Fixed bug #75571: Potential infinite loop in gdImageCreateFromGifCtx

Due to a signedness confusion in `GetCode_` a corrupt GIF file can
trigger an infinite loop.  Furthermore we make sure that a GIF without
any palette entries is treated as invalid *after* open palette entries
have been removed.

Author: cmb69

ext/gd/libgd/gd_gif_in.c

@@ -261,10 +261,6 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
 	if (!im) {
 		return 0;
 	}
-	if (!im->colorsTotal) {
-		gdImageDestroy(im);
-		return 0;
-	}
 	/* Check for open colors at the end, so
 	   we can reduce colorsTotal and ultimately
 	   BitsPerPixel */
@@ -275,6 +271,10 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
 			break;
 		}
 	}
+	if (!im->colorsTotal) {
+		gdImageDestroy(im);
+		return 0;
+	}
 	return im;
 }
 /* }}} */
@@ -375,7 +375,7 @@ static int
 GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
 {
 	int           i, j, ret;
-	unsigned char count;
+	int           count;
 
 	if (flag) {
 		scd->curbit = 0;

ext/gd/tests/bug75571.gif

@@ -0,0 +1,15 @@
+--TEST--
+Bug #75571 (Infinite loop in GIF reading causing DoS)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgif(__DIR__ . '/bug75571.gif'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgif(): '%s' is not a valid GIF file in %s on line %d
+bool(false)
+===DONE===