authorNicolas Pena <npm@chromium.org>2017-01-25 11:09:09 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-01-25 23:25:24 +0000
commit5c1673db6deae2e1858c4ffc3b3a0b79901dd827 (patch)
tree51541b0c1af8f127eed6a4f8e75d5916793565a8
parent4fc34fa8376dd5cd119606ba6e0dd7e08d23ac38 (diff)
Calculate code_store safely in CGifLZWDecoder::Decode
BUG=682628 Change-Id: I8e88cc0c8392b078afb73f9549ea4dea9a5717fd Reviewed-on: https://pdfium-review.googlesource.com/2390 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
-rw-r--r--core/fxcodec/lgif/fx_gif.cpp12
1 files changed, 11 insertions, 1 deletions
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp
index 93db181a98..d62dacb36c 100644
--- a/core/fxcodec/lgif/fx_gif.cpp
+++ b/core/fxcodec/lgif/fx_gif.cpp
@@ -114,7 +114,17 @@ int32_t CGifLZWDecoder::Decode(uint8_t* des_buf, uint32_t& des_size) {
FXSYS_strncpy(err_msg_ptr, "Decode Error", GIF_MAX_ERROR_SIZE - 1);
return 0;
}
- code_store |= (*next_in++) << bits_left;
+ pdfium::base::CheckedNumeric<uint32_t> safe_code = *next_in++;
+ safe_code <<= bits_left;
+ safe_code |= code_store;
+ if (!safe_code.IsValid()) {
+ if (err_msg_ptr) {
+ FXSYS_strncpy(err_msg_ptr, "Code Store Out Of Range",
+ GIF_MAX_ERROR_SIZE - 1);
+ }
+ return 0;
+ }
+ code_store = safe_code.ValueOrDie();
avail_in--;
bits_left += 8;
}
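Review bot: On the new error path the input cursor and the byte counter fall out of step: `*next_in++` on the first added line advances `next_in` before `IsValid()` is checked, while `avail_in--` runs only after the check succeeds. If a caller keeps using the decoder after a 0 return (not visible here; the enclosing loop and the rest of Decode lie outside the hunk), the next read would start one byte ahead of what `avail_in` accounts for. Initialising with `= *next_in;` and placing `++next_in;` next to `avail_in--;` keeps the two in step on both paths. The diffstat shows only fx_gif.cpp changed, so a malformed-GIF regression case that drives the shift out of range would be worth adding with this fix.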