libnsgif: Fix null pointer deref on frameless GIF input

A crafted GIF file with no frame data could cause a null pointer dereference leading to denial of service (crash). Reported by @JieyongMa via huntr.dev.
hpjansson · Apr 24, 2022 · e4b777c · e4b777c
1 parent 8645008
commit e4b777c
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/libnsgif/libnsgif.c b/libnsgif/libnsgif.c
@@ -595,6 +595,12 @@ gif_internal_decode_frame(gif_animation *gif,
         unsigned int x, y, decode_y, burst_bytes;
         register unsigned char colour;
 
+        /* If the GIF has no frame data, frame holders will not be allocated in
+         * gif_initialise() */
+        if (gif->frames == NULL) {
+                return GIF_INSUFFICIENT_DATA;
+        }
+
         /* Ensure this frame is supposed to be decoded */
         if (gif->frames[frame].display == false) {
                 return GIF_OK;