diff options
author | John-Mark Bell <jmb@netsurf-browser.org> | 2015-11-21 11:35:05 +0000 |
---|---|---|
committer | John-Mark Bell <jmb@netsurf-browser.org> | 2015-11-21 11:35:05 +0000 |
commit | 088fa0819f1aeaf212a95caf7393a38c1640b5f0 (patch) | |
tree | fc747052a553eb1ea117e285f5810a18975899d9 /src | |
parent | a268d2c15252ac58c19f1b19771822c66bcf73b2 (diff) | |
download | libnsgif-088fa0819f1aeaf212a95caf7393a38c1640b5f0.tar.gz libnsgif-088fa0819f1aeaf212a95caf7393a38c1640b5f0.tar.bz2 |
Ensure code is valid before use.
Issue-reported-by: Hans Jerry Illikainen
Diffstat (limited to 'src')
-rw-r--r-- | src/libnsgif.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/libnsgif.c b/src/libnsgif.c index 4e45c50..87371f2 100644 --- a/src/libnsgif.c +++ b/src/libnsgif.c @@ -1221,7 +1221,8 @@ static bool gif_next_LZW(gif_animation *gif) { * * Note: our stack is always big enough to hold a complete decompressed chunk. */ while (code >= clear_code) { - if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) { + if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2) || + code >= (1 << GIF_MAX_LZW)) { gif->current_error = GIF_FRAME_DATA_ERROR; return false; } @@ -1232,7 +1233,8 @@ static bool gif_next_LZW(gif_animation *gif) { break; } - if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) { + if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2) || + new_code >= (1 << GIF_MAX_LZW)) { gif->current_error = GIF_FRAME_DATA_ERROR; return false; } |