From 16882f721279a82a1c860ac689ce570b16fe26a0 Mon Sep 17 00:00:00 2001
From: Leon Scroggins III <scroggo@google.com>
Date: Fri, 3 Feb 2017 09:31:04 -0500
Subject: Fix out of bounds memory read in GIFMovie.cpp

Test: TODO (to be separately uploaded to CTS)

When decoding a GIF image, do not attempt to copy an index if it is out
of range.

BUG:33897722
Change-Id: I8c8ca69b00bf1f655e62bbe1798b9a47bf6699be
---
 src/images/SkMovie_gif.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/images/SkMovie_gif.cpp b/src/images/SkMovie_gif.cpp
index decefd5acc..9dedfc0aab 100644
--- a/src/images/SkMovie_gif.cpp
+++ b/src/images/SkMovie_gif.cpp
@@ -116,7 +116,7 @@ static void copyLine(uint32_t* dst, const unsigned char* src, const ColorMapObje
                      int transparent, int width)
 {
     for (; width > 0; width--, src++, dst++) {
-        if (*src != transparent) {
+        if (*src != transparent && *src < cmap->ColorCount) {
             const GifColorType& col = cmap->Colors[*src];
             *dst = SkPackARGB32(0xFF, col.Red, col.Green, col.Blue);
         }
-- 
cgit v1.2.3