From 5c1673db6deae2e1858c4ffc3b3a0b79901dd827 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Wed, 25 Jan 2017 11:09:09 -0500
Subject: Calculate code_store safely in CGifLZWDecoder::Decode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG=682628
Change-Id: I8e88cc0c8392b078afb73f9549ea4dea9a5717fd
Reviewed-on: https://pdfium-review.googlesource.com/2390
Commit-Queue: Nicolás Peña
Reviewed-by: Tom Sepez
---
 core/fxcodec/lgif/fx_gif.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp
index 93db181a98..d62dacb36c 100644
--- a/core/fxcodec/lgif/fx_gif.cpp
+++ b/core/fxcodec/lgif/fx_gif.cpp
@@ -114,7 +114,17 @@ int32_t CGifLZWDecoder::Decode(uint8_t* des_buf, uint32_t& des_size) {
 FXSYS_strncpy(err_msg_ptr, "Decode Error", GIF_MAX_ERROR_SIZE - 1);
 return 0;
 }
- code_store |= (*next_in++) << bits_left;
+ pdfium::base::CheckedNumeric safe_code = *next_in++;
+ safe_code <<= bits_left;
+ safe_code |= code_store;
+ if (!safe_code.IsValid()) {
+ if (err_msg_ptr) {
+ FXSYS_strncpy(err_msg_ptr, "Code Store Out Of Range",
+ GIF_MAX_ERROR_SIZE - 1);
+ }
+ return 0;
+ }
+ code_store = safe_code.ValueOrDie();
 avail_in--;
 bits_left += 8;
 }
-- cgit v1.2.3
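Review bot: On the new failure path the input pointer has already been advanced by `*next_in++`, but the `return 0` skips `avail_in--`, so after a "Code Store Out Of Range" error the pointer and the remaining-byte count disagree by one. Whether any caller resumes decoding after a 0 return is not visible in this hunk, but keeping the pair in step is cheap: initialise `safe_code` from `*next_in` and put `++next_in;` immediately before the existing `avail_in--;`, below the validity check. The diffstat shows only fx_gif.cpp changing, so a regression input for BUG=682628 (a unit test or fuzzer corpus entry) would be worth adding with this fix. A one-line comment above the checked arithmetic saying why the plain shift was unsafe would also help the next reader, since the commit message only says "safely". Decode's body starts and ends outside the hunk.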