From da93119c3db207f67d9c6948733f2f4300de81e3 Mon Sep 17 00:00:00 2001
From: Seth Fowler <mark.seth.fowler@gmail.com>
Date: Thu, 14 May 2015 15:19:39 -0700
Subject: [PATCH] Bug 1160801 - Treat invalid GIF disposal methods as
 DisposalMethod::NOT_SPECIFIED. r=jrmuizel

---
 image/decoders/nsGIFDecoder2.cpp                  |   9 +++++++--
 image/test/crashtests/crashtests.list             |   5 +++++
 .../test/crashtests/invalid-disposal-method-1.gif | Bin 0 -> 167 bytes
 .../test/crashtests/invalid-disposal-method-2.gif | Bin 0 -> 167 bytes
 .../test/crashtests/invalid-disposal-method-3.gif | Bin 0 -> 167 bytes
 5 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 image/test/crashtests/invalid-disposal-method-1.gif
 create mode 100644 image/test/crashtests/invalid-disposal-method-2.gif
 create mode 100644 image/test/crashtests/invalid-disposal-method-3.gif

diff --git a/image/decoders/nsGIFDecoder2.cpp b/image/decoders/nsGIFDecoder2.cpp
index 0e7b346912e..633551df593 100644
--- a/image/decoders/nsGIFDecoder2.cpp
+++ b/image/decoders/nsGIFDecoder2.cpp
@@ -824,10 +824,15 @@ nsGIFDecoder2::WriteInternal(const char* aBuffer, uint32_t aCount)
       mGIFStruct.is_transparent = *q & 0x1;
       mGIFStruct.tpixel = q[3];
       mGIFStruct.disposal_method = ((*q) >> 2) & 0x7;
-      // Some specs say 3rd bit (value 4), other specs say value 3
-      // Let's choose 3 (the more popular)
+
       if (mGIFStruct.disposal_method == 4) {
+        // Some specs say 3rd bit (value 4), other specs say value 3.
+        // Let's choose 3 (the more popular).
         mGIFStruct.disposal_method = 3;
+      } else if (mGIFStruct.disposal_method > 4) {
+        // This GIF is using a disposal method which is undefined in the spec.
+        // Treat it as DisposalMethod::NOT_SPECIFIED.
+        mGIFStruct.disposal_method = 0;
       }
 
       {
diff --git a/image/test/crashtests/crashtests.list b/image/test/crashtests/crashtests.list
index b03a27a299a..59a3d14fff3 100644
--- a/image/test/crashtests/crashtests.list
+++ b/image/test/crashtests/crashtests.list
@@ -47,3 +47,8 @@ load multiple-png-hassize.ico
 load 856616.gif
 
 skip-if(AddressSanitizer) skip-if(B2G) load 944353.jpg
+
+# Bug 1160801: Ensure that we handle invalid disposal types.
+load invalid-disposal-method-1.gif
+load invalid-disposal-method-2.gif
+load invalid-disposal-method-3.gif
diff --git a/image/test/crashtests/invalid-disposal-method-1.gif b/image/test/crashtests/invalid-disposal-method-1.gif
new file mode 100644
index 0000000000000000000000000000000000000000..30c61de188b9c63ea179c008c5171efad638f853
GIT binary patch
literal 167
zcmZ?wbhEHb)L_tH_{hW{sr6rbBl~|aQ2fav!o|SAp!iSFxhOTUBsE2$JhLQ2!QIn0
zfI$Z+0o0<wz`&&5)4%fcTmHp!w%qF8d~eTh{<cRR)1GxMdv$8tJMQD3e6D}%eg5m5
TGAjenKn9S3$a-6d)N2g@jDbj5

literal 0
HcmV?d00001

diff --git a/image/test/crashtests/invalid-disposal-method-2.gif b/image/test/crashtests/invalid-disposal-method-2.gif
new file mode 100644
index 0000000000000000000000000000000000000000..66158d81a90b670d28b258a22f87f037542122f0
GIT binary patch
literal 167
zcmZ?wbhEHb)L_tH_{hW{sr6rbBl~|aQ2fav!NtJ9p!iSFxhOTUBsE2$JhLQ2!QIn0
zfI$Z+0o0<wz`&&5)4%fcTmHp!w%qF8d~eTh{<cRR)1GxMdv$8tJMQD3e6D}%eg5m5
TGAjenKn9S3$a-6d)N2g@j;%;t

literal 0
HcmV?d00001

diff --git a/image/test/crashtests/invalid-disposal-method-3.gif b/image/test/crashtests/invalid-disposal-method-3.gif
new file mode 100644
index 0000000000000000000000000000000000000000..0da0723773e1b6c4f3d4e9df6d47ebe753f6c087
GIT binary patch
literal 167
zcmZ?wbhEHb)L_tH_{hW{sr6rbBl~|aQ2fav!^ObBp!iSFxhOTUBsE2$JhLQ2!QIn0
zfI$Z+0o0<wz`&&5)4%fcTmHp!w%qF8d~eTh{<cRR)1GxMdv$8tJMQD3e6D}%eg5m5
TGAjenKn9S3$a-6d)N2g@kl9FK

literal 0
HcmV?d00001