From a268d2c15252ac58c19f1b19771822c66bcf73b2 Mon Sep 17 00:00:00 2001
From: John-Mark Bell
Date: Sat, 21 Nov 2015 11:24:56 +0000
Subject: Ensure LZW decode stack does not overflow.
Issue-reported-by: Hans Jerry Illikainen
---
 src/libnsgif.c | 17 +++++++++++++++++
 test/data/lzwof.gif | Bin 0 -> 40 bytes
 2 files changed, 17 insertions(+)
 create mode 100644 test/data/lzwof.gif
diff --git a/src/libnsgif.c b/src/libnsgif.c
index 0047ee0..4e45c50 100644
--- a/src/libnsgif.c
+++ b/src/libnsgif.c
@@ -1208,6 +1208,10 @@ static bool gif_next_LZW(gif_animation *gif) {
 incode = code;
 if (code >= max_code) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
 *stack_pointer++ = firstcode;
 code = oldcode;
 }
@@ -1217,12 +1221,21 @@ static bool gif_next_LZW(gif_animation *gif) {
 *
 * Note: our stack is always big enough to hold a complete decompressed chunk. */
 while (code >= clear_code) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
 *stack_pointer++ = table[1][code];
 new_code = table[0][code];
 if (new_code < clear_code) {
 code = new_code;
 break;
 }
+
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
 *stack_pointer++ = table[1][new_code];
 code = table[0][new_code];
 if (code == new_code) {
@@ -1231,6 +1244,10 @@ static bool gif_next_LZW(gif_animation *gif) {
 }
 }
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
 *stack_pointer++ = firstcode = table[1][code];
 if ((code = max_code) < (1 << GIF_MAX_LZW)) {
diff --git a/test/data/lzwof.gif b/test/data/lzwof.gif
new file mode 100644
index 0000000..43081ea
Binary files /dev/null and b/test/data/lzwof.gif differ
--
cgit v1.2.3
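Review bot: The limit `stack + ((1 << GIF_MAX_LZW) * 2)` is spelled out by hand in all four new guards, here and in the two following hunks, and it must stay equal to the declared size of `stack`, which is outside the hunk and presumably uses the same expression; if either side is edited on its own the check silently stops protecting the write. Computing the bound once next to the declaration, e.g. `const unsigned char *stack_end = stack + ((1 << GIF_MAX_LZW) * 2);` (pointer type to match whatever `stack` actually is), and writing each guard as `if (stack_pointer >= stack_end) {` keeps the four checks identical and tied to the array size. The body of gif_next_LZW begins before this hunk and ends after the third, so the declarations of `stack` and `stack_pointer` cannot be confirmed from here.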
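Review bot: The context comment `Note: our stack is always big enough to hold a complete decompressed chunk.` is now contradicted by the guards added directly under it in the second hunk, which exist because malformed input can push more entries than the stack holds. It should be reworded, for example to `Note: the stack is sized for a complete decompressed chunk; the bound checks below reject input that would overrun it.`, so a later reader does not take the old invariant at face value and remove a check as redundant. The while loop and the enclosing function both continue past the end of this hunk.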