[gdk-pixbuf] gif: Prevent access to negative array indexes



commit 23e2a7c4b7794220ecd77389b3976c0767fc839d
Author: Tobias Mueller <muelli cryptobitch de>
Date:   Wed Dec 14 08:03:16 2016 +0100

    gif: Prevent access to negative array indexes
    
    It seems that a pathological gif file can cause a negative array index
    to be read.  UBSAN reported this:
    io-gif.c:509:44: runtime error: index -2 out of bounds for type 'guchar [280]'
    io-gif.c:510:44: runtime error: index -1 out of bounds for type 'guchar [280]'
    
    https://bugzilla.gnome.org/show_bug.cgi?id=778584

 gdk-pixbuf/io-gif.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)
---
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index ef10017..acbd1f3 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -508,6 +508,14 @@ gif_lzw_fill_buffer (GifContext *context)
                return -2;
        }
 
+       if (context->code_last_byte < 2) {
+               g_set_error_literal (context->error,
+                                    GDK_PIXBUF_ERROR,
+                                    GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                    _("Bad code encountered"));
+               return -2;
+       }
+
        context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
        context->block_buf[1] = context->block_buf[context->code_last_byte - 1];
 
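Review bot: the new `if (context->code_last_byte < 2)` guard carries no comment explaining the threshold, so a later reader has to infer it from the two context lines below it. A one-line comment saying that the last two bytes of the previous block are copied to `block_buf[0]` and `block_buf[1]`, and that `code_last_byte` must therefore be at least 2, would tie the check to the `code_last_byte - 2` and `code_last_byte - 1` reads it protects. The guard only bounds the index from below; nothing in this hunk shows that `code_last_byte` is also kept within the 280-byte `block_buf` named in the UBSAN report, so it is worth confirming that the upper bound is enforced where the value is set. The message "Bad code encountered" is also generic for this condition; a string that mentions the short or corrupt LZW block would make the failure easier to triage. The commit adds no test, so a regression test using the file from the linked bug would keep this path covered.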

