From 7f5fb63f7f2ef5ff3f234e0653412d8f4a439c0d Mon Sep 17 00:00:00 2001
From: Shailesh Mistry
Date: Tue, 25 Apr 2017 21:05:27 +0100
Subject: Bug 694150 : Fix SEGV in s_LZWD_process. Prevent using prev_code < 0 which would make an entry before the table. This in turn means that when a length of 4 is decoded, the decoder fails to find the eod and continues to write off the end of the memory segment.
---
 base/slzwd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'base/slzwd.c')
diff --git a/base/slzwd.c b/base/slzwd.c
index a3ece825e..9caf2152e 100644
--- a/base/slzwd.c
+++ b/base/slzwd.c
@@ -242,10 +242,10 @@ s_LZWD_process(stream_state * st, stream_cursor_read * pr,
 * equal to next_code.
 */
 if (code >= next_code) {
- if (code > next_code) {
+ if ((code > next_code) || (prev_code < 0)) {
 #ifdef DEBUG
- mlprintf2(ss->memory, "[W]code = %d > next_code = %d\n",
- code, next_code);
+ mlprintf3(ss->memory, "[W]code = %d > next_code = %d or prev_code = %d < 0\n",
+ code, next_code, prev_code);
 #endif
 status = ERRC;
 goto out;
-- 
cgit v1.2.1
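Review bot: The added `prev_code < 0` test inside the `code >= next_code` branch has no comment, and the comment above it still only says that codes equal to next_code must be handled. I would add above the test something like `/* code == next_code is built from prev_code, so reject it until a previous code exists */`, so the invariant survives later edits. The DEBUG message joins both conditions with "or", so the log does not show which one fired; a separate message per condition would make malformed-stream reports easier to triage. Going by the commit description, the out-of-bounds write happens later, when the decoder does not find the eod. That code is outside this hunk, so it is worth confirming the write is also bounded by the output limit and does not rely on this guard alone. s_LZWD_process starts and ends outside the hunk.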