1640b5f0 (patch) | |
tree | fc747052a553eb1ea117e285f5810a18975899d9 | |
parent | a268d2c15252ac58c19f1b19771822c66bcf73b2 (diff) | |
download | libnsgif-088fa0819f1aeaf212a95caf7393a38c1640b5f0.tar.gz |
Ensure code is valid before use.
Issue-reported-by: Hans Jerry Illikainen
-rw-r--r-- | src/libnsgif.c | 6 | ||||
-rw-r--r-- | test/data/lzwoob.gif | bin | 0 -> 40 bytes |
2 files changed, 4 insertions, 2 deletions
diff --git a/src/libnsgif.c b/src/libnsgif.c
index 4e45c50..87371f2 100644
--- a/src/libnsgif.c
+++ b/src/libnsgif.c
@@ -1221,7 +1221,8 @@ static bool gif_next_LZW(gif_animation *gif) {
 *
 * Note: our stack is always big enough to hold a complete decompressed chunk. */
 while (code >= clear_code) {
- if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2) ||
+ code >= (1 << GIF_MAX_LZW)) {
 gif->current_error = GIF_FRAME_DATA_ERROR;
 return false;
 }
@@ -1232,7 +1233,8 @@ static bool gif_next_LZW(gif_animation *gif) {
 break;
 }
 
- if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2) ||
+ new_code >= (1 << GIF_MAX_LZW)) {
 gif->current_error = GIF_FRAME_DATA_ERROR;
 return false;
 }
diff --git a/test/data/lzwoob.gif b/test/data/lzwoob.gif
Binary files differ
new file mode 100644
index 0000000..c0c03b5
--- /dev/null
+++ b/test/data/lzwoob.gif |
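Review bot: The new guards on `code` (first hunk) and `new_code` (second hunk) compare against a hand-written `(1 << GIF_MAX_LZW)` that nothing visible ties to the size of whatever these values index. The indexing statements and the table declaration are outside both hunks, and gif_next_LZW starts and ends outside them, so the bound should be confirmed against the declared dimension. Using one named constant for both the declaration and the checks would keep them in step if the table is ever resized, for example `#define GIF_LZW_TABLE_SIZE (1 << GIF_MAX_LZW)` (a proposed name, not one from the file). The existing "our stack is always big enough" comment now sits directly above two rejection paths, so a short why-comment would help: `/* code originates from file data: reject values outside the LZW table before they are used as an index */`. It is also worth checking whether the value can be range-checked once where it is first produced from the stream, which would cover any other use in the function.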