From b04cd19b76374ebce8f3326275bdfd7e9b9aeab5 Mon Sep 17 00:00:00 2001
From: Li Zhou
Date: Sun, 11 Feb 2018 15:03:21 +0800
Subject: [PATCH] Fixed bug #75571: Potential infinite loop in gdImageCreateFromGifCtx

Due to a signedness confusion in `GetCode_` a corrupt GIF file can trigger an infinite loop. Furthermore we make sure that a GIF without any palette entries is treated as invalid *after* open palette entries have been removed.

Upstream-Status: Backport
CVE: CVE-2018-5711

Signed-off-by: Li Zhou
---
 ext/gd/libgd/gd_gif_in.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index 76ba152..7156e4b 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -261,10 +261,6 @@ terminated:
 if (!im) { return 0; }
- if (!im->colorsTotal) { gdImageDestroy(im); return 0; } /* Check for open colors at the end, so we can reduce colorsTotal and ultimately BitsPerPixel */
@@ -275,6 +271,10 @@ terminated:
 break; } }
+ if (!im->colorsTotal) { gdImageDestroy(im); return 0; } return im; } /* }}} */
@@ -375,7 +375,7 @@ static int GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
 { int i, j, ret;
- unsigned char count;
+ int count; if (flag) { scd->curbit = 0;
-- 
1.9.1
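Review bot: The relocated `if (!im->colorsTotal)` check in the second hunk carries no comment saying why it must now sit after the open-color loop, and that ordering is the entire point of the move; a later tidy-up could hoist it back to the early-return position next to `if (!im)` and silently reopen the hole. The loop above it is described by the existing comment as reducing `colorsTotal`, so a palette that is empty only after trimming would previously have slipped through. Suggest adding above the new check `/* Must stay after the open-color trim: a palette left empty by it is invalid */`. The enclosing function starts outside the hunk, so the trimming loop body itself is not visible here.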
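Review bot: `int count;` in the GetCode_ hunk fixes the type but leaves no trace of why the narrower type was wrong, so a future cleanup may reintroduce `unsigned char` as a "fits in a byte" optimisation. Per the commit message this is the variable whose signedness confusion let a corrupt GIF loop forever; presumably it receives a negative error/EOF return from the data-block reader further down, which an `unsigned char` would wrap to a positive value and never satisfy the loop's exit test. Suggest `/* int, not unsigned char: must hold a negative error return, or a truncated stream never terminates (bug #75571 / CVE-2018-5711) */`. GetCode_'s body continues outside the hunk, so the read that assigns `count` is not visible here; it is worth confirming that every later test on `count` is a signed comparison (`<= 0` rather than `== 0`) so the negative value actually stops the loop.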