diff options
| author | Nicolas Pena <npm@chromium.org> | 2017-01-16 13:12:15 -0500 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-01-16 18:32:51 +0000 |
| commit | 135609831bcad2da79d720cfdd3b55929b48b0ea (patch) | |
| tree | 2cc987bdf9505e51dd5787521de2e3b928b075e1 | |
| parent | 38c8660228ccedcae079c277eaf0f4bbb5eae65b (diff) | |
| download | pdfium-135609831bcad2da79d720cfdd3b55929b48b0ea.tar.xz | |
Return error when bits_left is too big
BUG=680062
Change-Id: I9e2fd960915cd1de5e0cc15aeabf9ccf27e5a795
Reviewed-on: https://pdfium-review.googlesource.com/2212
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
| -rw-r--r-- | core/fxcodec/lgif/fx_gif.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp index eb6bdd3bea..43a6460428 100644 --- a/core/fxcodec/lgif/fx_gif.cpp +++ b/core/fxcodec/lgif/fx_gif.cpp @@ -109,6 +109,11 @@ int32_t CGifLZWDecoder::Decode(uint8_t* des_buf, uint32_t& des_size) { return 0; } if (avail_in > 0) { + if (bits_left > 31) { + if (err_msg_ptr) + FXSYS_strncpy(err_msg_ptr, "Decode Error", GIF_MAX_ERROR_SIZE - 1); + return 0; + } code_store |= (*next_in++) << bits_left; avail_in--; bits_left += 8; |