summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-01-16 13:27:06 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-01-16 22:24:15 +0000
commit6b71f22093fc4abb2da39f5a58b29c45c17ff99a (patch)
treead94c13914c59ad30191af043699485702c3c0cd
parentff920ae3e181de9275f1d4c9b4b54fe2a7a54560 (diff)
downloadpdfium-chromium/2984.tar.xz
Return early when gif_img_row_bytes is 0chromium/2984
We can get into a loop when gif_img_row_bytes is 0 since Decode will return 3 when the second parameter is 0, and there is a while(ret!=0). BUG=681170 Change-Id: I63502a8487c07030fce2373f74cec6b4f0c98297 Reviewed-on: https://pdfium-review.googlesource.com/2211 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
-rw-r--r--core/fxcodec/lgif/fx_gif.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp
index 43a6460428..93db181a98 100644
--- a/core/fxcodec/lgif/fx_gif.cpp
+++ b/core/fxcodec/lgif/fx_gif.cpp
@@ -841,6 +841,10 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) {
uint32_t skip_size_org = gif_ptr->skip_size;
GifImage* gif_image_ptr = (*gif_ptr->img_ptr_arr_ptr)[frame_num];
uint32_t gif_img_row_bytes = gif_image_ptr->image_info_ptr->width;
+ if (gif_img_row_bytes == 0) {
+ gif_error(gif_ptr, "Error Invalid Number of Row Bytes");
+ return 0;
+ }
if (gif_ptr->decode_status == GIF_D_STATUS_TAIL) {
if (gif_image_ptr->image_row_buf) {
FX_Free(gif_image_ptr->image_row_buf);