LibGfx: Fix read buffer overflow in interlaced GIF decode

Unfortunately 10420dee7e didn't quite fix it, as the buffer overflow was actually happening here: af22204488/Userland/Libraries/LibGfx/GIFLoader.cpp (L402) Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30507
Author: https://github.com/Lubrsi Commit: https://github.com/SerenityOS/serenity/commit/ce5fe2a6e80 Pull-request: https://github.com/SerenityOS/serenity/pull/5540
2024-09-20 17:58:18 +03:00 · 2021-02-26 22:31:07 +00:00 · 2021-02-26 22:31:07 +00:00 · ce5fe2a6e8 · 2024-07-18 21:53:46 +09:00
commit ce5fe2a6e8
parent 9aa91e6c6f
1 changed files with 7 additions and 6 deletions
--- a/Userland/Libraries/LibGfx/GIFLoader.cpp
+++ b/Userland/Libraries/LibGfx/GIFLoader.cpp
@ -399,13 +399,14 @@ static bool decode_frame(GIFLoadingContext& context, size_t frame_index)
                ++pixel_index;
                if (pixel_index % image.width == 0) {
                    if (image.interlaced) {
-                        if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
-                            ++interlace_pass;
-                            if (interlace_pass < 4)
-                                row = INTERLACE_ROW_OFFSETS[interlace_pass];
-                        } else {
-                            if (interlace_pass < 4)
+                        if (interlace_pass < 4) {
+                            if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
+                                ++interlace_pass;
+                                if (interlace_pass < 4)
+                                    row = INTERLACE_ROW_OFFSETS[interlace_pass];
+                            } else {
                                row += INTERLACE_ROW_STRIDES[interlace_pass];
+                            }
                        }
                    } else {
                        ++row;