author | Nicolas Pena <npm@chromium.org> | 2017-01-16 13:27:06 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-01-16 22:24:15 +0000 |
commit | 6b71f22093fc4abb2da39f5a58b29c45c17ff99a (patch) | |
tree | ad94c13914c59ad30191af043699485702c3c0cd | |
parent | ff920ae3e181de9275f1d4c9b4b54fe2a7a54560 (diff) | |
download | pdfium-chromium/2984.tar.xz |
Return early when gif_img_row_bytes is 0 (chromium/2984)
We can get into a loop when gif_img_row_bytes is 0 since Decode will
return 3 when the second parameter is 0, and there is a while(ret!=0).
BUG=681170
Change-Id: I63502a8487c07030fce2373f74cec6b4f0c98297
Reviewed-on: https://pdfium-review.googlesource.com/2211
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
-rw-r--r-- | core/fxcodec/lgif/fx_gif.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp index 43a6460428..93db181a98 100644 --- a/core/fxcodec/lgif/fx_gif.cpp +++ b/core/fxcodec/lgif/fx_gif.cpp @@ -841,6 +841,10 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) { uint32_t skip_size_org = gif_ptr->skip_size; GifImage* gif_image_ptr = (*gif_ptr->img_ptr_arr_ptr)[frame_num]; uint32_t gif_img_row_bytes = gif_image_ptr->image_info_ptr->width; + if (gif_img_row_bytes == 0) { + gif_error(gif_ptr, "Error Invalid Number of Row Bytes"); + return 0; + } if (gif_ptr->decode_status == GIF_D_STATUS_TAIL) { if (gif_image_ptr->image_row_buf) { FX_Free(gif_image_ptr->image_row_buf); |
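Review bot: The zero check added in gif_load_frame guards only this one use, right after gif_img_row_bytes is read from `gif_image_ptr->image_info_ptr->width`; a frame whose width is 0 has already been stored in img_ptr_arr_ptr by the time this runs, so any other code that consumes that width needs its own guard. Consider rejecting a zero width where the image descriptor is parsed and keeping this check as a backstop. Two smaller points: the message "Error Invalid Number of Row Bytes" could name the actual cause (zero image width), and a short comment on `return 0;` would help, since the hunk does not show whether gif_error returns or what 0 means to the caller. The diffstat lists only fx_gif.cpp, so a regression test that feeds a zero-width frame for BUG=681170 would be worth adding alongside the fix.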