From 531c3fe72eb18615dba89bfe673b8a8336abfb89 Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Tue, 22 Dec 2020 09:31:33 +0100
Subject: [PATCH] LibGfx: Fix OOB access in GIF deinterlacing

It was possible to go outside the interlacing row strid/offset arrays.
Just fail the decode if this is about to happen. I've added a FIXME
about rejecting such images earlier, since it's a bit sad to only do
this once we realize the pass index is about to overflow.

Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28239
---
 Libraries/LibGfx/GIFLoader.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Libraries/LibGfx/GIFLoader.cpp b/Libraries/LibGfx/GIFLoader.cpp
index 1b36361cc8..b27aa05868 100644
--- a/Libraries/LibGfx/GIFLoader.cpp
+++ b/Libraries/LibGfx/GIFLoader.cpp
@@ -380,6 +380,9 @@ static bool decode_frame(GIFLoadingContext& context, size_t frame_index)
                     if (image.interlaced) {
                         if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
                             ++interlace_pass;
+                            // FIXME: We could probably figure this out earlier and fail before doing a bunch of work.
+                            if (interlace_pass >= 4)
+                                return false;
                             row = INTERLACE_ROW_OFFSETS[interlace_pass];
                         } else {
                             row += INTERLACE_ROW_STRIDES[interlace_pass];