From 6b71f22093fc4abb2da39f5a58b29c45c17ff99a Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Mon, 16 Jan 2017 13:27:06 -0500
Subject: Return early when gif_img_row_bytes is 0

We can get into a loop when gif_img_row_bytes is 0 since Decode will return 3 when the second parameter is 0, and there is a while(ret!=0).
BUG=681170
Change-Id: I63502a8487c07030fce2373f74cec6b4f0c98297
Reviewed-on: https://pdfium-review.googlesource.com/2211
Reviewed-by: dsinclair
Commit-Queue: dsinclair
---
 core/fxcodec/lgif/fx_gif.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp
index 43a6460428..93db181a98 100644
--- a/core/fxcodec/lgif/fx_gif.cpp
+++ b/core/fxcodec/lgif/fx_gif.cpp
@@ -841,6 +841,10 @@ int32_t gif_load_frame(gif_decompress_struct_p gif_ptr, int32_t frame_num) {
 uint32_t skip_size_org = gif_ptr->skip_size;
 GifImage* gif_image_ptr = (*gif_ptr->img_ptr_arr_ptr)[frame_num];
 uint32_t gif_img_row_bytes = gif_image_ptr->image_info_ptr->width;
+ if (gif_img_row_bytes == 0) {
+ gif_error(gif_ptr, "Error Invalid Number of Row Bytes");
+ return 0;
+ }
 if (gif_ptr->decode_status == GIF_D_STATUS_TAIL) {
 if (gif_image_ptr->image_row_buf) {
 FX_Free(gif_image_ptr->image_row_buf);
--
cgit v1.2.3
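Review bot: The added `if (gif_img_row_bytes == 0)` guard closes only the zero-width route into the decode loop. Going by the commit message, the underlying hazard is a `while(ret!=0)` loop that never ends once Decode returns 3, and that loop lies outside this hunk. I would also make the loop treat that return code as a terminal error, so that any other path reaching Decode with a zero size fails cleanly instead of spinning on untrusted GIF data. The guard deserves a why-comment such as `// A zero width makes Decode() return 3 on every call, so the decode loop never ends.`, and since the diffstat shows no test file, a regression case with a zero-width frame for BUG=681170 is worth adding. gif_load_frame begins before and continues past the hunk, so what a return value of 0 means to callers should be confirmed against the rest of the function.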