author | John-Mark Bell <jmb@netsurf-browser.org> | 2015-11-21 11:24:56 +0000 |
---|---|---|
committer | John-Mark Bell <jmb@netsurf-browser.org> | 2015-11-21 11:24:56 +0000 |
commit | a268d2c15252ac58c19f1b19771822c66bcf73b2 (patch) | |
tree | 32145dce45e7698004313e5a7be9ce547f5307dc /src | |
parent | 5446c3c056f30d98c725e1899a92e104ad70c7e0 (diff) | |
Ensure LZW decode stack does not overflow.
Issue-reported-by: Hans Jerry Illikainen
Diffstat (limited to 'src')
-rw-r--r-- | src/libnsgif.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/libnsgif.c b/src/libnsgif.c
index 0047ee0..4e45c50 100644
--- a/src/libnsgif.c
+++ b/src/libnsgif.c
@@ -1208,6 +1208,10 @@ static bool gif_next_LZW(gif_animation *gif) {
 incode = code;
 if (code >= max_code) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
 *stack_pointer++ = firstcode;
 code = oldcode;
 }
@@ -1217,12 +1221,21 @@ static bool gif_next_LZW(gif_animation *gif) {
 *
 * Note: our stack is always big enough to hold a complete decompressed chunk. */
 while (code >= clear_code) {
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
 *stack_pointer++ = table[1][code];
 new_code = table[0][code];
 if (new_code < clear_code) {
 code = new_code;
 break;
 }
+
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
 *stack_pointer++ = table[1][new_code];
 code = table[0][new_code];
 if (code == new_code) {
@@ -1231,6 +1244,10 @@ static bool gif_next_LZW(gif_animation *gif) {
 }
 }
+ if (stack_pointer >= stack + ((1 << GIF_MAX_LZW) * 2)) {
+ gif->current_error = GIF_FRAME_DATA_ERROR;
+ return false;
+ }
 *stack_pointer++ = firstcode = table[1][code];
 if ((code = max_code) < (1 << GIF_MAX_LZW)) { |
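Review bot: The limit `stack + ((1 << GIF_MAX_LZW) * 2)` is spelled out by hand in this guard and again in the four checks added by the two later hunks, so each one is only correct while it matches the declared size of `stack`, which is not visible in this diff. Since these writes are driven by codes from the image data, a mismatch after a later resize would silently reopen the overflow. I would derive the bound once from the array itself, for example `#define LZW_STACK_END (stack + sizeof(stack) / sizeof(stack[0]))` (a constructed name, and only valid if `stack` is a true array rather than a pointer), and test `if (stack_pointer >= LZW_STACK_END)` at all five sites. The body of gif_next_LZW starts and ends outside the hunk.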
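Review bot: The context comment directly above the `while (code >= clear_code)` loop still states `our stack is always big enough to hold a complete decompressed chunk`, which the two bounds checks added in this hunk contradict for malformed input. I would reword it along the lines of `Note: a well-formed stream never overfills the stack; the checks below reject corrupt data.` so the next reader does not remove the guards as redundant. The `code == new_code` test at the end of the hunk appears to catch only a table entry that refers to itself, so a longer cycle in the table is now ended by the stack bound rather than detected directly; a one-line comment saying so would help. The loop body continues outside the hunk.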