Bug 1413762. Check integer shift value is reasonable before using it in gif decoder. r=aosmond
authorTimothy Nikkel <tnikkel@gmail.com>
Thu, 23 Nov 2017 00:40:17 -0600
changeset 437793 fedc2d408840d81fdb3550c83121b400a2e63a0b
parent 437792 cfcbb8333389ccf2ff91176f1aecf50199be018b
child 437794 ad749012c057f562414ddac2b8d24cb1066dfd6f
child 437850 b6bed1b710c3e22cab49f22f1b5f44d80286bcb9
push id117
push userfmarier@mozilla.com
push dateTue, 28 Nov 2017 20:17:16 +0000
reviewersaosmond
bugs1413762
milestone59.0a1
Bug 1413762. Check integer shift value is reasonable before using it in gif decoder. r=aosmond
image/decoders/nsGIFDecoder2.cpp
image/decoders/nsGIFDecoder2.h
image/test/crashtests/1413762-1.gif
image/test/crashtests/crashtests.list
--- a/image/decoders/nsGIFDecoder2.cpp
+++ b/image/decoders/nsGIFDecoder2.cpp
@@ -955,18 +955,21 @@ nsGIFDecoder2::ReadImageDataBlock(const 
     if (mColormap == mGIFStruct.global_colormap) {
         mOldColor = mColormap[mGIFStruct.tpixel];
     }
     mColormap[mGIFStruct.tpixel] = 0;
   }
 
   // Initialize the LZW decoder.
   mGIFStruct.datasize = uint8_t(aData[0]);
+  if (mGIFStruct.datasize > MAX_LZW_BITS) {
+    return Transition::TerminateFailure();
+  }
   const int clearCode = ClearCode();
-  if (mGIFStruct.datasize > MAX_LZW_BITS || clearCode >= MAX_BITS) {
+  if (clearCode >= MAX_BITS) {
     return Transition::TerminateFailure();
   }
 
   mGIFStruct.avail = clearCode + 2;
   mGIFStruct.oldcode = -1;
   mGIFStruct.codesize = mGIFStruct.datasize + 1;
   mGIFStruct.codemask = (1 << mGIFStruct.codesize) - 1;
   mGIFStruct.datum = mGIFStruct.bits = 0;
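Review bot: The new early return on `mGIFStruct.datasize > MAX_LZW_BITS` has no comment explaining why it must sit above the `ClearCode()` call, and that ordering is the whole fix. `datasize` is a `uint8_t` read straight from the file, and `ClearCode()` shifts `1` by it, which is undefined once the count reaches the width of `int`; the old combined condition tested the bound only after that shift had run. I would add `// datasize is file-controlled; reject it before ClearCode() shifts by it (an oversized shift is UB).` above the new `if`. The remaining `clearCode >= MAX_BITS` test may now be unreachable, depending on how `MAX_BITS` relates to `1 << MAX_LZW_BITS`, which this page does not show, so it is worth confirming and saying so in a comment. ReadImageDataBlock starts and ends outside the hunk.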
--- a/image/decoders/nsGIFDecoder2.h
+++ b/image/decoders/nsGIFDecoder2.h
@@ -66,17 +66,20 @@ private:
   template <typename PixelSize> NextPixel<PixelSize>
   YieldPixel(const uint8_t* aData, size_t aLength, size_t* aBytesReadOut);
 
   /// Checks if we have transparency, either because the header indicates that
   /// there's alpha, or because the frame rect doesn't cover the entire image.
   bool CheckForTransparency(const gfx::IntRect& aFrameRect);
 
   // @return the clear code used for LZW decompression.
-  int ClearCode() const { return 1 << mGIFStruct.datasize; }
+  int ClearCode() const {
+    MOZ_ASSERT(mGIFStruct.datasize <= MAX_LZW_BITS);
+    return 1 << mGIFStruct.datasize;
+  }
 
   enum class State
   {
     FAILURE,
     SUCCESS,
     GIF_HEADER,
     SCREEN_DESCRIPTOR,
     GLOBAL_COLOR_TABLE,
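Review bot: `MOZ_ASSERT` in `ClearCode()` is compiled out of non-debug builds, so in release the helper still shifts by whatever `datasize` holds and relies on every caller having validated it first. Callers other than `ReadImageDataBlock` are not visible here, so the precondition belongs in the doc comment, for example `// @return the clear code used for LZW decompression. Requires datasize <= MAX_LZW_BITS.`. If any path can reach the helper before the data-block check, `MOZ_DIAGNOSTIC_ASSERT` or `MOZ_RELEASE_ASSERT` would be the stronger choice. The enclosing class starts and ends outside the hunk.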
new file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..5dd10b8f25a2d055cc9d6cfe38faf1a26ed88e6d
GIT binary patch
literal 7866
zc%1E+Wl$Sh+peK_aQBkn5TL=OSb{^K!GabK9wc}RE$&`|Td)Gfz1S}96t_Z)J1tP7
zrMvyQ_xs7bGv~)S`{$W&{e13q&$?%xYu2-7Y3XRn$=ieRz<5V^;&^y?`1tsD?%W|D
zARr_pBqAarCMG5!At5CtB_ksP0089V<P;PXl$4ZIR8-W|)HF0Sw6wHzbaeFe^b8CP
zjEsy-Oiawo%q%P{tgNhTY;5f8>>L~%oSd9@@80F&;sOGJAP|U~o12G+hnJU^kB^U^
zpI<;gKu}OnNJvOnSQrcji-?Gbii(PfiQT(*4+4RRi;GK0NJvUbN=ZpcOH0eh$jHjd
z%E`&e%gZY$DBQn)Ur|v}Nl8grSy@FzMO9T53WdU8Ff}zbb#-+O4Gm3AO)V`gZEbBG
z9UWa=T|GTLI2^98uWw*r@ZiA%1Oj1bXlP_)WNd6~Vq#)yYKlZ6&CJZq&CM+=EG#W8
zt*or9t*swEd}w21V{2<`XJ=<`Z|~sX;OOY+<m7}xp`4waU0hsTU0vPW+}z#WJv=--
zJw4HAw3nBcx3{;CkB_gfF9w70^Yiof_YVjN2n-Ai3JMAi4h{(kdGzSf<HwIfLqo&D
z!k#>N^7QG`@bK`6h=|C@$f&5O=;-K}n3&ku*tod3`1tsQgoMPz#H6I8<mBX(l$6xe
z)U>p;^z`(MjEv08%xBM@Wo2byvDobF?3|pO+}zx}yuAGU{DOjl!otF$qN3vB;*ye*
z($Z2K4p&xIR$g9SQBhG@Sy@$8_5Ats>gwv6nwr|$+7~Zg)YaA1*Vi{RG&D9gHZ?Uh
zH#fJmw6wOiwzajjx3_n6baZxhc6D{VeEG7wySt~Sr?<DaudlDazyFUv{&@B3)xf~O
z;NalU(9rPk@W{x>=;-L!*x2~^_{7A-<mBYk)YSC!^vul6?Ck98*RSX1=H}<;7Zw&4
z7Z;b7mX?>7S5{V5S6A28*4Ee8H#Rojym_;^xw*Bq_4e)CckkY9Z*TAH?CkFD?(OaE
z@9!TR92_1V9vvMWA0MBboSdGXo}HbYpPye`T)cn({=<h4mzS4US6A29*B?KA{PgM5
z=g*(NeEIVA>(`r`n{VH~egFRb_V)J2j~{>j`RC7{KY#uD1^Pv9pkZRH21RH{h(QSO
z4+-!<-w4U@@qXcn;QhV8c;Tc!@P3hTXg8G(M3K@9OS!`1hvM4ZMGNE8jZ!&aV(v?V
z8D(0@)N0O~!Oi7kQQXF{ym>?W6HniA2-B8TRL$gZTXa{*#U9R-$ojb_+n-l3mB_R&
znbhvP&c*R28Tfa%xtUg)KZS8_c-S{qm^C}2-2D#bVq{0$EvB;3#&yb_hw-#LptX+R
zkCtKG;-hTQ_E)L%66PN^S}<p9y>9}O_r}t$WK!;5J0x=?Ew_aAI>V1<Q~8Vo<V>z!
ziATskwi()xbn0}X?`hju6F+;?1!Y!F?vmJw7|mX>>2prKlJDZ_5q-1j?=v%;!KL!#
z{->R_3Q;}AJ4)SGO1FzItm2Yd+h`)BmN&%uiGLJ--Of0(v5~y`_VmP~Rk=TI?(u28
z4$>Cox0UnOD!P7@D-=&yi^+gz9%UEQDJn-2yn7*I5f;WOxM^9)IK~xT+WtAq`>RqM
z(7q(WmE&=}P^X!LIvE288c5g4l`IaBvvVUP$}UY^##VzI!VF;uusvnfhD(Dy*_-h7
znfA3fc~}*neG^Ed6iXyt$(m#JKARESkI%pF3``7kuq9o_tR{vOt+N-Bfnv(-+qPJD
z!a}M7OiQQ%C{~R}i4zZvY_j77%24<k%WxV8{}nxn6N`6M&TbXMdIYp(bkRlb`;^s0
zHBQx<EJiqY8UbL&7ZlZpuI_Yk%F5^$^}S_mH2+S?UzaJ#zf)p8-h>;9qv6pl)P7K)
zk@V?U-&6a6xrnYZES7iwWJ@z9nG||Ot6nh<e9Xdk-y)r^04V2o=zl^0C~%WH5eGy@
z3ucyU1YB?4@pq6A)XdOTs+HQOl-b|~fQ1<Wbd9!^?-|Gh&eVJn88C~Uz$vpP6W_#M
zLt<{8c0|Yi%nP#*8;$A*mZ-hCMZ-obI<QTloXA49pO831;;`u6FiOmf_<qN8otUoF
zFQ(R2Z70)-zlZ}vqA~`9qTh<i%*4)|j6AKGjrsVkRHhN#nbn|Q*mW}e@|h)NB-p;L
zv2}_jPHijLZ6xjJtq&H$V6|}DzSD#==>HP%hcD<Iu;R)teS5GnO~Cf;mylPH-kX>9
zE8CCzuVzTb?h+zhY~6ilMz~<VuB16a2;bXphdkmtj(S4gP4dp?j;<gs<ZC6-dJHR@
zKa1P-yvue(N@b_@Q=*sL?9M_+f#R_0gY0*dS#2(J$oP3dTi?T->@Cb7FE15`Jx;L1
zf2?xU;>qKi;5olJvJkeI;}aQX5II?tIjUl0jL%0bwoO9~$I-EhlJ6$Uv15*$NS8xZ
zYw$aIo@gIEq2{A!^m*4O?cyRU6|_?N$N;+(&nyhckkQl#Ft41PVVu&O=t2pZnI@Qw
zRtf0uB^Xr0P6^ogloq6D#2T^&=!&?TcM|0q*mzSR5@n~lB7FzK=S{;*9_LN?`2R1+
zG?$Geu?P`+j9le(CX@AHGbGgGbU1bLBSct4Cem{t5ArMgDR~v;A%3HZdAuy6&N`6*
z&eQ7y9adrR3Y#!rLROV|^n3LaKZkA!gI3M04XI-jRt9$Yu*Awb3lXEaOc8gZ*erj#
z_Tmwv!}G-k&4BUh?=;}`7StVb<umC<iYDrU03vH*eaErXvs%$j8Mh(i(-URQA^8@I
zUcS%#A=*NIE>akypzI$@9&bQC?8MTyaskCl7&#I#aC?0+k}B@UmWV*w)n=+nj~96_
z?vgiL{!M>MXpqTdT!CaECuci)xwyEoN3k}{9=Mp|YxZty<1#&sQYhu(iDl>Yfy5+l
zzus-L-NdsCUIICqZ_DqV2I$C`xGGT4&fkNgG*_ch?V5Qup&3jdOTViXMl1dkfehKz
zEo^o|srU`M#x?~l4#CA#wR?{#B5FiW{iQiWltOZ3hOFyx#WOg@DcDfdkSrvVLAqWF
z0m<4Q05YY_9q(h!oof!VtpiUEu>YW6lJ1*bv^HJ##jxwa(RsTXsAb`extmk+b637!
z;*TAF4+1Q>=!We1)x(-B%|g-u4E<4Q5X+7zK!ITrfs^+A4t4iM8Vj1YQl)fbXnPZ<
zjT9ove)p?hJ!M<Obbisi)n_I(rgkNczLvJUlGiFQ`Q0C=W+v>8+iq>M)1Unoy=&ff
z-O5hMJFLDmwxWse#xoX!lbN2Yn@#$_Bz9f;lVo2!*<<lHVO2)zNDT(T-Br5eTc1p0
zFFosWji;_!^V(gS8^g3hlh!*<cT+P~O{sioKTdZCl^C$ElTF9_zi9b_^86w4b^J-c
z=5R;nhj+&%AT4L`)fRBrcPEmn4+Gcu0>cktLR#(Y4?&o&Fj!=R?}6GQW}%xUW0~cH
zD2`x0QX*qF#)BwY8#F@-m!*j-jy~#=Zt?zFq0<g~5~SP)F16yimm+sqy_c%^<p!bp
zPr5MvdkUw_Ax`qjT{3&q2nP6A2Ql%fInP!?vc`mTr?T$__~Wk{KFH)X3@3hgVx&b^
z%oe0!(cLz+P$FX6A)j~UlJnx>q;*)gQCx~0D-^%avZ`+7g}UuVsk`9=h8Fa0hdjGf
zEhU1b$R_2!i-C2$+QSW+XkSm(ex4(*i`sJiozA#hez7-1wPs_?Z+d4osy@7v(7P}g
zJZ8GKZ%w*@4GDU9B9~lQsVBM`QV?}Xi&W6Wc`HN}9LF?LC%%TLR*#$7KfZNd$|*!N
z(65giq)Uh!y1$$4>-qYDe0wN~>p_3-xA*@HQFB8srLa4nBN*gq_Ej?Y!5xdMsl|$E
z%fS&FgaBk)_V*6-SycmfA8PjJ+WO+5ZaUDcjZmC^pM(z)<4L9`WLN~zmBuXDaUW`=
z03S9&CVYq0Da7I3ro2ILU5ZX<?y#$4oL(}I$`fFSFQEpd3*++DWUYp7L9=z^@LcWJ
z7;B-i(Bg&by>X*Hhke%?TAtCgv3m{GErKL7X+Z4_!i?Q&#3GkdUT^yKAXQ)D8zxZ)
zj7BOeFTCxXtc+-aTGVk1(D=o0SK@w#rB<RkgFd@xU@iwOefg-(&h2BFniN6L`A_;q
z3sLzN<MYMSS{}VLtu7BL-08^4=-RYqxpa$4Np!=r-~!r)=%vmv?r^1wG{vWF5z#Ep
zm&kb5KtxLdPX@xs4is|^iswW_ZqgOrkn(8Iyr~IPH-wj7k<c5JLUq_(;|E6WN@uam
zpvea+lE9HafTLU(2rVHq95|o>+5qj4rf2~N$~j8odD0YBxe1?%HmqetamH}O<_E5U
ze1~Zxfxa48^e`|^^wW|K7HV7DqD`SU({-2+y@^$)2?XL8V&LOAgQ6L}PkbUtrTkj#
zMke3ZUCgv2qTQT_OS4!bIfjmlh{D{agpBqtdFk@xlcim2^%D#Un5A8DM10F_PS0U?
z*LT4pXcKMg7am?%0yf)apeB{&kBG(U-UYwp##52KcvjbO+zBm)$PjER{o~SEHlSGD
zsO?ia4~^0Vha(BwrKP}V?+0H{ER($Z)$0a|kfj6F>-g4WNcXGVL~sWM#gfd$_@cpm
z0c=nDFx%CXVS0s4-PI^Z(D~IEFizxpoPvn(A7DD%)mSF)b)qon@in7B#{FnxKyUTE
zO;64xzx&=YF(6B2=nElPrqgr@k2$~ePDJ%mvC306${v#Dhcz<n23^}ek~&0Gpl+!e
zA7Z^287tYfCg=gHx?f$jXZWC_TDrWB4DU{b4w_z&@o<|{0UywtN;M;D{CJ;&QN7&L
z=U5`qIG$42+OygM>JbAx%*WhswIAZR8^~`@nc+B>K*=E&jP#J#>W;rf)W~H<t7XDK
zo`v5ebu^A<{i;pgo?4d47n_)5QPC1+i0gx_Uuo9|1;=oNbH%a`fk>$tZ#`&=!snwG
zOX#7gKI4X464Z{3TrCTPvf3eCI-aU0Wo0_-3xR9fOcacl;pAdFZF_TqLo7p6kSUfZ
zasdVzqj9#BCJZ5C%zk<lz%0dgI|3j^NG&!hQobwkx^0bHO00IA44eaB&}M$zG)R7r
zWb`>gPO*$TNu+L^ZU;gM8`_lwvpG^^4xJ04oXIYDSh&%bbK1-@`{9$oz-iosWDI;z
zS9Iz;*iN+N+?-sXJ^C4q;@t5;q<@YS?I4+~E>VoQmi8*4*fZXNp}RV-Adc(;J}`Yf
zlFFe;mQzDtGVr6=balGN`~!M4AayfckW96mmQ{WeW|Zu<(#O#NPFxuUs1&mv)Dz9?
z#;dKWTk{!gjAtl=(FFRBCWz=a<r^q8G4Y<UBvML@3l{!-6bS%vh>sURqD#rV%-3*i
zg#wp|sg@Z!-ZR$30leQYx>r7TNEDrVNc;-9B}hqjFm`IS!gipk7Wl}9W;V!tQWq@`
zCmLx&uOZ)X>^g{(kchcnYmw$O5!MW#t7SEXS~!~VsUd}Rg_f%rAI)K=BN}zll*^`R
zB_76e5n=Q&V<g~Vbvr$YR-v65J$n}r$mm$NtVtxsa81H^c;5P2X}zWg&Rz+`L_AeF
zz*D0tT!(NP3BSVAAXRL`-=+PtIa(TajEt3}5U6xr(B{dvHi{2f_$f{*mUB)k;_c#^
z1mG4EFZir_q4<+p_BEoFB6>*iV}&@sC_&1>W?OlR%waUa%<{=`?>x+`@%{I+rZKVG
z^R`v59*uuA27YK6Y)E>4{kg@Xm1*6Ru@CEzOvrT7j{7P@bTWt2#09oR9#g<bR-XaW
zD%|iNdAiVurj1L7^50R7p)$}y-%({$P1mQyTPh_oC9kiwV83y@Nj$~Mnw-Fiwg+EV
zn^}MrPrsX<71Tj(ghf0)XE2Etthl><O+zB_%!KhSb)~iWMifc!g%UHqqPGOCu2e@)
zK}<)I&J<!rEOz>|O7Gveb!OKxb(ua)dO`uj3_WfP4sB@bAV91&vszW6ALC>dypOGM
z-zzdL(u*H*Fe!Hjo<w)GD6dzr9DjU#Tih;1xs`hp5S`V|WVBgW8xQts{cd4UeDQ4b
z5q(E_V;2m!;yI5T=dmCoVdA6;*(0G=lv<q?_s#|3xVqHilcfA}n-iqybZ<2Ibd{E7
zb=a}N8L|r%f-|~8kxQwGx&cdNs)7xIJoaDPa!X_t=awSK%Uz+*$X_dR-_d`v=@^>^
z4fh{OYn+>pAT9X8qfaTVqn0kaCp|YH2t_QbrknQ78&H}C_)IHxr??TDrkSs2k-zm^
zHzC5#aqH*0ooFtzTO&;ez@B%u`3o`brbns~ftM6op_T`*yfIax4W5|00M){`aLb`G
zDVgP0jQ$KnNP@V&9aic&i@fziL2s|g3@>Oji+g@!w8en^USIP{W_-p+_c~vI2e$qf
z;YK)Xnj(D_`Cc<1oHYhvI$oiuEh$oVu^BWHkfN+R+xo;Em&??AU7AZe<_SJinsRG)
zH0IofrOMi`sB&>0y=8t=`u@9prY&~*te9M4Su+lI28umwp;p;_p9byrA!><0ejX1?
z#aHDsfx>I~Eh&3(Rzyvs$ONwvx@arA2qm>C{<h$c*)s*b+{=R0#4GFk<-vXw)9kbG
z>I7|p`cDgR*^5t$ME_`d{4d@AU()^bf9d|4?lG!DS^sZ84;-~Ji+VH8VUz!&`&%%+
zWh?OmaL6>?2_bKy1-EM3E9jkkv;a`MZB6=9M{Htll|$rJ84L>m+B~e@wqIeOYpu25
zDs|6IuH|`PqM=_YL1NnEWHB=Lo9-9S>%#w{8_UG2-Ma$I{F-Kg6iyvRT<J2>h>e7j
z-gDBGrfp64xY~Ab&aK@Y3E))Au7hyZzxF^(Sm`m+ZPwPSsZ`OuwC{HcRot`eAwKq4
zORk@7=%XnTd{D+=I*MX)I+BlzN~+RVus>4oWgtKoH%eAi-IlUbH>Rey=#M1i8e8m*
zqmd?)L#_Ht=H9T7E5;<Zk^GBuWSbKshk2P?G?j4ZWk#{$dT``KR5fG|D7hUUNp^2r
z@upOuOYn2Lq5ztASK~O`ky{R&N1CZ9AiSKBcn2H5n-qOeUKVzI30-9KBmBsj_I6r>
zUih0`3l9(|Kj<h?Ha9$_vb}9cFGq+YuwnKfBp@|?cw>$gxZXBgW?SEXW|fnR&>+v!
zpNTNQBGAOM*=`4#SOFxGPgBC#D55Ig)BW?IYDmKlrIx>?^jOZiYNd0@Q=?{ng`{0^
z*JS;Gop?cwh~*LcV*gPsq+Ky9JU<hY#SR>~>!9E)VU_615?ow|;&nLBO+3wiX}Nr=
z5)v3eCi>P>o+P;3C_)Ep(%vG-wS5ezR{SJy^bi-<;#gOdE=WvP8!D(-)mC#@&cQ1u
z(@rdTUfRlc_bOpmG_2`DM@*RiTZ~?}$(0~Iy6k2>(IGWnsBWMweX2aoPwv{I*mNFN
z;&^tozyM6jOh7Uh?=vyhn(Sm2R1$76ncKaE43SG7_byA^o6u&Yh>GwX)q@;6`ANhI
zf0W;Stx6*LX-=IP?GOED&k?iNMLi(|X9;z2X^u(}H`@6Otj%v4Em|=aLt5{1W^Cui
zX>YMJTeHQoPidzDGjTnZHFo?&tD@LNlRvs&>SB{N>r95nm5NRQmTL9pMe;E#S;A62
z`&F}(fzmG)t!Jx#em~6;5O>&`qyy)z2sL-uh1mRQiox}~FrOe3DFCy-?AQ5|*qOZj
z5;m!W+W~_^P8Wv*gy;j!7f&`?T7zLvPMK<5r^t?=e#9xc?>wJCzswxGY~P-wxZUMU
zW`FU%W;i`EP>DrmaLA;-UDPINZM~+Q?~iuMc98P>TQe7nJvg?d-E(}v>+=SpV+MD#
zDQ~5zaukYrUn+Wbn5rD+q7IEt^J8a}n^(LWl9j0i966fT;S?97iF_|&j#H(hlX|TO
zIk+=xEB^ACz9=N5odRAH@yX0|ZrVss_E*<4y?8d^qe+qNAG=v#F69FX<(G=mN%wyp
zkMBtspy+vwUWQA}DQefpl%zTu<|RrZ05!Q8+rYfUOfAEM{b)lvi!|&XgeO^&bD%2T
z92;Tz2kH7NxryMFmyVU-(1!KZd&Yl~x@2;k+~^rPx!3H86bl`}Ed(3_4vQYrDV*Q}
zyIUv_CPE~x!c*pZS<=v-WdfDHKR<FJW1CR&PB;_8Z_G%W{w!V5=XZ6ERXS*m(_ic_
zwSr7H+v6F763Y~rbk-?8zreKb@6wsfZ3=NBq3-!;nJE4PkoZfQsACli<>fk$&Ok}?
zbhX5TM9CzidqZjfow|Wd$V<O_@*hi=y=C_yL<XTDN-LCdq`On^`iW)EFNbKfM6QMz
z*ctwh|Mgn`7vD%}K(#~;otBD;XM)DH))Ot2Q#laF$wHmhs+j^gzthbLKL=Gj(9aJh
zu5NxnEgemuvzsRh7-a7UwD<Evp&dL?PQV~Hf7ib?HE%CJe@uX5sGGMJ&=}<pbjEn2
z6#xLJr=u$h9Rk#M^KuIE#(4Mvb-WzK00^-MVnCR8Fi;u-0l-iwe{U}l-~%szdyJbm
z01nXtibEj)HK+kp9V!L@{GGtj8;wSJ`2!t1y&XM%AMEJ~^z!xx+WYvR>@h$$ufOB{
z-iATh`~ObX@K-W>AO_{)=I4*X{H_F|Fn)if^LGBX#Qy)87!UM|{C8dLfq|EUxESOP
zAs!U~?+zXT-hV9s3<`&fi~Zh%M@9ZyA^LBH{BH&NFX=B6$-kQ<{>Mc2yB7XGCW(KU
H@b3QyvgPp>
--- a/image/test/crashtests/crashtests.list
+++ b/image/test/crashtests/crashtests.list
@@ -23,16 +23,17 @@ load 1235605.gif
 load 1241728-1.html
 load 1241729-1.html
 load 1242093-1.html
 load 1242778-1.png
 load 1249576-1.png
 load 1253362-1.html
 load 1355898-1.html
 load 1375842-1.html
+load 1413762-1.gif
 load colormap-range.gif
 HTTP load delayedframe.sjs # A 3-frame animated GIF with an inordinate delay between the second and third frame
 
 # Animated gifs with a very large canvas, but tiny actual content.
 load delaytest.html?523528-1.gif
 load delaytest.html?523528-2.gif
 
 # Bug 1160801 - Ensure that we handle invalid disposal types.