Gif decoder: fix read error caused by ub check

The recently added check to avoid negative-bitshift ub ignored that
the algorithm will sometimes use a negative bitcount value as a
flag. This caused reading failure for some frames.

Fixes: QTBUG-86702
Change-Id: I4c247a7eb6102f9b51cc8ac708c60db80d609e38
Reviewed-by: Lars Knoll <lars.knoll@qt.io>
(cherry picked from commit f1c1f444811643acda66aaeb21a9e73a8e60e830)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>

1 files changed, 7 insertions, 5 deletions

diff --git a/src/plugins/imageformats/gif/qgifhandler.cpp b/src/plugins/imageformats/gif/qgifhandler.cpp
index e7bd16a5fb..c0d4c71f7a 100644
--- a/src/plugins/imageformats/gif/qgifhandler.cpp
+++ b/src/plugins/imageformats/gif/qgifhandler.cpp
@@ -490,12 +490,14 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
             break;
           case ImageDataBlock:
             count++;
-            if (bitcount < 0 || bitcount > 31) {
-                state = Error;
-                return -1;
+            if (bitcount != -32768) {
+                if (bitcount < 0 || bitcount > 31) {
+                    state = Error;
+                    return -1;
+                }
+                accum |= (ch << bitcount);
+                bitcount += 8;
             }
-            accum|=(ch<<bitcount);
-            bitcount+=8;
             while (bitcount>=code_size && state==ImageDataBlock) {
                 int code=accum&((1<<code_size)-1);
                 bitcount-=code_size;