authorJohn-Mark Bell <jmb@netsurf-browser.org>2015-11-21 11:35:05 (GMT)
committer John-Mark Bell <jmb@netsurf-browser.org>2015-11-21 11:35:05 (GMT)
commit088fa0819f1aeaf212a95caf7393a38c1640b5f0 (patch)
treefc747052a553eb1ea117e285f5810a18975899d9
parenta268d2c15252ac58c19f1b19771822c66bcf73b2 (diff)
Ensure code is valid before use.
Issue-reported-by: Hans Jerry Illikainen
-rw-r--r--src/libnsgif.c6
-rw-r--r--test/data/lzwoob.gifbin0 -> 40 bytes
2 files changed, 4 insertions, 2 deletions
diff --git a/src/libnsgif.c b/src/libnsgif.c
index 4e45c50..87371f2 100644
--- a/src/libnsgif.c
+++ b/src/libnsgif.c
@@ -1221,7 +1221,8 @@ static bool gif_next_LZW(gif_animation *gif) {
*
* Note: our stack is always big enough to hold a complete decompressed chunk. */
while (code >= clear_code) {
- if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2) ||
+ code >= (1 << GIF_MAX_LZW)) {
gif->current_error = GIF_FRAME_DATA_ERROR;
return false;
}
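Review bot: The added `code >= (1 << GIF_MAX_LZW)` test in the first condition bounds the code by the table's capacity, not by the number of entries the decoder has assigned so far. A code above the highest assigned entry but below the capacity still passes, and the table lookup that presumably follows would read a slot the current stream never wrote. Whether those slots are reset when a clear code arrives is not visible in the hunk; if they are not, stale entries from earlier data could reach the output. Consider also rejecting codes above the current highest assigned code, and adding a comment such as `/* code indexes the LZW table; reject anything past its end */`, since the existing note above the loop only covers the stack. The same applies to the `new_code` check in the second hunk; gif_next_LZW starts and ends outside both hunks.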
@@ -1232,7 +1233,8 @@ static bool gif_next_LZW(gif_animation *gif) {
break;
}
- if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2) ||
+ new_code >= (1 << GIF_MAX_LZW)) {
gif->current_error = GIF_FRAME_DATA_ERROR;
return false;
}
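Review bot: The bound `(1 << GIF_MAX_LZW)` is now spelled out four times across the two conditions in this commit, twice of them inside the stack limit `stack + ((1 << GIF_MAX_LZW) * 2)`. If a later edit changes one copy and not the others, the out-of-range case this commit closes could reopen without any compiler warning. A named constant would keep them in step, for example `#define GIF_LZW_TABLE_SIZE (1 << GIF_MAX_LZW)` used as `new_code >= GIF_LZW_TABLE_SIZE`. That name is only a suggestion; the table's declaration is outside the hunk and should use the same constant.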
diff --git a/test/data/lzwoob.gif b/test/data/lzwoob.gif
new file mode 100644
index 0000000..c0c03b5
--- a/dev/null
+++ b/test/data/lzwoob.gif
Binary files differ