From 34f8e1fd650883c8107d925a6c6b87090d52d278 Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Mon, 15 May 2017 10:59:07 -0400 Subject: Gif: error out on invalid code sizes From the Gif spec: 'The output codes are of variable length, starting at +1 bits per code, up to 12 bits per code. This defines a maximum code value of 4095 (0xFFF).' 'Because the LZW compression used for GIF creates a series of variable length codes, of between 3 and 12 bits each' Bug: chromium:722115 Change-Id: Ic9cff99e6012195a6b5173693b029dc710285688 Reviewed-on: https://pdfium-review.googlesource.com/5490 Commit-Queue: dsinclair Reviewed-by: dsinclair --- core/fxcodec/lgif/fx_gif.cpp | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'core/fxcodec') diff --git a/core/fxcodec/lgif/fx_gif.cpp b/core/fxcodec/lgif/fx_gif.cpp index dd80dc65f7..0b56f3a509 100644 --- a/core/fxcodec/lgif/fx_gif.cpp +++ b/core/fxcodec/lgif/fx_gif.cpp @@ -220,7 +220,7 @@ CGifLZWDecoder::~CGifLZWDecoder() {} void CGifLZWDecoder::InitTable(uint8_t code_len) { code_size = code_len; - ASSERT(code_size < 32); + ASSERT(code_size < 13); code_clear = 1 << code_size; code_end = code_clear + 1; bits_left = 0; @@ -244,10 +244,7 @@ void CGifLZWDecoder::ClearTable() { void CGifLZWDecoder::DecodeString(uint16_t code) { stack_size = 0; - while (true) { - if (code < code_clear || code > code_next) - break; - + while (code >= code_clear && code <= code_next) { stack[GIF_MAX_LZW_CODE - 1 - stack_size++] = code_table[code].suffix; code = code_table[code].prefix; } @@ -553,7 +550,7 @@ GifDecodeStatus gif_load_frame(CGifContext* context, int32_t frame_num) { return GifDecodeStatus::Error; } } - if (gif_image_ptr->image_code_size >= 32) { + if (gif_image_ptr->image_code_size >= 13) { gif_image_ptr->m_ImageRowBuf.clear(); context->ThrowError("Error Invalid Code Size"); NOTREACHED(); -- cgit v1.2.3