From a49c77b76d0203a0165f3749c290ef363fbddd44 Mon Sep 17 00:00:00 2001
From: Ben Wiederhake
Date: Sun, 30 May 2021 12:37:17 +0200
Subject: [PATCH] LibGfx: Load correct durations for gifs

The wrong shift effectively set the upper byte to 0, meaning that durations longer than 255 centiseconds (2.55 seconds) were wrapped around. See serenity-fuzz-corpora for an example.
---
 Userland/Libraries/LibGfx/GIFLoader.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibGfx/GIFLoader.cpp b/Userland/Libraries/LibGfx/GIFLoader.cpp
index 41a33b736f..a4d9a9d497 100644
--- a/Userland/Libraries/LibGfx/GIFLoader.cpp
+++ b/Userland/Libraries/LibGfx/GIFLoader.cpp
@@ -511,7 +511,7 @@ static bool load_gif_frame_descriptors(GIFLoadingContext& context)
 u8 transparent = sub_block[0] & 1;
 current_image->transparent = transparent == 1;
- u16 duration = sub_block[1] + ((u16)sub_block[2] >> 8);
+ u16 duration = sub_block[1] + ((u16)sub_block[2] << 8);
 current_image->duration = duration;
 current_image->transparency_index = sub_block[3];
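Review bot: The corrected line still relies on a C-style cast, `(u16)sub_block[2] << 8`, which integer promotion widens to int before the addition and the narrowing back to u16 anyway; a named cast states the intent and is greppable, e.g. `u16 duration = static_cast<u16>(sub_block[1] | (sub_block[2] << 8));`. It is not visible in this hunk whether sub_block is guaranteed to hold at least four bytes before sub_block[1] through sub_block[3] are read; if the sub-block length is not already validated by the caller, a length check ahead of these reads would keep a truncated Graphic Control Extension from indexing past the end, which the fuzz corpus mentioned in the description is well placed to exercise. A one-line comment such as `// Delay time: little-endian u16, in centiseconds (GIF89a spec §23)` above the assignment would document why the low byte comes first and prevent the shift direction from regressing. load_gif_frame_descriptors starts and ends outside the hunk.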