authorNicolas Pena <npm@chromium.org>2017-05-15 10:59:07 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-05-15 15:54:13 +0000
commit34f8e1fd650883c8107d925a6c6b87090d52d278 (patch)
treeec7b90043be6d4ae00920dfe71a452174fc75b98 /core
parentd2afac1e9200478997e308eecc582a073185d7ab (diff)
downloadpdfium-34f8e1fd650883c8107d925a6c6b87090d52d278.tar.xz
Gif: error out on invalid code sizeschromium/3101
From the Gif spec: 'The output codes are of variable length, starting at <code size>+1 bits per code, up to 12 bits per code. This defines a maximum code value of 4095 (0xFFF).' 'Because the LZW compression used for GIF creates a series of variable length codes, of between 3 and 12 bits each' Bug: chromium:722115 Change-Id: Ic9cff99e6012195a6b5173693b029dc710285688 Reviewed-on: https://pdfium-review.googlesource.com/5490 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fxcodec/lgif/fx_gif.cpp9
1 files changed, 3 insertions, 6 deletions
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp
index dd80dc65f7..0b56f3a509 100644
--- a/core/fxcodec/lgif/fx_gif.cpp
+++ b/core/fxcodec/lgif/fx_gif.cpp
@@ -220,7 +220,7 @@ CGifLZWDecoder::~CGifLZWDecoder() {}
void CGifLZWDecoder::InitTable(uint8_t code_len) {
code_size = code_len;
- ASSERT(code_size < 32);
+ ASSERT(code_size < 13);
code_clear = 1 << code_size;
code_end = code_clear + 1;
bits_left = 0;
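Review bot: The tightened `ASSERT(code_size < 13)` is a debug-only check, so in release builds nothing in InitTable itself stops `code_clear = 1 << code_size` from being computed for an out-of-range value; the real guard is the `image_code_size >= 13` rejection in gif_load_frame, and that relationship is not recorded here. A one-line precondition comment above the assert would make the dependency explicit, e.g. `// Caller (gif_load_frame) rejects code sizes > 12 before reaching here; LZW codes are at most 12 bits, so this assert is a debug aid, not the validation.` Having the same literal 13 in both places also invites drift if one is edited without the other; a shared named constant for the 12-bit maximum would tie them together. InitTable's body continues past the end of the hunk.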
@@ -244,10 +244,7 @@ void CGifLZWDecoder::ClearTable() {
void CGifLZWDecoder::DecodeString(uint16_t code) {
stack_size = 0;
- while (true) {
- if (code < code_clear || code > code_next)
- break;
-
+ while (code >= code_clear && code <= code_next) {
stack[GIF_MAX_LZW_CODE - 1 - stack_size++] = code_table[code].suffix;
code = code_table[code].prefix;
}
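Review bot: The rewritten loop condition is equivalent to the old break, but the write to `stack[GIF_MAX_LZW_CODE - 1 - stack_size++]` is still bounded only by the assumption that following `code_table[code].prefix` reaches a value below `code_clear` within `GIF_MAX_LZW_CODE` steps. If the table can ever hold a prefix that is not strictly smaller than its own index (this hunk does not show where prefixes are written, so that is an inference), the chain would not be guaranteed to shrink and the index would go negative; adding `stack_size < GIF_MAX_LZW_CODE` to the loop condition, `while (code >= code_clear && code <= code_next && stack_size < GIF_MAX_LZW_CODE) {`, makes the stack write safe regardless of table contents. DecodeString's body continues past the end of the hunk.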
@@ -553,7 +550,7 @@ GifDecodeStatus gif_load_frame(CGifContext* context, int32_t frame_num) {
return GifDecodeStatus::Error;
}
}
- if (gif_image_ptr->image_code_size >= 32) {
+ if (gif_image_ptr->image_code_size >= 13) {
gif_image_ptr->m_ImageRowBuf.clear();
context->ThrowError("Error Invalid Code Size");
NOTREACHED();
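Review bot: The new check rejects only the upper end of the range, while the spec text quoted in the description ("between 3 and 12 bits each") also implies a lower bound, since the first codes are `<code size>+1` bits wide; whether sizes 0 and 1 are meant to be accepted here cannot be told from this hunk, so the condition should either document that choice, e.g. `// LZW codes are at most 12 bits (code size + 1 <= 12); smaller sizes are tolerated.`, or reject them alongside. The bare literal 13 repeats the one in CGifLZWDecoder::InitTable's assert; a single named constant shared by both would keep the two limits from diverging. The enclosing gif_load_frame starts and ends outside the hunk.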