From 37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8 Mon Sep 17 00:00:00 2001
From: Kim Woelders
Date: Sun, 3 Apr 2016 19:40:25 +0200
Subject: [PATCH] GIF loader: Fix out-of-bound reads from colormap.
Bug-Debian: http://bugs.debian.org/785369
Note: removes all special-casing from the inner loop, optimize for common case.
Author: Yuriy M. Kaminskiy
Reported-By: Jakub Wilk
Thanks to Bernhard U:belacker for analysis.
Signed-off-by: Gustavo Zacarias
---
 src/modules/loaders/loader_gif.c | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
index 638df59..4f08d64 100644
--- a/src/modules/loaders/loader_gif.c
+++ b/src/modules/loaders/loader_gif.c
@@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
 if (im->loader || immediate_load || progress)
 {
+ DATA32 colormap[256];
+
 bg = gif->SBackGroundColor;
 cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
+ memset (colormap, 0, sizeof(colormap));
+ if (cmap != NULL)
+ {
+ for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- > 0;)
+ {
+ r = cmap->Colors[i].Red;
+ g = cmap->Colors[i].Green;
+ b = cmap->Colors[i].Blue;
+ colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
+ }
+ /* if bg > cmap->ColorCount, it is transparent black already */
+ if (transp >= 0 && transp < 256)
+ colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] & 0x00ffffff : 0x00000000;
+ }
 im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
 if (!im->data)
 goto quit;
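Review bot: The comment above the transparency fix-up gives the bound as `bg > cmap->ColorCount`, but `colormap[bg]` is already zero for `bg == cmap->ColorCount` too, since the `memset` clears every slot the fill loop does not write; it should read `/* if bg >= cmap->ColorCount, colormap[bg] is already transparent black */`. A one-line comment at the `memset` would also help, stating that the zero fill is what makes all 256 indices safe to look up, including the `cmap == NULL` case where the image decodes as fully transparent black instead of failing. As a smaller point, `(0xff << 24)` in the fill loop shifts into the sign bit where `int` is 32 bits; `(0xffu << 24)` avoids relying on that. The enclosing `load()` begins and ends outside the hunk.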
@@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
 {
 for (j = 0; j < w; j++)
 {
- if (rows[i][j] == transp)
- {
- r = cmap->Colors[bg].Red;
- g = cmap->Colors[bg].Green;
- b = cmap->Colors[bg].Blue;
- *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
- }
- else
- {
- r = cmap->Colors[rows[i][j]].Red;
- g = cmap->Colors[rows[i][j]].Green;
- b = cmap->Colors[rows[i][j]].Blue;
- *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
- }
+ *ptr++ = colormap[rows[i][j]];
 per += per_inc;
 if (progress && (((int)per) != last_per) && (((int)per) % progress_granularity == 0))
-- 
2.7.3
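Review bot: The lookup `*ptr++ = colormap[rows[i][j]];` stays in bounds only while each element of `rows` is an unsigned 8-bit value, and nothing on this line records that invariant. The declaration of `rows` is outside the hunk, so the element type is presumed rather than confirmed here. I would add a comment such as `/* rows[][] holds 8-bit unsigned pixel indices, so colormap[256] covers every value */`. If the element type could ever be signed or wider, the index should be masked, `colormap[rows[i][j] & 0xff]`. The surrounding loops and `load()` start and end outside the hunk.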