From 2c6a3af9b6595dcaa7151dd27caa5303a5d152c2 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Wed, 3 Dec 2014 12:36:27 +0100
Subject: [PATCH] loader_gif(): Abort gif parsing if DGifGetLine() fails

Prevents multiple conditinal jumps based on and uses of unitinitialied memory when parsing fuzzed file id:000067,src:000000,op:havoc,rep:4,+cov.
---
 src/modules/loaders/loader_gif.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
index e42a3ff..c6356ca 100644
--- a/src/modules/loaders/loader_gif.c
+++ b/src/modules/loaders/loader_gif.c
@@ -85,7 +85,10 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
 {
 for (j = intoffset[i]; j < h; j += intjump[i])
 {
- DGifGetLine(gif, rows[j], w);
+ if (DGifGetLine(gif, rows[i], w) == GIF_ERROR)
+ {
+ break;
+ }
 }
 }
 }
@@ -93,7 +96,10 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
 {
 for (i = 0; i < h; i++)
 {
- DGifGetLine(gif, rows[i], w);
+ if (DGifGetLine(gif, rows[i], w) == GIF_ERROR)
+ {
+ break;
+ }
 }
 }
 done = 1;
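Review bot: The interlaced branch in the first hunk changes the destination from `rows[j]` to `rows[i]`, but `i` is the index into the interlace tables `intoffset`/`intjump` while `j` is the scan line being decoded, so every line of a pass is written over the same row and the rows the loop is meant to fill stay untouched; the new line should keep the loop index, `if (DGifGetLine(gif, rows[j], w) == GIF_ERROR)`. The added `break` also only leaves the inner `for (j …)` loop, so the enclosing pass loop (it begins outside the hunk) keeps calling DGifGetLine() after the decoder has reported an error, and in the second hunk the `break` falls straight through to `done = 1`, so a truncated or corrupt file is still handed on as a successfully loaded image. If the row buffers are not zero-filled where they are allocated (not visible here), the lines that were never decoded are then read as pixel data, which is the uninitialised-memory use the commit title sets out to stop. Recording the failure in a flag that is tested before `done = 1`, or jumping to the loader's existing cleanup path if it has one, would make the abort complete in both hunks.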