File gdk-pixbuf-gif-negative-array-indexes.patch of Package gdk-pixbuf

From 23e2a7c4b7794220ecd77389b3976c0767fc839d Mon Sep 17 00:00:00 2001
From: Tobias Mueller <muelli@cryptobitch.de>
Date: Wed, 14 Dec 2016 08:03:16 +0100
Subject: [PATCH] gif: Prevent access to negative array indexes

It seems that a pathological gif file can cause a negative array index
to be read.  UBSAN reported this:
io-gif.c:509:44: runtime error: index -2 out of bounds for type 'guchar [280]'
io-gif.c:510:44: runtime error: index -1 out of bounds for type 'guchar [280]'

https://bugzilla.gnome.org/show_bug.cgi?id=778584
---
 gdk-pixbuf/io-gif.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index ef1001779..acbd1f3be 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -508,6 +508,14 @@ gif_lzw_fill_buffer (GifContext *context)
 		return -2;
 	}
 
+	if (context->code_last_byte < 2) {
+		g_set_error_literal (context->error,
+				     GDK_PIXBUF_ERROR,
+				     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+				     _("Bad code encountered"));
+		return -2;
+	}
+
 	context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
 	context->block_buf[1] = context->block_buf[context->code_last_byte - 1];
 
-- 
2.15.1