authorSebastian Rasmussen <sebras@gmail.com>2016-09-26 02:17:52 +0800
committerSebastian Rasmussen <sebras@gmail.com>2016-09-26 18:47:26 +0800
commit0ec9f9221b8801bfc62b5cb13f21a5628f681fa9 (patch)
tree5ab73b3fae319ebbafdfb0697c7449f27f58ecc3 /source/fitz/load-gif.c
parent6c6c5c6601f53859d9422ab715c8907dacb4ffc0 (diff)
gif: If decompression fails, don't rely on uninitialized buffer data.
Diffstat (limited to 'source/fitz/load-gif.c')
-rw-r--r--source/fitz/load-gif.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/source/fitz/load-gif.c b/source/fitz/load-gif.c
index 096fa12f..3d8a7354 100644
--- a/source/fitz/load-gif.c
+++ b/source/fitz/load-gif.c
@@ -248,7 +248,8 @@ gif_read_tbid(fz_context *ctx, struct info *info, unsigned char *dest, unsigned
lzwstm = fz_open_lzwd(ctx, stm, 0, mincodesize + 1, 1, 0);
uncompressed = fz_read_all(ctx, lzwstm, info->image_width * info->image_height);
- sp = uncompressed->data;
+ if (uncompressed->len < info->image_width * info->image_height)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "premature end in compressed table based image data in gif image");
if (info->has_lct)
ct = info->lct;
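Review bot: The added length check multiplies `info->image_width * info->image_height` in whatever type those fields have, and the same product is computed separately for the `fz_read_all` call two lines above. The declarations are outside the hunk, but if the fields are signed `int` the product could overflow for large GIF dimensions, and if they are unsigned the comparison with `uncompressed->len` may mix signedness. Computing the size once in a wide unsigned type and using it in both places would make the bound explicit, e.g. `size_t need = (size_t)info->image_width * info->image_height;` followed by `if ((size_t)uncompressed->len < need)`. The throw also fires after `lzwstm` and `uncompressed` have been acquired, so their release presumably depends on an enclosing `fz_try`/`fz_always` that is not visible here; the body of gif_read_tbid starts and ends outside the hunk.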
@@ -257,6 +258,7 @@ gif_read_tbid(fz_context *ctx, struct info *info, unsigned char *dest, unsigned
else
ct = dct;
+ sp = uncompressed->data;
if (info->image_interlaced)
{
for (y = 0; y < info->image_height; y += 8, sp += info->image_width)