authorJohn-Mark Bell <jmb@netsurf-browser.org>2015-11-21 11:24:56 +0000
committerJohn-Mark Bell <jmb@netsurf-browser.org>2015-11-21 11:24:56 +0000
commita268d2c15252ac58c19f1b19771822c66bcf73b2 (patch)
tree32145dce45e7698004313e5a7be9ce547f5307dc /src
parent5446c3c056f30d98c725e1899a92e104ad70c7e0 (diff)
Ensure LZW decode stack does not overflow.
Issue-reported-by: Hans Jerry Illikainen
Diffstat (limited to 'src')
-rw-r--r--src/libnsgif.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/libnsgif.c b/src/libnsgif.c
index 0047ee0..4e45c50 100644
--- a/src/libnsgif.c
+++ b/src/libnsgif.c
@@ -1208,6 +1208,10 @@ static bool gif_next_LZW(gif_animation *gif) {
incode = code;
if (code >= max_code) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
*stack_pointer++ = firstcode;
code = oldcode;
}
@@ -1217,12 +1221,21 @@ static bool gif_next_LZW(gif_animation *gif) {
*
* Note: our stack is always big enough to hold a complete decompressed chunk. */
while (code >= clear_code) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
*stack_pointer++ = table[1][code];
new_code = table[0][code];
if (new_code < clear_code) {
code = new_code;
break;
}
+
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
*stack_pointer++ = table[1][new_code];
code = table[0][new_code];
if (code == new_code) {
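Review bot: The comment immediately above the loop, `Note: our stack is always big enough to hold a complete decompressed chunk.`, is now contradicted by the bounds checks added directly beneath it, and a reader will take the comment as licence to drop the checks later; it should be reworded to say that a malformed stream can emit more codes than the stack holds, so every push is guarded and fails with `GIF_FRAME_DATA_ERROR`. The guard expression `stack + ((1 << GIF_MAX_LZW) * 2)` is spelled out four times across this and the two neighbouring hunks; computing it once before the loop as a `stack_end` pointer of the same element type as `stack` (declared outside the hunk) and writing each guard as `if (stack_pointer >= stack_end)` keeps the limit in one place and makes it straightforward to confirm it matches the array's declared size. Both pushes in the loop body (`table[1][code]` and `table[1][new_code]`) are guarded individually, which is correct since an iteration can advance the pointer twice. The enclosing function gif_next_LZW begins and ends outside the hunk.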
@@ -1231,6 +1244,10 @@ static bool gif_next_LZW(gif_animation *gif) {
}
}
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
*stack_pointer++ = firstcode = table[1][code];
if ((code = max_code) < (1 << GIF_MAX_LZW)) {