From b8e00f24780335cdd068565f39d2874c81e799b9 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Mon, 1 May 2017 11:26:41 -0400
Subject: Fix CGifLZWDecoder::Decode comparison
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Only use code_end to finish the decoding. Remove ASSERT from DecodeString since it may be triggered. The following if statement handles that case anyways.
Bug: pdfium:707
Change-Id: Id6ec3c66d0e43c46308b4c3416da6c482ceafc69
Reviewed-on: https://pdfium-review.googlesource.com/4670
Reviewed-by: dsinclair
Commit-Queue: Nicolás Peña
---
 core/fxcodec/lgif/fx_gif.cpp | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp
index 3d5d0e2325..8c9955f702 100644
--- a/core/fxcodec/lgif/fx_gif.cpp
+++ b/core/fxcodec/lgif/fx_gif.cpp
@@ -61,10 +61,9 @@ void CGifLZWDecoder::ClearTable() {
 void CGifLZWDecoder::DecodeString(uint16_t code) {
 stack_size = 0;
 while (true) {
- ASSERT(code <= code_next);
- if (code < code_clear || code > code_next) {
+ if (code < code_clear || code > code_next)
 break;
- }
+
 stack[GIF_MAX_LZW_CODE - 1 - stack_size++] = code_table[code].suffix;
 code = code_table[code].prefix;
 }
@@ -135,7 +134,7 @@ int32_t CGifLZWDecoder::Decode(uint8_t* des_buf, uint32_t& des_size) {
 if (code == code_clear) {
 ClearTable();
 continue;
- } else if (code >= code_end) {
+ } else if (code == code_end) {
 des_size = i;
 return 1;
 } else {
-- cgit v1.2.3
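Review bot: With the ASSERT gone, nothing in DecodeString records that `code > code_next` is an expected malformed-input case, and the value that breaks out of the loop is still passed to whatever follows the loop, which lies outside this hunk. A short comment on the guard would keep the reasoning, for example `// Codes above code_next come from malformed data; stop before indexing code_table.` The write `stack[GIF_MAX_LZW_CODE - 1 - stack_size++]` also has no visible bound on `stack_size`. It presumably relies on every prefix chain in code_table dropping below code_clear within GIF_MAX_LZW_CODE steps, so that invariant is worth stating here or checking in the caller.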
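Review bot: Codes greater than code_end no longer end decoding in Decode and instead reach the `else` branch, whose body starts on the hunk's last line and continues outside it, so the range check against code_next that keeps DecodeString's table reads in bounds cannot be confirmed from here. The diffstat lists only fx_gif.cpp, so no regression test accompanies the fix for pdfium:707. A corpus test with a GIF whose LZW stream carries a code above code_next would pin both this comparison and the path the removed ASSERT used to cover. A one-line comment such as `// Only the end-of-information code terminates the stream; larger codes are dictionary entries.` would also explain why `==` is required.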