Fix bug #68601 buffer read overflow in gd_gif_in.c

diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index ee88a2fc8e102720526f9b37ec17c46f4a383484..491e9422db0c9baf9b021958451e8cb0aab4b807 100644 (file)
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -72,8 +72,10 @@ static struct {
 
 #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
 
+#define CSD_BUF_SIZE 280
+
 typedef struct {
-       unsigned char    buf[280];
+       unsigned char    buf[CSD_BUF_SIZE];
        int              curbit, lastbit, done, last_byte;
 } CODE_STATIC_DATA;
 
@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
 
        ret = 0;
        for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
-               ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
+               if (i < CSD_BUF_SIZE * 8) {
+                       ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+               } else {
+                       ret = -1;
+                       break;
+               }
 
        scd->curbit += code_size;
        return ret;