-rw-r--r--src/libnsgif.c17
-rw-r--r--test/data/lzwof.gifbin0 -> 40 bytes
2 files changed, 17 insertions, 0 deletions
diff --git a/src/libnsgif.c b/src/libnsgif.c
index 0047ee0..4e45c50 100644
--- a/src/libnsgif.c
+++ b/src/libnsgif.c
@@ -1208,6 +1208,10 @@ static bool gif_next_LZW(gif_animation *gif) {
incode = code;
if (code >= max_code) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
*stack_pointer++ = firstcode;
code = oldcode;
}
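Review bot: The limit `stack + ((1 << GIF_MAX_LZW) * 2)` is written out by hand in this guard and again in the three guards added in the later hunks, so each check is only correct while it matches the declaration of `stack`, which is not visible in this diff. Since these guards are what stop frame data from writing past the end of the decode stack, the limit should be computed once from the array itself, assuming `stack` is a true array in this file: `unsigned char *const stack_end = stack + sizeof(stack) / sizeof(stack[0]);`, with each guard reduced to `if (stack_pointer >= stack_end) {`. The element type in that line is a guess and should follow the real declaration. The body of gif_next_LZW starts and ends outside this hunk.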
@@ -1217,12 +1221,21 @@ static bool gif_next_LZW(gif_animation *gif) {
*
* Note: our stack is always big enough to hold a complete decompressed chunk. */
while (code >= clear_code) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
*stack_pointer++ = table[1][code];
new_code = table[0][code];
if (new_code < clear_code) {
code = new_code;
break;
}
+
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
*stack_pointer++ = table[1][new_code];
code = table[0][new_code];
if (code == new_code) {
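Review bot: The context comment just above the loop, "Note: our stack is always big enough to hold a complete decompressed chunk", is contradicted by the two guards this hunk adds beneath it, and leaving it in place invites a later reader to remove the checks as redundant. It should be rewritten to state the real invariant, for example `* Note: corrupt LZW data can yield a chain longer than the stack, so every push is bounds-checked and the frame fails with GIF_FRAME_DATA_ERROR.` It would also help to record whether the decoder state is reset before the next frame after such a failure, which cannot be told from the lines shown. The hunk ends inside the `if (code == new_code)` body, so the rest of the loop is not visible.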
@@ -1231,6 +1244,10 @@ static bool gif_next_LZW(gif_animation *gif) {
}
}
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
*stack_pointer++ = firstcode = table[1][code];
if ((code = max_code) < (1 << GIF_MAX_LZW)) {
diff --git a/test/data/lzwof.gif b/test/data/lzwof.gif
new file mode 100644
index 0000000..43081ea
--- /dev/null
+++ b/test/data/lzwof.gif
Binary files differ