From 135609831bcad2da79d720cfdd3b55929b48b0ea Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Mon, 16 Jan 2017 13:12:15 -0500
Subject: Return error when bits_left is too big
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG=680062

Change-Id: I9e2fd960915cd1de5e0cc15aeabf9ccf27e5a795
Reviewed-on: https://pdfium-review.googlesource.com/2212
Commit-Queue: Nicolás Peña
Reviewed-by: dsinclair
---
 core/fxcodec/lgif/fx_gif.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp
index eb6bdd3bea..43a6460428 100644
--- a/core/fxcodec/lgif/fx_gif.cpp
+++ b/core/fxcodec/lgif/fx_gif.cpp
@@ -109,6 +109,11 @@ int32_t CGifLZWDecoder::Decode(uint8_t* des_buf, uint32_t& des_size) {
     return 0;
   }
   if (avail_in > 0) {
+    if (bits_left > 31) {
+      if (err_msg_ptr)
+        FXSYS_strncpy(err_msg_ptr, "Decode Error", GIF_MAX_ERROR_SIZE - 1);
+      return 0;
+    }
     code_store |= (*next_in++) << bits_left;
     avail_in--;
     bits_left += 8;
-- 
cgit v1.2.3
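Review bot: The new `bits_left > 31` guard rules out a shift count at or beyond the operand width, but the shift on the next line, `(*next_in++) << bits_left`, still operates on a uint8_t promoted to int, so for bits_left in 24..31 a byte with its high bit set yields a value not representable in int, which is undefined behaviour in C++17. Widening the operand before the shift closes that gap: `code_store |= static_cast<uint32_t>(*next_in++) << bits_left;`. The type of code_store is not visible in the hunk; if it is a 32-bit accumulator, a shift by 25..31 also silently drops the top bits of the byte rather than reporting a decode error, so the bound may need to be tighter than 31 (presumably 24) — worth confirming against the declaration. A short comment on the guard, such as `// A full byte must fit above the pending bits; otherwise the input stream is malformed.`, would record why 31 was chosen. CGifLZWDecoder::Decode begins before and continues after this hunk.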