Check invalid color index

[Issue]
  A crash occurred while processing black-and-white(ColorMapObject's ColorCount is 2) image.

Change-Id: I30cc793e65e357fe12407dc870f6a48279e38683

diff --git a/gif/mm_util_gif.c b/gif/mm_util_gif.c
index 67a098b263e3ef8b2e6c63f4d2d3517efc50183a..96d103efc2d2fcc7c1d72c90387cbd0373f03f6c 100644 (file)
--- a/gif/mm_util_gif.c
+++ b/gif/mm_util_gif.c
@@ -198,12 +198,16 @@ static int __gif_convert_to_rgba(void **data, ColorMapObject *color_map, GifRowT
        if (!mm_util_is_proper_image_size(data_size))
                return MM_UTIL_ERROR_OUT_OF_MEMORY;
 
-       *data = g_malloc0(data_size);
-
-       buffer = (GifByteType *) *data;
+       buffer = g_new0(GifByteType, data_size);
        for (i = 0; i < height; i++) {
                gif_row = frame_buffer[i];
                for (j = 0; j < width; j++) {
+                       if (gif_row[j] >= color_map->ColorCount) {
+                               mm_util_error("invalid color index=%d, color count=%d", gif_row[j], color_map->ColorCount);
+                               g_free(buffer);
+                               return MM_UTIL_ERROR_INVALID_OPERATION;
+                       }
+
                        color_map_entry = &color_map->Colors[gif_row[j]];
                        *buffer++ = color_map_entry->Red;
                        *buffer++ = color_map_entry->Green;
@@ -212,6 +216,8 @@ static int __gif_convert_to_rgba(void **data, ColorMapObject *color_map, GifRowT
                }
        }
 
+       *data = buffer;
+
        return MM_UTIL_ERROR_NONE;
 }