fix potential undefined behavior in cgif_addframe

  CVE-2026-4985

1 files changed, 31 insertions, 0 deletions

diff --git a/CVE-2026-4985.patch b/CVE-2026-4985.patch
new file mode 100644
index 0000000..12b538b
--- /dev/null
+++ b/CVE-2026-4985.patch
@@ -0,0 +1,31 @@
+From a9ecd7a129f3f7177dfec3e0e7b48c87131ac410 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20L=C3=B6bl?= <dloebl.2000@gmail.com>
+Date: Mon, 30 Mar 2026 13:04:27 +0200
+Subject: [PATCH] fix potential undefined behavior in cgif_addframe (#112)
+
+---
+ src/cgif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/cgif.c b/src/cgif.c
+index 7190a1f..d526aee 100644
+--- a/src/cgif.c
++++ b/src/cgif.c
+@@ -480,7 +480,7 @@ static void copyFrameConfig(CGIF_FrameConfig* pDest, CGIF_FrameConfig* pSrc) {
+ int cgif_addframe(CGIF* pGIF, CGIF_FrameConfig* pConfig) {
+   CGIF_Frame* pNewFrame;
+   int         hasAlpha, hasSetTransp;
+-  int         i;
++  uint32_t    i;
+   cgif_result r;
+ 
+   // check for previous errors
+@@ -518,7 +518,7 @@ int cgif_addframe(CGIF* pGIF, CGIF_FrameConfig* pConfig) {
+           sameFrame = 0;
+         }
+       } else {
+-        for(i = 0; i < pGIF->config.width * pGIF->config.height; i++) {
++        for(i = 0; i < MULU16(pGIF->config.width, pGIF->config.height); i++) {
+           if(cmpPixel(pGIF, pConfig, &pGIF->aFrames[pGIF->iHEAD]->config, pConfig->pImageData[i], pGIF->aFrames[pGIF->iHEAD]->config.pImageData[i])) {
+             sameFrame = 0;
+             break;