From f142b9fff4665e81e5272d735b4fb29452e1f6a4 Mon Sep 17 00:00:00 2001
From: "martijn.martijn@gmail.com"
Date: Wed, 12 Dec 2007 08:56:39 -0800
Subject: [PATCH] Bug 403578 - glibc detected firefox-bin: malloc(): memory corruption, patch by Alfred Kayser, r=pavlov, sr=tor, a=blocking1.9
---
modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp b/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp
index 01fd8d37fdc9..edca72965a09 100644
--- a/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp
+++ b/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp
@@ -1010,7 +1010,12 @@ nsresult nsGIFDecoder2::GifWrite(const PRUint8 *buf, PRUint32 len)
 PRUint32 depth = mGIFStruct.global_colormap_depth;
 if (q[8] & 0x80)
 depth = (q[8]&0x07) + 1;
- BeginImageFrame(depth);
+ // Make sure the transparent pixel is within colormap space
+ PRUint32 realDepth = depth;
+ while (mGIFStruct.tpixel >= (1 << realDepth) && (realDepth < 8)) {
+ realDepth++;
+ }
+ BeginImageFrame(realDepth);
 // handle allocation error
 if (!mImageFrame) {
@@ -1058,6 +1063,10 @@ nsresult nsGIFDecoder2::GifWrite(const PRUint8 *buf, PRUint32 len)
 mColormap = mGIFStruct.local_colormap;
 }
 const PRUint32 size = 3 << depth;
+ // Clear the notfilled part of the colormap
+ if (realDepth > depth) {
+ memset(mColormap + size, 0, (3<
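Review bot: In the first hunk (`@@ -1010,7 +1010,12 @@`), the loop that widens `realDepth` stops at `realDepth < 8`, so the transparent index is only guaranteed to fit the colormap if `mGIFStruct.tpixel` can never exceed 255; neither its type nor the place where it is parsed is visible here. I would state that bound next to the loop, for example `// tpixel is a single byte from the GIF stream, so depth 8 always covers it` (to be confirmed against the parser), or clamp the index if the bound is not guaranteed. The widening also appears to run for every frame without checking whether the frame declares transparency, so a leftover `tpixel` from an earlier frame could enlarge the palette for no reason. `GifWrite` begins and ends outside the hunk, and the second hunk is cut off in this view, so the `memset` over the unfilled colormap tail is not assessed here.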