fix fuzzer error

see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32638
This commit is contained in:
John Cupitt 2021-03-29 09:19:14 +01:00
parent 77ccd04cbe
commit 9f15567f2c
2 changed files with 29 additions and 1 deletions


@ -160,6 +160,7 @@ static inline lzw_result lzw__next_code(
uint32_t code = 0;
uint8_t current_bit = ctx->sb_bit & 0x7;
uint8_t byte_advance = (current_bit + code_size) >> 3;
uint32_t new_code;
assert(byte_advance <= 2);
@ -209,7 +210,11 @@ static inline lzw_result lzw__next_code(
}
}
*code_out = (code >> current_bit) & ((1 << code_size) - 1);
new_code = (code >> current_bit) & ((1 << code_size) - 1);
if (new_code > ((1 << LZW_CODE_MAX) - 1))
return LZW_BAD_CODE;
*code_out = new_code;
return LZW_OK;
}
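Review bot: The new check `if (new_code > ((1 << LZW_CODE_MAX) - 1))` can only fire when code_size is larger than LZW_CODE_MAX, because the mask `((1 << code_size) - 1)` on the preceding line already limits new_code to code_size bits, so the commit reacts to the symptom after the oversized shifts have already been evaluated rather than rejecting the bad code_size itself. If code_size can reach such a value, a guard before any shift, e.g. `if (code_size > LZW_CODE_MAX) return LZW_BAD_CODE;` next to the `assert(byte_advance <= 2)` in the first hunk, would make the failure mode explicit, and unlike the assert it would still hold in builds compiled with NDEBUG. This assumes LZW_CODE_MAX is the maximum code width in bits, which is not visible here; lzw__next_code's signature and the start of its body lie outside the hunk. Either way, a short why-comment on the new check, `/* reject a code wider than LZW_CODE_MAX bits instead of passing it on */`, would record the reason the check was added (the second file section repeats this same change as a patch file).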


@ -0,0 +1,23 @@
--- lzw-orig.c 2021-03-29 09:16:40.730562757 +0100
+++ lzw.c 2021-03-29 09:16:30.390679354 +0100
@@ -160,6 +160,7 @@
uint32_t code = 0;
uint8_t current_bit = ctx->sb_bit & 0x7;
uint8_t byte_advance = (current_bit + code_size) >> 3;
+ uint32_t new_code;
assert(byte_advance <= 2);
@@ -209,7 +210,11 @@
}
}
- *code_out = (code >> current_bit) & ((1 << code_size) - 1);
+ new_code = (code >> current_bit) & ((1 << code_size) - 1);
+ if (new_code > ((1 << LZW_CODE_MAX) - 1))
+ return LZW_BAD_CODE;
+ *code_out = new_code;
+
return LZW_OK;
}