author | Nicolas Pena <npm@chromium.org> | 2017-01-10 14:00:16 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-01-10 19:49:11 +0000 |
commit | 29a9f87a8bcd1b6913bb070c5a1514af41fab3ef (patch) | |
tree | 434e77b043407957a4c244541d2affa00d50fd60 | |
parent | d18b8674378b104a9b5bb1f015e3f92fc174673e (diff) | |
download | pdfium-29a9f87a8bcd1b6913bb070c5a1514af41fab3ef.tar.xz |
Restrict code size in CGifLZWDecoder (chromium/2978)
The code_size variable is the number of bits. We should make sure that
the size is at most 31 to avoid having undefined shifts etc.
BUG=620661
Change-Id: Ia533386d01de93a55048cfd63d63989b2731a210
Reviewed-on: https://pdfium-review.googlesource.com/2161
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
-rw-r--r-- | core/fxcodec/lgif/fx_gif.cpp | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp
index 0e2626984b..87525b25b7 100644
--- a/core/fxcodec/lgif/fx_gif.cpp
+++ b/core/fxcodec/lgif/fx_gif.cpp
@@ -37,6 +37,7 @@ CGifLZWDecoder::~CGifLZWDecoder() {}
 void CGifLZWDecoder::InitTable(uint8_t code_len) {
   code_size = code_len;
+  ASSERT(code_size < 32);
   code_clear = 1 << code_size;
   code_end = code_clear + 1;
   bits_left = 0;
@@ -230,6 +231,7 @@ void CGifLZWEncoder::Start(uint8_t code_len,
                            uint8_t*& dst_buf,
                            uint32_t& offset) {
   code_size = code_len + 1;
+  ASSERT(code_size < 32);
   src_bit_cut = code_size;
   if (code_len == 0) {
     src_bit_cut = 1;
@@ -889,6 +891,12 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) {
       return 0;
     }
   }
+  if (gif_image_ptr->image_code_size >= 32) {
+    FX_Free(gif_image_ptr->image_row_buf);
+    gif_image_ptr->image_row_buf = nullptr;
+    gif_error(gif_ptr, "Error Invalid Code Size");
+    return 0;
+  }
   if (!gif_ptr->img_decoder_ptr)
     gif_ptr->img_decoder_ptr = new CGifLZWDecoder(gif_ptr->err_ptr);
   gif_ptr->img_decoder_ptr->InitTable(gif_image_ptr->image_code_size);
@@ -1156,6 +1164,8 @@ static bool gif_write_data(gif_compress_struct_p gif_ptr,
     GifGF& gf = (GifGF&)gif_ptr->lsd_ptr->global_flag;
     code_bit = gf.pal_bits;
   }
+  if (code_bit >= 31)
+    return false;
   gif_ptr->img_encoder_ptr->Start(code_bit, gif_ptr->src_buf, dst_buf,
                                   gif_ptr->cur_offset);
   uint32_t i;
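Review bot: The `ASSERT(code_size < 32)` added to CGifLZWDecoder::InitTable only documents a precondition; if ASSERT compiles out of release builds as it presumably does in this codebase, the `1 << code_size` on the next line is still unguarded inside this method and relies entirely on every caller checking first. The bound is also the loosest possible rather than a safe one: with code_size == 31 the shift yields 2^31, which a signed int cannot hold (implementation-defined in C++14, undefined before that), and a GIF LZW stream never needs more than 12-bit codes, so any code_size in 12..31 passes the assert yet produces a clear code far larger than a 12-bit code table can hold, if the decoder's table is fixed-size as is usual (not visible here). I would make the method reject out-of-range sizes itself rather than trust the caller, e.g. `if (code_len > 11) { code_size = 0; return; }` with a documented failure mode, or at minimum tighten the assertion to the format's ceiling, `ASSERT(code_size <= 12);`. InitTable's body continues past the end of the hunk.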
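Review bot: In CGifLZWEncoder::Start the assertion is evaluated after the arithmetic, so it checks the stored result rather than the input: if the code_size member is narrower than int (its declaration is not in the hunk), `code_len + 1` can wrap for code_len == 255 and the assert passes with a code_size of 0. Asserting on the parameter before the addition removes that dependency on the member's width, `ASSERT(code_len < 31);` placed ahead of `code_size = code_len + 1;`. As with the decoder, this is a debug-only check; the real guard is the `code_bit >= 31` test in gif_write_data, which is the only caller visible here. Start's signature begins and its body ends outside the hunk.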
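Review bot: The new check in gif_load_frame rejects image_code_size values of 32 and above, but image_code_size is read straight from the file, and the GIF format itself never uses an LZW minimum code size above 8 (12 is the hard ceiling, since codes grow to at most 12 bits). Values 12..31 therefore still pass, reach InitTable, and set code_clear to 1 << code_size, which overflows any 4096-entry LZW table if that is how the decoder's table is sized elsewhere in this file. Unless the decoder is known to cope with larger clear codes, the bound should follow the format rather than the shift width: `if (gif_image_ptr->image_code_size > 11) {` with the same cleanup and `gif_error` path as written. Freeing and nulling image_row_buf before returning matches the surrounding error exits, so that part looks right.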
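Review bot: The `code_bit >= 31` guard in gif_write_data is off by one from the decoder's `>= 32` for a reason that is invisible at this call site — CGifLZWEncoder::Start computes `code_len + 1` — and without a comment the next reader will be tempted to "align" the two bounds. Suggest `// Start() uses code_bit + 1 bits; keep that below 32 so 1 << code_size stays defined.` above the `if`. Note also that this exit returns false silently, whereas the decoder-side rejection reports through gif_error; whether the encoder's callers surface a reason is not visible here. gif_write_data starts before the hunk and continues after it.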