author | Vincent Sanders <vince@kyllikki.org> | 2017-01-25 00:48:51 +0000 |
---|---|---|
committer | Vincent Sanders <vince@kyllikki.org> | 2017-01-25 00:48:51 +0000 |
commit | abc6a95ad6a8fd14cce943b4f9643b0a2ad175b4 (patch) | |
tree | b77e8053b8e5bd0844a39cb6d27500cd67f33fd2 | |
parent | a5ff5ae14c6aff6398187c22e92c2136b9861f2e (diff) | |
when searching previous frames for disposal type stay in bounds
When searching back through the frames for one whose disposal type is
not restore, the array index would go out of bounds off the front of
the frames block, causing a segfault.
Fixes issue #2515 reported in bugtracker
-rw-r--r-- | src/libnsgif.c | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/src/libnsgif.c b/src/libnsgif.c
index 081ea9f..412c67a 100644
--- a/src/libnsgif.c
+++ b/src/libnsgif.c
@@ -793,7 +793,6 @@ gif_internal_decode_frame(gif_animation *gif,
 unsigned int save_buffer_position;
 unsigned int return_value = 0;
 unsigned int x, y, decode_y, burst_bytes;
- int last_undisposed_frame = (frame - 1);
 register unsigned char colour;
 
 /* Ensure this frame is supposed to be decoded */
@@ -980,20 +979,25 @@ gif_internal_decode_frame(gif_animation *gif,
 if (return_value != GIF_OK) {
 goto gif_decode_frame_exit;
 }
+
+ } else if ((frame != 0) &&
+ (gif->frames[frame - 1].disposal_method == GIF_FRAME_RESTORE)) {
 /*
 * If the previous frame's disposal method requires we
 * restore the previous image, find the last image set
 * to "do not dispose" and get that frame data
 */
- } else if ((frame != 0) &&
- (gif->frames[frame - 1].disposal_method == GIF_FRAME_RESTORE)) {
- while ((last_undisposed_frame != -1) &&
- (gif->frames[--last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE));
+ int last_undisposed_frame = frame - 2;
+ while ((last_undisposed_frame >= 0) &&
+ (gif->frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE)) {
+ last_undisposed_frame--;
+ }
 
 /* If we don't find one, clear the frame data */
 if (last_undisposed_frame == -1) {
 /* see notes above on transparency
- * vs. background color */
+ * vs. background color
+ */
 memset((char*)frame_data,
 GIF_TRANSPARENT_COLOUR,
 gif->width * gif->height * sizeof(int)); |
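Review bot: The initialiser `int last_undisposed_frame = frame - 2;` in the second hunk still leans on integer conversion when `frame` is 1: if `frame` is an unsigned type (its declaration is outside the hunk), the subtraction wraps, and only the implementation-defined conversion back to `int` produces the -1 that the later `if (last_undisposed_frame == -1)` test expects. Writing `int last_undisposed_frame = (int)frame - 2;` and testing `if (last_undisposed_frame < 0)` would make the not-found case independent of that conversion and keep it in step with the loop's `>= 0` guard. Because the disposal methods are read from the GIF file itself, a regression image whose frames are all restore-to-previous would be worth adding to the tests for this path. The body of gif_internal_decode_frame starts and ends outside the hunk.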