Gif: error out on invalid code sizeschromium/3101

From the Gif spec:
'The output codes are of variable length, starting at <code size>+1 bits per
code, up to 12 bits per code. This defines a maximum code value of 4095
(0xFFF).'
'Because the LZW compression used for GIF creates a series of variable length
codes, of between 3 and 12 bits each'

Bug: chromium:722115
Change-Id: Ic9cff99e6012195a6b5173693b029dc710285688
Reviewed-on: https://pdfium-review.googlesource.com/5490
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>

1 files changed, 3 insertions, 6 deletions

diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp
index dd80dc65f7..0b56f3a509 100644
--- a/core/fxcodec/lgif/fx_gif.cpp
+++ b/core/fxcodec/lgif/fx_gif.cpp
@@ -220,7 +220,7 @@ CGifLZWDecoder::~CGifLZWDecoder() {}
 
 void CGifLZWDecoder::InitTable(uint8_t code_len) {
   code_size = code_len;
-  ASSERT(code_size < 32);
+  ASSERT(code_size < 13);
   code_clear = 1 << code_size;
   code_end = code_clear + 1;
   bits_left = 0;
@@ -244,10 +244,7 @@ void CGifLZWDecoder::ClearTable() {
 
 void CGifLZWDecoder::DecodeString(uint16_t code) {
   stack_size = 0;
-  while (true) {
-    if (code < code_clear || code > code_next)
-      break;
-
+  while (code >= code_clear && code <= code_next) {
     stack[GIF_MAX_LZW_CODE - 1 - stack_size++] = code_table[code].suffix;
     code = code_table[code].prefix;
   }
@@ -553,7 +550,7 @@ GifDecodeStatus gif_load_frame(CGifContext* context, int32_t frame_num) {
         return GifDecodeStatus::Error;
       }
     }
-    if (gif_image_ptr->image_code_size >= 32) {
+    if (gif_image_ptr->image_code_size >= 13) {
       gif_image_ptr->m_ImageRowBuf.clear();
       context->ThrowError("Error Invalid Code Size");
       NOTREACHED();