From f048d38d380ef042bb1b5f3a2e5ecc729a5c826a Mon Sep 17 00:00:00 2001
From: James Zern <jzern@google.com>
Date: Mon, 31 Oct 2016 12:56:04 -0700
Subject: [PATCH] gifdec,Remap: avoid out of bounds colormap read

sanitize the requested length to be read against the reported size of
the table

BUG=webp:316

Change-Id: I1c471e93ab696a9d21a0142cf1987ffcf8f55dd2
---
 examples/gifdec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/examples/gifdec.c b/examples/gifdec.c
index f921c0a4..feb84e6e 100644
--- a/examples/gifdec.c
+++ b/examples/gifdec.c
@@ -87,7 +87,8 @@ static void Remap(const GifFileType* const gif, const uint8_t* const src,
   const GifColorType* colors;
   const ColorMapObject* const cmap =
       gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap;
-  if (cmap == NULL) return;
+  if (cmap == NULL || cmap->Colors == NULL) return;
+  if (len > cmap->ColorCount) len = cmap->ColorCount;
   colors = cmap->Colors;
 
   for (i = 0; i < len; ++i) {