From 476911e1f90742c4bf67e9b3d1815c8211f40bdd Mon Sep 17 00:00:00 2001
From: Peter Nelson
Date: Mon, 28 Dec 2020 12:31:09 +0000
Subject: [PATCH] LibGfx: fix OOB access in LZW decoder on bad input

This fixes an issue where a corrupted LZW code can result in the first element of an empty buffer being accessed.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27863
---
 Libraries/LibGfx/GIFLoader.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Libraries/LibGfx/GIFLoader.cpp b/Libraries/LibGfx/GIFLoader.cpp
index d50bd73a60..7a0480379d 100644
--- a/Libraries/LibGfx/GIFLoader.cpp
+++ b/Libraries/LibGfx/GIFLoader.cpp
@@ -216,6 +216,12 @@ public:
 #ifdef GIF_DEBUG
             dbg() << "Corrupted LZW stream, invalid code: " << m_current_code << " at bit index: " << m_current_bit_index << ", code table size: " << m_code_table.size();
+#endif
+            return {}; } else if (m_current_code == m_code_table.size() && m_output.is_empty()) {
+#ifdef GIF_DEBUG
+            dbg() << "Corrupted LZW stream, valid new code but output buffer is empty: " << m_current_code << " at bit index: " << m_current_bit_index << ", code table size: " << m_code_table.size();
 #endif
             return {};
         }
@@ -234,6 +240,7 @@ public:
             new_entry.append(m_output[0]);
             extend_code_table(new_entry);
         } else if (m_current_code == m_code_table.size()) {
+            ASSERT(!m_output.is_empty());
             m_output.append(m_output[0]);
             extend_code_table(m_output);
         }
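Review bot: The new `else if` branch repeats the `#ifdef GIF_DEBUG` / `dbg()` / `return {};` error path of the branch directly above it, differing only in the message text; both corrupt-stream cases could share one rejection, e.g. `if (m_current_code > m_code_table.size() || (m_current_code == m_code_table.size() && m_output.is_empty()))`, with the message stating which condition fired. The new condition also deserves a comment, because it is not obvious from the code why a code equal to the table size is acceptable in general but not when the output buffer is empty: `// A code equal to the next free table slot (the KwKwK case) denotes the previous string plus its first byte, so it is only meaningful once a previous string has been emitted.` The enclosing function starts before this hunk, so how the caller treats the empty return (abort the frame, or keep consuming the stream) cannot be checked here.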
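Review bot: The added `ASSERT(!m_output.is_empty())` protects the `m_output[0]` read in this branch only, while the sibling branch two lines above also reads `m_output[0]` in `new_entry.append(m_output[0])` with no equivalent guard; whether that read is already safe depends on how `m_output` is assigned just before it, which lies outside the hunk. If the code table can hold an empty entry (GIF LZW tables commonly reserve slots for the clear and end-of-information codes), a code selecting such an entry would reach the same out-of-bounds read this commit fixes, so it is worth confirming against the table initialisation. Since an ASSERT terminates the decoder on a condition derived from untrusted image data, it is only appropriate here because the guard added in the first hunk runs earlier in the same function; the lines between the two hunks are not visible, and if anything there can clear `m_output`, `if (m_output.is_empty()) return {};` would be the defensive choice over a fatal assertion.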