6804997: JWS GIF Decoding Heap Corruption [V-r687oxuocp]

Reviewed-by: prr

6804997: JWS GIF Decoding Heap Corruption [V-r687oxuocp]
Reviewed-by: prr
498d2fd6 · bae · 1447a514 · 498d2fd6
隐藏空白更改
内联并排

Showing with 11 addition and 4 deletion

src/share/native/sun/awt/giflib/dgif_lib.c src/share/native/sun/awt/giflib/dgif_lib.c +11 -4

未找到文件。
--- a/src/share/native/sun/awt/giflib/dgif_lib.c
+++ b/src/share/native/sun/awt/giflib/dgif_lib.c
@@ -722,6 +722,10 @@ DGifSetupDecompress(GifFileType * GifFile) {
    GifFilePrivateType *Private = (GifFilePrivateType *)GifFile->Private;
    READ(GifFile, &CodeSize, 1);    /* Read Code size from file. */
+    if (CodeSize >= 12) {
+        /* Invalid initial code size: report failure */
+        return GIF_ERROR;
+    }
    BitsPerPixel = CodeSize;
    Private->Buf[0] = 0;    /* Input Buffer empty. */
@@ -964,10 +968,13 @@ DGifDecompressInput(GifFileType * GifFile,
    /* If code cannot fit into RunningBits bits, must raise its size. Note
     * however that codes above 4095 are used for special signaling.  */
-    if (++Private->RunningCode > Private->MaxCode1 &&
+    if (++Private->RunningCode > Private->MaxCode1) {
-        Private->RunningBits < LZ_BITS) {
+        if (Private->RunningBits < LZ_BITS) {
-        Private->MaxCode1 <<= 1;
+            Private->MaxCode1 <<= 1;
-        Private->RunningBits++;
+            Private->RunningBits++;
+        } else {
+            Private->RunningCode = Private->MaxCode1;
+        }
    }
    return GIF_OK;
 }