gifdec: check ff_lzw_decode_init() return value, fix out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c
index 3e7799f..2a61090 100644 (file)
--- a/libavcodec/gifdec.c
+++ b/libavcodec/gifdec.c
@@ -67,6 +67,7 @@ static int gif_read_image(GifState *s)
     int left, top, width, height, bits_per_pixel, code_size, flags;
     int is_interleaved, has_local_palette, y, pass, y1, linesize, n, i;
     uint8_t *ptr, *spal, *palette, *ptr1;
+    int ret;
 
     left = bytestream_get_le16(&s->bytestream);
     top = bytestream_get_le16(&s->bytestream);
@@ -107,8 +108,11 @@ static int gif_read_image(GifState *s)
 
     /* now get the image data */
     code_size = bytestream_get_byte(&s->bytestream);
-    ff_lzw_decode_init(s->lzw, code_size, s->bytestream,
-                       s->bytestream_end - s->bytestream, FF_LZW_GIF);
+    if ((ret = ff_lzw_decode_init(s->lzw, code_size, s->bytestream,
+                       s->bytestream_end - s->bytestream, FF_LZW_GIF)) < 0) {
+        av_log(s->avctx, AV_LOG_ERROR, "LZW init failed\n");
+        return ret;
+    }
 
     /* read all the image */
     linesize = s->picture.linesize[0];