From: Marius Kamm <marius.kamm@protonmail.com> The GIF LZW decompressor writes a new table entry at index RunningCode-2 for every code while LastCode != NO_SUCH_CODE. Once the table is full, DGifDecompressInput freezes RunningCode at LZ_MAX_CODE+2, so RunningCode-2 stays at 4095 and every subsequent code overwrites the already-valid entry 4095. For a GIF that fills the 4096-entry table and keeps emitting codes before a clear code, a later code whose prefix chain runs through the corrupted entry then produces CrntPrefix > LZ_MAX_CODE / j >= LZ_MAX_CODE, so DGifDecompressLine returns GIF_ERROR and the whole image fails to load. Native Windows decodes such files correctly. Only define a table entry while it is still empty, matching giflib, which keeps the full table intact until a clear code arrives. Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=59887 --- dlls/windowscodecs/ungif.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dlls/windowscodecs/ungif.c b/dlls/windowscodecs/ungif.c index c994bad6bcb..6737958a574 100644 --- a/dlls/windowscodecs/ungif.c +++ b/dlls/windowscodecs/ungif.c @@ -740,7 +740,9 @@ DGifDecompressLine(GifFileType * GifFile, while (StackPtr != 0 && i < LineLen) Line[i++] = Stack[--StackPtr]; } - if (LastCode != NO_SUCH_CODE) { + if (LastCode != NO_SUCH_CODE && + Private->RunningCode - 2 < (LZ_MAX_CODE + 1) && + Prefix[Private->RunningCode - 2] == NO_SUCH_CODE) { Prefix[Private->RunningCode - 2] = LastCode; if (CrntCode == Private->RunningCode - 2) { -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/11209