From 8d7b9198e3830bb1ae37ac3b3f44c60582c86f81 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 16 Aug 2016 08:07:58 +0200
Subject: [PATCH] [lzw] Avoid buffer overrun.

Reported as

https://bugzilla.mozilla.org/show_bug.cgi?id=1273283

* src/lzw/ftzopen.c (ft_lzwstate_refill): Ensure `buf_size' doesn't underflow.
---
 ChangeLog | 11 +++++++++++
 src/lzw/ftzopen.c | 7 ++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 3cf00026e..da002abce 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2016-08-16 Werner Lemberg
+
+ [lzw] Avoid buffer overrun.
+
+ Reported as
+
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1273283
+
+ * src/lzw/ftzopen.c (ft_lzwstate_refill): Ensure `buf_size' doesn't
+ underflow.
+
 2016-08-16 Werner Lemberg
 
 [truetype] Fix compiler warning.
diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
index e17b3c524..32839cc32 100644
--- a/src/lzw/ftzopen.c
+++ b/src/lzw/ftzopen.c
@@ -42,7 +42,12 @@
 state->buf_total += count;
 state->in_eof = FT_BOOL( count < state->num_bits );
 state->buf_offset = 0;
- state->buf_size = ( state->buf_size << 3 ) - ( state->num_bits - 1 );
+
+ state->buf_size <<= 3;
+ if ( state->buf_size > state->num_bits )
+ state->buf_size -= state->num_bits - 1;
+ else
+ return -1; /* not enough data */
 
 if ( count == 0 ) /* end of file */
 return -1;
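Review bot: The new guard `if ( state->buf_size > state->num_bits )` in the src/lzw/ftzopen.c hunk also rejects the exact-fit case where the refilled buffer holds precisely one code (`buf_size == num_bits` after the shift), even though subtracting `state->num_bits - 1` would leave 1 there and not wrap; the old expression accepted that case. If `num_bits` can be a multiple of 8 (its range is not visible in this hunk), a short final read would then drop a valid trailing code, so `if ( state->buf_size >= state->num_bits )` looks like the tighter bound that still prevents the underflow. The early `return -1` also runs after `buf_total`, `in_eof` and `buf_offset` have been updated and leaves `buf_size` as a raw bit count, so a comment such as `/* fewer bits than one code: report as EOF; buf_size is left unadjusted */` would tell maintainers what state callers see. It also appears to make the following `if ( count == 0 )` check unreachable for a zero-byte read, assuming `buf_size` is set from `count` just above the hunk; the function starts and ends outside the hunk.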