Blob Blame Raw
From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
Date: Thu, 18 Aug 2011 14:26:44 +0000 (+0200)
Subject: SECURITY: Bug#7: More gif-read fixes.
X-Git-Url: http://www.swi-prolog.org/packages/xpce.git/commitdiff_plain/30fbc4e030cbef5871e1b96c31458116ce3e2ee8

SECURITY: Bug#7: More gif-read fixes.

Incorporated additional patches from http://cups.org/str.php?L3914
---

diff --git a/src/img/gifread.c b/src/img/gifread.c
index a12a2d8..3b8a743 100644
--- a/src/img/gifread.c
+++ b/src/img/gifread.c
@@ -466,7 +466,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
       firstcode = oldcode = GetCode(fd, code_size, FALSE);
     }
     while (firstcode == clear_code);
-    return firstcode;
+    return (firstcode&255);
   }
   if (sp > stack)
     return *--sp;
@@ -505,11 +505,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
     incode = code;
 
     if (code == max_code)
-    {
-      *sp++ = firstcode;
+    { if ( sp < stack+sizeof(stack) )	/* stack is UCHAR */
+	*sp++ = firstcode;
       code = oldcode;
     }
-    while (code >= clear_code)
+    while (code >= clear_code && sp < stack+sizeof(stack) )
     {
       *sp++ = vals[code];
       if (code == (int) next[code])
@@ -520,7 +520,8 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
       code = next[code];
     }
 
-    *sp++ = firstcode = vals[code];
+    if ( sp < stack+sizeof(stack) )
+      *sp++ = firstcode = vals[code];
 
     if ((code = max_code) < (1 << MAX_LZW_BITS))
     {