49 lines
1.5 KiB
Diff
49 lines
1.5 KiB
Diff
From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
|
|
Date: Thu, 18 Aug 2011 14:26:44 +0000 (+0200)
|
|
Subject: SECURITY: Bug#7: More gif-read fixes.
|
|
X-Git-Url: http://www.swi-prolog.org/packages/xpce.git/commitdiff_plain/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
|
|
|
|
SECURITY: Bug#7: More gif-read fixes.
|
|
|
|
Incorporated additional patches from http://cups.org/str.php?L3914
|
|
---
|
|
|
|
diff --git a/src/img/gifread.c b/src/img/gifread.c
|
|
index a12a2d8..3b8a743 100644
|
|
--- a/src/img/gifread.c
|
|
+++ b/src/img/gifread.c
|
|
@@ -466,7 +466,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
|
|
firstcode = oldcode = GetCode(fd, code_size, FALSE);
|
|
}
|
|
while (firstcode == clear_code);
|
|
- return firstcode;
|
|
+ return (firstcode&255);
|
|
}
|
|
if (sp > stack)
|
|
return *--sp;
|
|
@@ -505,11 +505,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
|
|
incode = code;
|
|
|
|
if (code == max_code)
|
|
- {
|
|
- *sp++ = firstcode;
|
|
+ { if ( sp < stack+sizeof(stack) ) /* stack is UCHAR */
|
|
+ *sp++ = firstcode;
|
|
code = oldcode;
|
|
}
|
|
- while (code >= clear_code)
|
|
+ while (code >= clear_code && sp < stack+sizeof(stack) )
|
|
{
|
|
*sp++ = vals[code];
|
|
if (code == (int) next[code])
|
|
@@ -520,7 +520,8 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
|
|
code = next[code];
|
|
}
|
|
|
|
- *sp++ = firstcode = vals[code];
|
|
+ if ( sp < stack+sizeof(stack) )
|
|
+ *sp++ = firstcode = vals[code];
|
|
|
|
if ((code = max_code) < (1 << MAX_LZW_BITS))
|
|
{
|
