[gimp] file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)

[Nils Philippsen <nphilipp src gnome org>]

commit 376ad788c1a1c31d40f18494889c383f6909ebfc
Author: Nils Philippsen <nils redhat com>
Date:   Thu Aug 4 12:51:42 2011 +0200

    file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)

 plug-ins/common/file-gif-load.c |   15 +++++++++------
 1 files changed, 9 insertions(+), 6 deletions(-)
---
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index 81f3bd0..c91e7aa 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -713,7 +713,8 @@ LZWReadByte (FILE *fd,
   static gint firstcode, oldcode;
   static gint clear_code, end_code;
   static gint table[2][(1 << MAX_LZW_BITS)];
-  static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
+  static gint stack[STACK_SIZE], *sp;
   gint        i;
 
   if (just_reset_LZW)
@@ -788,7 +789,7 @@ LZWReadByte (FILE *fd,
 
           return firstcode & 255;
         }
-      else if (code == end_code)
+      else if (code == end_code || code > max_code)
         {
           gint   count;
           guchar buf[260];
@@ -807,13 +808,14 @@ LZWReadByte (FILE *fd,
 
       incode = code;
 
-      if (code >= max_code)
+      if (code == max_code)
         {
-          *sp++ = firstcode;
+          if (sp < &(stack[STACK_SIZE]))
+            *sp++ = firstcode;
           code = oldcode;
         }
 
-      while (code >= clear_code)
+      while (code >= clear_code && sp < &(stack[STACK_SIZE]))
         {
           *sp++ = table[1][code];
           if (code == table[0][code])
@@ -824,7 +826,8 @@ LZWReadByte (FILE *fd,
           code = table[0][code];
         }
 
-      *sp++ = firstcode = table[1][code];
+      if (sp < &(stack[STACK_SIZE]))
+        *sp++ = firstcode = table[1][code];
 
       if ((code = max_code) < (1 << MAX_LZW_BITS))
         {