Merge pull request #46 from sysprog21/fix-gifdec

jserv · web-flow · commit a5b600c27d0c · 2024-09-12T14:34:22.000+08:00
Fix out-of-bounds read access in GIF decoding
diff --git a/mk/common.mk b/mk/common.mk
@@ -117,7 +117,7 @@ RM         := rm -rf
 MKDIR      := mkdir -p
 
 __CFLAGS := -Wall -Wextra -pipe
-__CFLAGS += -O2 -g -pipe
+__CFLAGS += -Og -g -pipe
 __CFLAGS += $(CFLAGS)
 
 uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not')
diff --git a/src/image-gif.c b/src/image-gif.c
@@ -578,9 +578,7 @@ static twin_animation_t *_twin_animation_from_gif_file(const char *path)
         twin_pointer_t p = twin_pixmap_pointer(anim->frames[i], 0, 0);
         twin_coord_t row = 0, col = 0;
         for (int j = 0; j < gif->width * gif->height; j++) {
-            uint8_t r = *(color++);
-            uint8_t g = *(color++);
-            uint8_t b = *(color++);
+            uint8_t r = color[0], g = color[1], b = color[2];
             if (!gif_is_bgcolor(gif, color))
                 *(p.argb32++) = 0xFF000000U | (r << 16) | (g << 8) | b;
             /* Construct background */
@@ -593,6 +591,8 @@ static twin_animation_t *_twin_animation_from_gif_file(const char *path)
                 row++;
                 col = 0;
             }
+            /* next palette */
+            color += 3;
         }
         /* GIF delay in units of 1/100 second */
         anim->frame_delays[i] = gif->gce.delay * 10;
