From 11ea831e84a6229606d17d31b5c2be77dce2d4c4 Mon Sep 17 00:00:00 2001
From: treeform
Date: Thu, 30 Apr 2026 08:49:08 -0700
Subject: [PATCH] Fix GIF background color index bounds
---
 src/pixie/fileformats/gif.nim | 2 +-
 tests/test_gif.nim | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/pixie/fileformats/gif.nim b/src/pixie/fileformats/gif.nim
index 7adfa785..d3b330f7 100644
--- a/src/pixie/fileformats/gif.nim
+++ b/src/pixie/fileformats/gif.nim
@@ -41,7 +41,7 @@ proc decodeGif*(data: string): Gif {.raises: [PixieError].} =
 bgColorIndex = data.readUint8(11).int
 pixelAspectRatio = data.readUint8(12)
- if bgColorIndex > globalColorTableSize:
+ if bgColorIndex >= globalColorTableSize:
 failInvalid()
 if pixelAspectRatio != 0:
diff --git a/tests/test_gif.nim b/tests/test_gif.nim
index 6c724fd5..455ff25e 100644
--- a/tests/test_gif.nim
+++ b/tests/test_gif.nim
@@ -35,3 +35,20 @@ block:
 decodeGif(readFile("tests/fileformats/gif/newtons_cradle.gif"))
 doAssert animatedGif.frames.len == 36
 doAssert animatedGif.intervals.len == animatedGif.frames.len
+
+block:
+ proc addLe16(data: var string, value: int) =
+ data.add(char(value and 0xff))
+ data.add(char((value shr 8) and 0xff))
+
+ var payload = "GIF89a"
+ payload.addLe16(1)
+ payload.addLe16(1)
+ payload.add(char(0x80)) # Global color table present, size = 2 entries.
+ payload.add(char(0x02)) # One past the last valid color table index.
+ payload.add(char(0x00))
+ payload.add("\x00\x00\x00\xff\xff\xff")
+ payload.add(char(0x3b))
+
+ doAssertRaises PixieError:
+ discard decodeGif(payload)
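Review bot: The corrected bound `bgColorIndex >= globalColorTableSize` is still applied unconditionally, although the background color index is only meaningful when the global color table flag (bit 0x80 of the packed byte at offset 10) is set. How `globalColorTableSize` is computed is outside this hunk; if it can be 0, or is derived from the size bits even when no table is present, the check either rejects table-less files whose background index is 0 or validates the index against a table that does not exist. Consider gating the check on the flag, e.g. `if <global table flag set> and bgColorIndex >= globalColorTableSize:`, and adding a comment such as `# Valid indices are 0 ..< globalColorTableSize.` so the off-by-one is not reintroduced. decodeGif's body starts and ends outside the hunk.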
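Review bot: The new block may not pin the `>=` fix, because the payload stops at the trailer byte `0x3b` with no image descriptor, so `decodeGif` could raise `PixieError` for a frameless or truncated file regardless of the background index; that behaviour is not visible here and should be confirmed against the pre-fix code. Pair it with the accepting boundary: the same bytes with `char(0x01)` (the last valid index) must pass the index check, ideally built as a minimal complete 1x1 GIF so the only difference between the rejected and accepted cases is that one byte. A short comment above the block, e.g. `# bgColorIndex == table size must be rejected (regression test for off-by-one).`, would state the intent.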