From 78e5b6c19d45b3083b8160cde0b90cd072bead06 Mon Sep 17 00:00:00 2001
From: James Jackson-South <james_south@hotmail.com>
Date: Mon, 21 Feb 2022 18:39:29 +1100
Subject: [PATCH] Throw for corrupt  LZW min code. Add test for deferred clear
 code

---
 ImageSharp.sln                                |  7 +++++
 src/ImageSharp/Formats/Gif/GifDecoderCore.cs  |  4 +--
 src/ImageSharp/Formats/Gif/LzwDecoder.cs      | 26 ++++++++++++-------
 .../Formats/Gif/GifDecoderTests.cs            | 17 ++++++++++++
 tests/ImageSharp.Tests/TestImages.cs          |  1 +
 ...2012BadMinCode_Rgba32_issue2012_drona1.png |  3 ---
 ...eferredClearCode_Rgba32_bugzilla-55918.png |  3 +++
 .../Input/Gif/issues/bugzilla-55918.gif       |  3 +++
 8 files changed, 50 insertions(+), 14 deletions(-)
 delete mode 100644 tests/Images/External/ReferenceOutput/GifDecoderTests/Issue2012BadMinCode_Rgba32_issue2012_drona1.png
 create mode 100644 tests/Images/External/ReferenceOutput/GifDecoderTests/IssueDeferredClearCode_Rgba32_bugzilla-55918.png
 create mode 100644 tests/Images/Input/Gif/issues/bugzilla-55918.gif

diff --git a/ImageSharp.sln b/ImageSharp.sln
index 17d293b43..5428f3394 100644
--- a/ImageSharp.sln
+++ b/ImageSharp.sln
@@ -142,6 +142,13 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Gif", "Gif", "{EE3FB0B3-1C3
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "issues", "issues", "{BF8DFDC1-CEE5-4A37-B216-D3085360C776}"
 	ProjectSection(SolutionItems) = preProject
+		tests\Images\Input\Gif\issues\bugzilla-55918.gif = tests\Images\Input\Gif\issues\bugzilla-55918.gif
+		tests\Images\Input\Gif\issues\issue1505_argumentoutofrange.png = tests\Images\Input\Gif\issues\issue1505_argumentoutofrange.png
+		tests\Images\Input\Gif\issues\issue1530.gif = tests\Images\Input\Gif\issues\issue1530.gif
+		tests\Images\Input\Gif\issues\issue1668_invalidcolorindex.gif = tests\Images\Input\Gif\issues\issue1668_invalidcolorindex.gif
+		tests\Images\Input\Gif\issues\issue1962_tiniest_gif_1st.gif = tests\Images\Input\Gif\issues\issue1962_tiniest_gif_1st.gif
+		tests\Images\Input\Gif\issues\issue2012_drona1.gif = tests\Images\Input\Gif\issues\issue2012_drona1.gif
+		tests\Images\Input\Gif\issues\issue2012_Stronghold-Crusader-Extreme-Cover.gif = tests\Images\Input\Gif\issues\issue2012_Stronghold-Crusader-Extreme-Cover.gif
 		tests\Images\Input\Gif\issues\issue403_baddescriptorwidth.gif = tests\Images\Input\Gif\issues\issue403_baddescriptorwidth.gif
 		tests\Images\Input\Gif\issues\issue405_badappextlength252-2.gif = tests\Images\Input\Gif\issues\issue405_badappextlength252-2.gif
 		tests\Images\Input\Gif\issues\issue405_badappextlength252.gif = tests\Images\Input\Gif\issues\issue405_badappextlength252.gif
diff --git a/src/ImageSharp/Formats/Gif/GifDecoderCore.cs b/src/ImageSharp/Formats/Gif/GifDecoderCore.cs
index 98e012658..16dca3324 100644
--- a/src/ImageSharp/Formats/Gif/GifDecoderCore.cs
+++ b/src/ImageSharp/Formats/Gif/GifDecoderCore.cs
@@ -410,9 +410,9 @@ namespace SixLabors.ImageSharp.Formats.Gif
         [MethodImpl(MethodImplOptions.AggressiveInlining)]
         private void ReadFrameIndices(Buffer2D<byte> indices)
         {
-            int dataSize = this.stream.ReadByte();
+            int minCodeSize = this.stream.ReadByte();
             using var lzwDecoder = new LzwDecoder(this.Configuration.MemoryAllocator, this.stream);
-            lzwDecoder.DecodePixels(dataSize, indices);
+            lzwDecoder.DecodePixels(minCodeSize, indices);
         }
 
         /// <summary>
diff --git a/src/ImageSharp/Formats/Gif/LzwDecoder.cs b/src/ImageSharp/Formats/Gif/LzwDecoder.cs
index 8bb52b637..470929c4a 100644
--- a/src/ImageSharp/Formats/Gif/LzwDecoder.cs
+++ b/src/ImageSharp/Formats/Gif/LzwDecoder.cs
@@ -64,17 +64,22 @@ namespace SixLabors.ImageSharp.Formats.Gif
         /// <summary>
         /// Decodes and decompresses all pixel indices from the stream.
         /// </summary>
-        /// <param name="dataSize">Size of the data.</param>
+        /// <param name="minCodeSize">Minimum code size of the data.</param>
         /// <param name="pixels">The pixel array to decode to.</param>
-        public void DecodePixels(int dataSize, Buffer2D<byte> pixels)
+        public void DecodePixels(int minCodeSize, Buffer2D<byte> pixels)
         {
-            // Calculate the clear code. The value of the clear code is 2 ^ dataSize
-            int clearCode = 1 << dataSize;
-            if (clearCode > MaxStackSize)
+            // Calculate the clear code. The value of the clear code is 2 ^ minCodeSize
+            int clearCode = 1 << minCodeSize;
+
+            // It is possible to specify a larger LZW minimum code size than the palette length in bits
+            // which may leave a gap in the codes where no colors are assigned.
+            // http://www.matthewflickinger.com/lab/whatsinagif/lzw_image_data.asp#lzw_compression
+            if (minCodeSize < 2 || clearCode > MaxStackSize)
             {
                 // Don't attempt to decode the frame indices.
-                // The image is most likely corrupted.
-                return;
+                // Theoretically we could determine a min code size from the length of the provided
+                // color palette but we won't bother since the image is most likely corrupted.
+                ThrowBadMinimumCode();
             }
 
             // The resulting index table length.
@@ -82,7 +87,7 @@ namespace SixLabors.ImageSharp.Formats.Gif
             int height = pixels.Height;
             int length = width * height;
 
-            int codeSize = dataSize + 1;
+            int codeSize = minCodeSize + 1;
 
             // Calculate the end code
             int endCode = clearCode + 1;
@@ -169,7 +174,7 @@ namespace SixLabors.ImageSharp.Formats.Gif
                     if (code == clearCode)
                     {
                         // Reset the decoder
-                        codeSize = dataSize + 1;
+                        codeSize = minCodeSize + 1;
                         codeMask = (1 << codeSize) - 1;
                         availableCode = clearCode + 2;
                         oldCode = NullCode;
@@ -258,5 +263,8 @@ namespace SixLabors.ImageSharp.Formats.Gif
             this.suffix.Dispose();
             this.pixelStack.Dispose();
         }
+
+        [MethodImpl(InliningOptions.ColdPath)]
+        public static void ThrowBadMinimumCode() => throw new InvalidImageContentException("Gif Image does not contain a valid LZW minimum code.");
     }
 }
diff --git a/tests/ImageSharp.Tests/Formats/Gif/GifDecoderTests.cs b/tests/ImageSharp.Tests/Formats/Gif/GifDecoderTests.cs
index 289bf6a4f..30bcb7255 100644
--- a/tests/ImageSharp.Tests/Formats/Gif/GifDecoderTests.cs
+++ b/tests/ImageSharp.Tests/Formats/Gif/GifDecoderTests.cs
@@ -277,6 +277,23 @@ namespace SixLabors.ImageSharp.Tests.Formats.Gif
         [WithFile(TestImages.Gif.Issues.Issue2012BadMinCode, PixelTypes.Rgba32)]
         public void Issue2012BadMinCode<TPixel>(TestImageProvider<TPixel> provider)
             where TPixel : unmanaged, IPixel<TPixel>
+        {
+            Exception ex = Record.Exception(
+                () =>
+                {
+                    using Image<TPixel> image = provider.GetImage();
+                    image.DebugSave(provider);
+                });
+
+            Assert.NotNull(ex);
+            Assert.Contains("Gif Image does not contain a valid LZW minimum code.", ex.Message);
+        }
+
+        // https://bugzilla.mozilla.org/show_bug.cgi?id=55918
+        [Theory]
+        [WithFile(TestImages.Gif.Issues.DeferredClearCode, PixelTypes.Rgba32)]
+        public void IssueDeferredClearCode<TPixel>(TestImageProvider<TPixel> provider)
+            where TPixel : unmanaged, IPixel<TPixel>
         {
             using Image<TPixel> image = provider.GetImage();
 
diff --git a/tests/ImageSharp.Tests/TestImages.cs b/tests/ImageSharp.Tests/TestImages.cs
index 6ff116225..6fbf584d8 100644
--- a/tests/ImageSharp.Tests/TestImages.cs
+++ b/tests/ImageSharp.Tests/TestImages.cs
@@ -448,6 +448,7 @@ namespace SixLabors.ImageSharp.Tests
                 public const string BadAppExtLength = "Gif/issues/issue405_badappextlength252.gif";
                 public const string BadAppExtLength_2 = "Gif/issues/issue405_badappextlength252-2.gif";
                 public const string BadDescriptorWidth = "Gif/issues/issue403_baddescriptorwidth.gif";
+                public const string DeferredClearCode = "Gif/issues/bugzilla-55918.gif";
                 public const string Issue1505 = "Gif/issues/issue1505_argumentoutofrange.png";
                 public const string Issue1530 = "Gif/issues/issue1530.gif";
                 public const string InvalidColorIndex = "Gif/issues/issue1668_invalidcolorindex.gif";
diff --git a/tests/Images/External/ReferenceOutput/GifDecoderTests/Issue2012BadMinCode_Rgba32_issue2012_drona1.png b/tests/Images/External/ReferenceOutput/GifDecoderTests/Issue2012BadMinCode_Rgba32_issue2012_drona1.png
deleted file mode 100644
index 5e23f5528..000000000
--- a/tests/Images/External/ReferenceOutput/GifDecoderTests/Issue2012BadMinCode_Rgba32_issue2012_drona1.png
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cf4bc93479140b05b25066eb10c33fa9f82c617828a56526d47f5a8c72035ef0
-size 1871
diff --git a/tests/Images/External/ReferenceOutput/GifDecoderTests/IssueDeferredClearCode_Rgba32_bugzilla-55918.png b/tests/Images/External/ReferenceOutput/GifDecoderTests/IssueDeferredClearCode_Rgba32_bugzilla-55918.png
new file mode 100644
index 000000000..b5769c2c4
--- /dev/null
+++ b/tests/Images/External/ReferenceOutput/GifDecoderTests/IssueDeferredClearCode_Rgba32_bugzilla-55918.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6b33733518b855b25c5e9a1b2f5c93cacf0699a40a459dde795b0ed91a978909
+size 12776
diff --git a/tests/Images/Input/Gif/issues/bugzilla-55918.gif b/tests/Images/Input/Gif/issues/bugzilla-55918.gif
new file mode 100644
index 000000000..929ea67c3
--- /dev/null
+++ b/tests/Images/Input/Gif/issues/bugzilla-55918.gif
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d11148669a093c2e39be62bc3482c5863362d28c03c7f26c5a2386d5de28c339
+size 14551