6804997: JWS GIF Decoding Heap Corruption [V-r687oxuocp]
authorbae
Fri, 06 Mar 2009 12:40:38 +0300
changeset 2611 c22bf553c819
parent 2610 9856ea68e32b
child 2612 d7fb0809c7e4
child 2613 9e48ff9b5638
child 2615 be2f497eb537
child 2617 4e94fb04861b
child 2619 cc0bbd192d1a
child 2621 78567495e352
6804997: JWS GIF Decoding Heap Corruption [V-r687oxuocp] Reviewed-by: prr
jdk/src/share/native/sun/awt/giflib/dgif_lib.c
--- a/jdk/src/share/native/sun/awt/giflib/dgif_lib.c	Thu Mar 05 19:36:51 2009 +0300
+++ b/jdk/src/share/native/sun/awt/giflib/dgif_lib.c	Fri Mar 06 12:40:38 2009 +0300
@@ -722,6 +722,10 @@
     GifFilePrivateType *Private = (GifFilePrivateType *)GifFile->Private;
 
     READ(GifFile, &CodeSize, 1);    /* Read Code size from file. */
+    if (CodeSize >= 12) {
+        /* Invalid initial code size: report failure */
+        return GIF_ERROR;
+    }
     BitsPerPixel = CodeSize;
 
     Private->Buf[0] = 0;    /* Input Buffer empty. */
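Review bot: The new guard compares against a bare `12` although the same limit is spelled `LZ_BITS` in the second hunk of this change (`Private->RunningBits < LZ_BITS`); writing it as `if (CodeSize >= LZ_BITS) {` keeps the two bounds tied together. The bound is also looser than the format allows: a GIF LZW minimum code size above 8 cannot describe a valid palette, so `if (CodeSize > 8)` would be the spec-level check — I have not confirmed whether code sizes 9..11 are tolerated by the rest of this function, so treat that as a suggestion to verify. Separately, the `READ(GifFile, &CodeSize, 1)` on the line above is not checked; if READ reports a short read through its return value, CodeSize (declared above the hunk) would be compared while indeterminate, and `if (READ(GifFile, &CodeSize, 1) != 1) return GIF_ERROR;` would close that gap. The enclosing function starts and ends outside the hunk.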
@@ -964,10 +968,13 @@
 
     /* If code cannot fit into RunningBits bits, must raise its size. Note
      * however that codes above 4095 are used for special signaling.  */
-    if (++Private->RunningCode > Private->MaxCode1 &&
-        Private->RunningBits < LZ_BITS) {
-        Private->MaxCode1 <<= 1;
-        Private->RunningBits++;
+    if (++Private->RunningCode > Private->MaxCode1) {
+        if (Private->RunningBits < LZ_BITS) {
+            Private->MaxCode1 <<= 1;
+            Private->RunningBits++;
+        } else {
+            Private->RunningCode = Private->MaxCode1;
+        }
     }
     return GIF_OK;
 }
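Review bot: The new `else` branch pins RunningCode to MaxCode1 without saying why, and the existing comment above it still only explains the growth case; a one-line comment such as `/* Code table is full at LZ_BITS: stop advancing so RunningCode cannot index past the code tables. */` would record the intent of the clamp. Presumably the consumer of RunningCode in the decompress loop (outside this hunk) indexes Prefix/Suffix by `RunningCode - 2`, which is why letting it run past 4096 mattered; that is inferred, not visible here, so confirm it when wording the comment. Note that a stream which fills the table and never sends a clear code is now decoded silently rather than rejected; if that is deliberate, the comment should say so. The enclosing function begins outside the hunk.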