diff options
author | Nicolas Pena <npm@chromium.org> | 2017-05-15 10:59:07 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-05-15 15:54:13 +0000 |
commit | 34f8e1fd650883c8107d925a6c6b87090d52d278 (patch) | |
tree | ec7b90043be6d4ae00920dfe71a452174fc75b98 | |
parent | d2afac1e9200478997e308eecc582a073185d7ab (diff) | |
download | pdfium-34f8e1fd650883c8107d925a6c6b87090d52d278.tar.xz |
Gif: error out on invalid code sizeschromium/3101
From the Gif spec:
'The output codes are of variable length, starting at <code size>+1 bits per
code, up to 12 bits per code. This defines a maximum code value of 4095
(0xFFF).'
'Because the LZW compression used for GIF creates a series of variable length
codes, of between 3 and 12 bits each'
Bug: chromium:722115
Change-Id: Ic9cff99e6012195a6b5173693b029dc710285688
Reviewed-on: https://pdfium-review.googlesource.com/5490
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
-rw-r--r-- | core/fxcodec/lgif/fx_gif.cpp | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp index dd80dc65f7..0b56f3a509 100644 --- a/core/fxcodec/lgif/fx_gif.cpp +++ b/core/fxcodec/lgif/fx_gif.cpp @@ -220,7 +220,7 @@ CGifLZWDecoder::~CGifLZWDecoder() {} void CGifLZWDecoder::InitTable(uint8_t code_len) { code_size = code_len; - ASSERT(code_size < 32); + ASSERT(code_size < 13); code_clear = 1 << code_size; code_end = code_clear + 1; bits_left = 0; @@ -244,10 +244,7 @@ void CGifLZWDecoder::ClearTable() { void CGifLZWDecoder::DecodeString(uint16_t code) { stack_size = 0; - while (true) { - if (code < code_clear || code > code_next) - break; - + while (code >= code_clear && code <= code_next) { stack[GIF_MAX_LZW_CODE - 1 - stack_size++] = code_table[code].suffix; code = code_table[code].prefix; } @@ -553,7 +550,7 @@ GifDecodeStatus gif_load_frame(CGifContext* context, int32_t frame_num) { return GifDecodeStatus::Error; } } - if (gif_image_ptr->image_code_size >= 32) { + if (gif_image_ptr->image_code_size >= 13) { gif_image_ptr->m_ImageRowBuf.clear(); context->ThrowError("Error Invalid Code Size"); NOTREACHED(); |