Bug 408310 - "20071213 trunk crash when visiting protopage.com @ all platforms" (Make sure to use the right paletteSize to prevent crashes) [p=alfredkayser@nl.ibm.com (Alfred Kayser) r=stuart sr=tor a=blocking1.9+]

modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp

@@ -1044,17 +1044,17 @@ nsresult nsGIFDecoder2::GifWrite(const PRUint8 *buf, PRUint32 len)
       if (q[8] & 0x80) /* has a local colormap? */
       {
         mGIFStruct.local_colormap_size = 1 << depth;
+        PRUint32 paletteSize;
         if (mGIFStruct.images_decoded) {
           // Copy directly into the palette of current frame,
           // by pointing mColormap to that palette.
-          PRUint32 paletteSize;
           mImageFrame->GetPaletteData(&mColormap, &paletteSize);
         } else {
           // First frame has local colormap, allocate space for it
           // as the image frame doesn't have its own palette
+          paletteSize = sizeof(PRUint32) << realDepth;
           if (!mGIFStruct.local_colormap) {
-            mGIFStruct.local_colormap = 
-  			  (PRUint32*)PR_MALLOC(mGIFStruct.local_colormap_size * sizeof(PRUint32));
+            mGIFStruct.local_colormap = (PRUint32*)PR_MALLOC(paletteSize);
             if (!mGIFStruct.local_colormap) {
               mGIFStruct.state = gif_oom;
               break;
@@ -1063,9 +1063,9 @@ nsresult nsGIFDecoder2::GifWrite(const PRUint8 *buf, PRUint32 len)
           mColormap = mGIFStruct.local_colormap;
         }
         const PRUint32 size = 3 << depth;
-        // Clear the notfilled part of the colormap
-        if (realDepth > depth) {
-          memset(mColormap + size, 0, (3<<realDepth) - size);
+        if (paletteSize > size) {
+          // Clear the notfilled part of the colormap
+          memset(((PRUint8*)mColormap) + size, 0, paletteSize - size);
         }
         if (len < size) {
           // Use 'hold' pattern to get the image colormap