LibGfx: fix OOB access in LZW decoder on bad input

This fixes an issue where a corrupted LZW code can result in the first element of an empty buffer being accessed. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27863
Author: https://github.com/peterdn Commit: https://github.com/SerenityOS/serenity/commit/476911e1f90 Pull-request: https://github.com/SerenityOS/serenity/pull/4598
2024-11-22 15:40:19 +00:00 · 2020-12-28 12:31:09 +00:00 · 2020-12-28 12:31:09 +00:00 · 476911e1f9 · 2024-07-19 00:30:01 +09:00
commit 476911e1f9
parent be30dc2b18
1 changed files with 7 additions and 0 deletions
--- a/Libraries/LibGfx/GIFLoader.cpp
+++ b/Libraries/LibGfx/GIFLoader.cpp
@ -216,6 +216,12 @@ public:
 #ifdef GIF_DEBUG
            dbg() << "Corrupted LZW stream, invalid code: " << m_current_code << " at bit index: "
                  << m_current_bit_index << ", code table size: " << m_code_table.size();
+#endif
+            return {};
+        } else if (m_current_code == m_code_table.size() && m_output.is_empty()) {
+#ifdef GIF_DEBUG
+            dbg() << "Corrupted LZW stream, valid new code but output buffer is empty: " << m_current_code
+                  << " at bit index: " << m_current_bit_index << ", code table size: " << m_code_table.size();
 #endif
            return {};
        }
@ -234,6 +240,7 @@ public:
            new_entry.append(m_output[0]);
            extend_code_table(new_entry);
        } else if (m_current_code == m_code_table.size()) {
+            ASSERT(!m_output.is_empty());
            m_output.append(m_output[0]);
            extend_code_table(m_output);
        }