From 088fa0819f1aeaf212a95caf7393a38c1640b5f0 Mon Sep 17 00:00:00 2001
From: John-Mark Bell
Date: Sat, 21 Nov 2015 11:35:05 +0000
Subject: Ensure code is valid before use.

Issue-reported-by: Hans Jerry Illikainen
---
 src/libnsgif.c | 6 ++++--
 test/data/lzwoob.gif | Bin 0 -> 40 bytes
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 test/data/lzwoob.gif

diff --git a/src/libnsgif.c b/src/libnsgif.c
index 4e45c50..87371f2 100644
--- a/src/libnsgif.c
+++ b/src/libnsgif.c
@@ -1221,7 +1221,8 @@ static bool gif_next_LZW(gif_animation *gif) {
 *
 * Note: our stack is always big enough to hold a complete decompressed chunk. */
 while (code >= clear_code) {
- if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2) ||
+ code >= (1 << GIF_MAX_LZW)) {
 gif->current_error = GIF_FRAME_DATA_ERROR;
 return false;
 }
@@ -1232,7 +1233,8 @@ static bool gif_next_LZW(gif_animation *gif) {
 break;
 }
 
- if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2) ||
+ new_code >= (1 << GIF_MAX_LZW)) {
 gif->current_error = GIF_FRAME_DATA_ERROR;
 return false;
 }
diff --git a/test/data/lzwoob.gif b/test/data/lzwoob.gif
new file mode 100644
index 0000000..c0c03b5
Binary files /dev/null and b/test/data/lzwoob.gif differ
-- 
cgit v1.2.3
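Review bot: The added `code >= (1 << GIF_MAX_LZW)` test in the first guard of the `while (code >= clear_code)` loop, and the matching `new_code` test in the second hunk, compare against a fixed capacity rather than against the number of dictionary entries defined so far in the stream. Assuming the LZW table holds `1 << GIF_MAX_LZW` entries (its declaration is not in the hunk), this keeps the index inside the array, but a code above the current dictionary size would presumably still read entries this stream never wrote, so it is worth confirming that such codes are rejected where they are read from the data. The new condition also has no comment and shares the stack-exhaustion branch, while the existing note above the loop speaks only of the stack; I would add `/* code indexes the LZW table: reject values beyond its (1 << GIF_MAX_LZW) entries */` above each guard. The two guards are now the same four lines apart from the variable name, so a named constant for `(1 << GIF_MAX_LZW)` would keep them in step. gif_next_LZW starts and ends outside both hunks, so the statements that use `code` and `new_code` as indices are not visible here.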