Backported for 5.4 without test and binary patch
From 8d6e9588671136837533fe3785657c31c5b52767 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Wed, 29 Nov 2017 18:52:33 +0100
Subject: [PATCH] Fixed bug #75571: Potential infinite loop in gdImageCreateFromGifCtx
Due to a signedness confusion in `GetCode_` a corrupt GIF file can trigger an infinite loop. Furthermore we make sure that a GIF without any palette entries is treated as invalid *after* open palette entries have been removed.
---
 ext/gd/libgd/gd_gif_in.c | 10 +++++-----
 ext/gd/tests/bug75571.gif | Bin 0 -> 1731 bytes
 ext/gd/tests/bug75571.phpt | 15 +++++++++++++++
 3 files changed, 20 insertions(+), 5 deletions(-)
 create mode 100644 ext/gd/tests/bug75571.gif
 create mode 100644 ext/gd/tests/bug75571.phpt
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index e0f0fe3..16776d3 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -261,10 +261,6 @@ terminated:
 if (!im) {
 return 0;
 }
- if (!im->colorsTotal) {
- gdImageDestroy(im);
- return 0;
- }
 /* Check for open colors at the end, so we can reduce colorsTotal and ultimately BitsPerPixel */
@@ -275,6 +271,10 @@ terminated:
 break;
 }
 }
+ if (!im->colorsTotal) {
+ gdImageDestroy(im);
+ return 0;
+ }
 return im;
 } /* }}} */
@@ -375,7 +375,7 @@ static int GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) {
 int i, j, ret;
- unsigned char count;
+ int count;
 if (flag) {
 scd->curbit = 0;
--
2.1.4
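Review bot: The relocated `if (!im->colorsTotal)` test carries no comment saying why it must sit after the open-colour trimming loop rather than before it, which is exactly the ordering a future tidy-up would undo and thereby reopen the bug the commit message describes. I would put `/* Must stay after the open-colour trim above: a palette whose entries were all open only becomes empty here. */` on the line above the check. The loop that reduces colorsTotal starts outside this hunk, so its effect is inferred from the commit description rather than from visible lines; gdImageCreateFromGifCtx itself also begins outside the hunk.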
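Review bot: `int count;` fixes the signedness problem only at the declaration, and nothing in the hunk records why the wider signed type is required, so a later cleanup could shrink it back to `unsigned char` and silently reintroduce the infinite loop. The commit message attributes the loop to a negative value being lost in the unsigned type, so I would pin that down in place with `int count; /* signed on purpose: a negative read result must survive so the error check below can fire */`, worded to match whatever the helper that fills `count` actually returns, since its call site and the check are outside this hunk. Because this backport drops bug75571.phpt and its GIF fixture, a crafted GIF exercising this path should still be kept somewhere before merging. GetCode_'s body continues beyond the hunk.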