From 10420dee7e48c818a7b1c5386b8fcebc587825f0 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Sun, 7 Feb 2021 11:18:55 +0100
Subject: LibGfx: Fix global-buffer-overflow in interlaced GIF decode
Regressed with 57e10eadac01273cc4c0bcb681aa9381cacef0b3 and immediately caught by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30507
---
 Userland/Libraries/LibGfx/GIFLoader.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'Userland')
diff --git a/Userland/Libraries/LibGfx/GIFLoader.cpp b/Userland/Libraries/LibGfx/GIFLoader.cpp
index 4e69cc7fb5..278c5a686c 100644
--- a/Userland/Libraries/LibGfx/GIFLoader.cpp
+++ b/Userland/Libraries/LibGfx/GIFLoader.cpp
@@ -404,7 +404,8 @@ static bool decode_frame(GIFLoadingContext& context, size_t frame_index)
 if (interlace_pass < 4)
 row = INTERLACE_ROW_OFFSETS[interlace_pass];
 } else {
- row += INTERLACE_ROW_STRIDES[interlace_pass];
+ if (interlace_pass < 4)
+ row += INTERLACE_ROW_STRIDES[interlace_pass];
 }
 } else {
 ++row;
-- cgit v1.2.3
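Review bot: The added `if (interlace_pass < 4)` in the else branch stops the out-of-bounds read of `INTERLACE_ROW_STRIDES`, but it turns "pixel data left over after the fourth interlace pass" into a silent case: `row` is left unchanged and decoding carries on, so a stream carrying excess data is accepted rather than rejected as malformed. Since `decode_frame` returns `bool`, treating `interlace_pass >= 4` as a decode failure here (`return false;` instead of skipping the stride) would make the bound explicit; whether the following pixel write is otherwise guarded against a stale `row` depends on code outside this hunk and is worth confirming. The literal `4` now appears in both branches; a named bound derived from the two tables, e.g. `static constexpr size_t NUM_INTERLACE_PASSES = 4; // entries in INTERLACE_ROW_OFFSETS/INTERLACE_ROW_STRIDES`, would keep the arrays and both checks in step. The enclosing `decode_frame` starts and ends outside the hunk.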