From 797226335ec47573f80e84d0fbdf1536292868d0 Mon Sep 17 00:00:00 2001
From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
Date: Wed, 24 Aug 2011 14:08:17 +0200
Subject: [PATCH 1/2] SECURITY: Bug#9: Loading incomplete GIF files causes an
 invalid read. Petr Pisar.

An incomplete image file causes part of the pixels to be uninitialised.
As the pixels are entries in a colormap, this causes invalid reads.
---
 src/img/gifread.c |   19 ++++++++++++-------
 1 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/img/gifread.c b/src/img/gifread.c
index 0e24e27..9c35f63 100644
--- a/src/img/gifread.c
+++ b/src/img/gifread.c
@@ -553,7 +553,9 @@ ReadImage(IOSTREAM *fd,
   UCHAR c;
   int color;
   int xpos = 0, ypos = 0, pass = 0;
+  int lines = 0;
   long curidx;
+  int last;
 
   if ( !ReadOK(fd, &c, 1) || c > MAX_LZW_BITS )
   { return GIF_INVALID;
@@ -606,20 +608,23 @@ ReadImage(IOSTREAM *fd,
 	  }
 	}
       } else
-      {
-	++ypos;
+      { ++ypos;
       }
+      ++lines;
     }
     if (ypos >= height)
-      break;
+      goto fini;
   }
+  return GIF_INVALID;			/* short file */
 
 fini:
+  if ( lines != height )
+    return GIF_INVALID;
 
-  if (LZWReadByte(fd, FALSE, c) >= 0)
-  {
+  if ( (last=LZWReadByte(fd, FALSE, c)) >= 0 )
+  { return GIF_OK;			/* end is 0x3B, but we only read the */
+  }					/* first image of animated GIFs */
 
-  }
-  return GIF_OK;
+  return GIF_INVALID;
 }
 
-- 
1.7.6