1dc750
From: Jan Wielemaker <j.wielemaker@cs.vu.nl>
1dc750
Date: Thu, 18 Aug 2011 14:26:44 +0000 (+0200)
1dc750
Subject: SECURITY: Bug#7: More gif-read fixes.
1dc750
X-Git-Url: http://www.swi-prolog.org/packages/xpce.git/commitdiff_plain/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
1dc750
1dc750
SECURITY: Bug#7: More gif-read fixes.
1dc750
1dc750
Incorporated additional patches from http://cups.org/str.php?L3914
1dc750
---
1dc750
1dc750
diff --git a/src/img/gifread.c b/src/img/gifread.c
1dc750
index a12a2d8..3b8a743 100644
1dc750
--- a/src/img/gifread.c
1dc750
+++ b/src/img/gifread.c
1dc750
@@ -466,7 +466,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
1dc750
       firstcode = oldcode = GetCode(fd, code_size, FALSE);
1dc750
     }
1dc750
     while (firstcode == clear_code);
1dc750
-    return firstcode;
1dc750
+    return (firstcode&255);
1dc750
   }
1dc750
   if (sp > stack)
1dc750
     return *--sp;
1dc750
@@ -505,11 +505,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
1dc750
     incode = code;
1dc750
 
1dc750
     if (code == max_code)
1dc750
-    {
1dc750
-      *sp++ = firstcode;
1dc750
+    { if ( sp < stack+sizeof(stack) )	/* stack is UCHAR */
1dc750
+	*sp++ = firstcode;
1dc750
       code = oldcode;
1dc750
     }
1dc750
-    while (code >= clear_code)
1dc750
+    while (code >= clear_code && sp < stack+sizeof(stack) )
1dc750
     {
1dc750
       *sp++ = vals[code];
1dc750
       if (code == (int) next[code])
1dc750
@@ -520,7 +520,8 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
1dc750
       code = next[code];
1dc750
     }
1dc750
 
1dc750
-    *sp++ = firstcode = vals[code];
1dc750
+    if ( sp < stack+sizeof(stack) )
1dc750
+      *sp++ = firstcode = vals[code];
1dc750
 
1dc750
     if ((code = max_code) < (1 << MAX_LZW_BITS))
1dc750
     {