Commit bdd3acbd authored by Robert Ancell

gif: Fix LZW decoder accepting invalid LZW code.

The code value after a reset wasn't being validated, which means we would
accept invalid codes. This could cause an infinite loop in the decoder.

Fixes CVE-2020-29385

Fixes #164
parent 3c6779c3
......@@ -195,19 +195,20 @@ lzw_decoder_feed (LZWDecoder *self,
if (self->last_code != self->clear_code && self->code_table_size < MAX_CODES) {
if (self->code < self->code_table_size)
add_code (self, self->code);
else if (self->code == self->code_table_size)
else
add_code (self, self->last_code);
else {
/* Invalid code received - just stop here */
self->last_code = self->eoi_code;
return output_length;
}
/* When table is full increase code size */
if (self->code_table_size == (1 << self->code_size) && self->code_size < LZW_CODE_MAX)
self->code_size++;
}
/* Invalid code received - just stop here */
if (self->code >= self->code_table_size) {
self->last_code = self->eoi_code;
return output_length;
}
/* Convert codeword into indexes */
n_written += write_indexes (self, output + n_written, output_length - n_written);
}
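Review bot: The validity check `if (self->code >= self->code_table_size)` now sits after the branch that calls `add_code`, so it only rejects the right codes if `add_code` has already grown `code_table_size`, and an out-of-range code still passes through `add_code (self, self->last_code)` before it is refused. That ordering appears to be what lets the legitimate `self->code == self->code_table_size` case through while also covering the first code after a clear, but nothing in the hunk says so. A short comment on the check, or rejecting `self->code > self->code_table_size` before the table is touched, would make the invariant explicit. It is also worth confirming that `return output_length` is the intended result on this path, since the normal path accounts for output through `n_written`, and adding a regression test that feeds an out-of-range code directly after a clear code.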
......