authorVincent Sanders <vince@kyllikki.org>2017-01-25 00:48:51 (GMT)
committer Vincent Sanders <vince@kyllikki.org>2017-01-25 00:48:51 (GMT)
commitabc6a95ad6a8fd14cce943b4f9643b0a2ad175b4 (patch)
treeb77e8053b8e5bd0844a39cb6d27500cd67f33fd2
parenta5ff5ae14c6aff6398187c22e92c2136b9861f2e (diff)
when searching previous frames for disposal type stay in bounds
When searching back through the frames for one whose disposal type is not restore, the array index would run off the front of the frames block, going out of bounds and causing a segfault. Fixes issue #2515 reported in the bugtracker.
-rw-r--r--src/libnsgif.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/src/libnsgif.c b/src/libnsgif.c
index 081ea9f..412c67a 100644
--- a/src/libnsgif.c
+++ b/src/libnsgif.c
@@ -793,7 +793,6 @@ gif_internal_decode_frame(gif_animation *gif,
unsigned int save_buffer_position;
unsigned int return_value = 0;
unsigned int x, y, decode_y, burst_bytes;
- int last_undisposed_frame = (frame - 1);
register unsigned char colour;
/* Ensure this frame is supposed to be decoded */
@@ -980,20 +979,25 @@ gif_internal_decode_frame(gif_animation *gif,
if (return_value != GIF_OK) {
goto gif_decode_frame_exit;
}
+
+ } else if ((frame != 0) &&
+ (gif->frames[frame - 1].disposal_method == GIF_FRAME_RESTORE)) {
/*
* If the previous frame's disposal method requires we
* restore the previous image, find the last image set
* to "do not dispose" and get that frame data
*/
- } else if ((frame != 0) &&
- (gif->frames[frame - 1].disposal_method == GIF_FRAME_RESTORE)) {
- while ((last_undisposed_frame != -1) &&
- (gif->frames[--last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE));
+ int last_undisposed_frame = frame - 2;
+ while ((last_undisposed_frame >= 0) &&
+ (gif->frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE)) {
+ last_undisposed_frame--;
+ }
/* If we don't find one, clear the frame data */
if (last_undisposed_frame == -1) {
/* see notes above on transparency
- * vs. background color */
+ * vs. background color
+ */
memset((char*)frame_data,
GIF_TRANSPARENT_COLOUR,
gif->width * gif->height * sizeof(int));
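Review bot: The new initialiser `int last_undisposed_frame = frame - 2;` depends on an unsigned-to-signed conversion to produce -1 when `frame` is 1, assuming `frame` is declared unsigned (its declaration is outside the hunk, and the function body continues past it). In that case `frame - 2` is first computed as a very large unsigned value, and only an implementation-defined conversion turns it into the -1 that the later `== -1` test expects. Keeping the arithmetic signed with `int last_undisposed_frame = (int)frame - 2;` removes that dependency. Testing `if (last_undisposed_frame < 0)` would also agree with the loop's `>= 0` bound, so no negative value can reach the `gif->frames[]` index. Since the frame count and disposal methods come from the parsed GIF file, a one-line comment such as `/* -1 (no earlier non-restore frame) means clear the frame data */` would document the sentinel for the next reader.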