From 498d2fd6fcb70c37a127c603084d219e039c5973 Mon Sep 17 00:00:00 2001
From: bae
Date: Fri, 6 Mar 2009 12:40:38 +0300
Subject: [PATCH] 6804997: JWS GIF Decoding Heap Corruption [V-r687oxuocp]

Reviewed-by: prr
---
 src/share/native/sun/awt/giflib/dgif_lib.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/share/native/sun/awt/giflib/dgif_lib.c b/src/share/native/sun/awt/giflib/dgif_lib.c
index be91d3e78..f20372fe9 100644
--- a/src/share/native/sun/awt/giflib/dgif_lib.c
+++ b/src/share/native/sun/awt/giflib/dgif_lib.c
@@ -722,6 +722,10 @@ DGifSetupDecompress(GifFileType * GifFile) {
 GifFilePrivateType *Private = (GifFilePrivateType *)GifFile->Private;
 READ(GifFile, &CodeSize, 1); /* Read Code size from file. */
+ if (CodeSize >= 12) {
+ /* Invalid initial code size: report failure */
+ return GIF_ERROR;
+ }
 BitsPerPixel = CodeSize;
 Private->Buf[0] = 0; /* Input Buffer empty. */
@@ -964,10 +968,13 @@ DGifDecompressInput(GifFileType * GifFile,
 /* If code cannot fit into RunningBits bits, must raise its size. Note
 * however that codes above 4095 are used for special signaling. */
- if (++Private->RunningCode > Private->MaxCode1 &&
- Private->RunningBits < LZ_BITS) {
- Private->MaxCode1 <<= 1;
- Private->RunningBits++;
+ if (++Private->RunningCode > Private->MaxCode1) {
+ if (Private->RunningBits < LZ_BITS) {
+ Private->MaxCode1 <<= 1;
+ Private->RunningBits++;
+ } else {
+ Private->RunningCode = Private->MaxCode1;
+ }
 }
 return GIF_OK;
 }
-- 
GitLab
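Review bot: The new guard in DGifSetupDecompress rejects only CodeSize >= 12, yet a GIF image carries at most 8 bits per pixel and the LZW minimum code size cannot meaningfully be below 2, so 0, 1 and 9..11 are still accepted into BitsPerPixel and the rest of the decoder has to cope with them; the same early return could reject the whole out-of-spec range with `if (CodeSize < 2 || CodeSize > 8) {`, provided the in-tree encoders never emit those values. The READ result on the line above is still unchecked, so on a short read CodeSize presumably keeps whatever value it held before (its declaration is outside the hunk) and the guard then tests garbage rather than failing the read. Other failure paths in this file presumably record an error code before returning GIF_ERROR; if so, this return should do the same so a caller can tell a malformed code size from a read failure. The body of DGifSetupDecompress continues past the hunk.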
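Review bot: The else branch added to DGifDecompressInput pins RunningCode at MaxCode1 once RunningBits has reached LZ_BITS, but nothing in the hunk says why holding the value is the correct response rather than reporting an error, and the comment above the if still describes only the raise-size case. Streams that keep emitting codes after the table is full without a clear code are something decoders conventionally tolerate, so the clamp looks intended to keep the table index the caller derives from RunningCode from growing unboundedly; that invariant should be stated at the line that enforces it, e.g. `/* Table full and no clear code seen: hold RunningCode at MaxCode1 so the caller's table index never exceeds the table. */`. The table writes this bound protects are in the caller, outside the hunk, so the sufficiency of the clamp cannot be checked from here. DGifDecompressInput begins before the hunk.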