Bug 403578 - glibc detected firefox-bin: malloc(): memory corruption, patch by Alfred Kayser, r=pavlov, sr=tor, a=blocking1.9

modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp

@@ -1010,7 +1010,12 @@ nsresult nsGIFDecoder2::GifWrite(const PRUint8 *buf, PRUint32 len)
       PRUint32 depth = mGIFStruct.global_colormap_depth;
       if (q[8] & 0x80)
         depth = (q[8]&0x07) + 1;
-      BeginImageFrame(depth);
+      // Make sure the transparent pixel is within colormap space
+      PRUint32 realDepth = depth;
+      while (mGIFStruct.tpixel >= (1 << realDepth) && (realDepth < 8)) {
+        realDepth++;
+      } 
+      BeginImageFrame(realDepth);
       
       // handle allocation error
       if (!mImageFrame) {
@@ -1058,6 +1063,10 @@ nsresult nsGIFDecoder2::GifWrite(const PRUint8 *buf, PRUint32 len)
           mColormap = mGIFStruct.local_colormap;
         }
         const PRUint32 size = 3 << depth;
+        // Clear the notfilled part of the colormap
+        if (realDepth > depth) {
+          memset(mColormap + size, 0, (3<<realDepth) - size);
+        }
         if (len < size) {
           // Use 'hold' pattern to get the image colormap
           GETN(size, gif_image_colormap);