image/gif: be stricter on parsing graphic control extensions.

See Section 23. Graphic Control Extension of the spec:
https://www.w3.org/Graphics/GIF/spec-gif89a.txt

Change-Id: Ie78b4ff4aa97e1b332ade67ae4fa25f7c0770610
Reviewed-on: https://go-review.googlesource.com/22547
Reviewed-by: Rob Pike <[email protected]>

Author: nigeltao

src/image/gif/reader.go

@@ -349,13 +349,19 @@ func (d *decoder) readGraphicControl() error {
 	if _, err := io.ReadFull(d.r, d.tmp[:6]); err != nil {
 		return fmt.Errorf("gif: can't read graphic control: %s", err)
 	}
+	if d.tmp[0] != 4 {
+		return fmt.Errorf("gif: invalid graphic control extension block size: %d", d.tmp[0])
+	}
 	flags := d.tmp[1]
 	d.disposalMethod = (flags & gcDisposalMethodMask) >> 2
 	d.delayTime = int(d.tmp[2]) | int(d.tmp[3])<<8
 	if flags&gcTransparentColorSet != 0 {
 		d.transparentIndex = d.tmp[4]
 		d.hasTransparentIndex = true
 	}
+	if d.tmp[5] != 0 {
+		return fmt.Errorf("gif: invalid graphic control extension block terminator: %d", d.tmp[5])
+	}
 	return nil
 }
 

src/image/gif/reader_test.go

@@ -97,7 +97,7 @@ func TestTransparentIndex(t *testing.T) {
 	for transparentIndex := 0; transparentIndex < 3; transparentIndex++ {
 		if transparentIndex < 2 {
 			// Write the graphic control for the transparent index.
-			b.WriteString("\x21\xf9\x00\x01\x00\x00")
+			b.WriteString("\x21\xf9\x04\x01\x00\x00")
 			b.WriteByte(byte(transparentIndex))
 			b.WriteByte(0)
 		}