Noticed while reviewing various GIF decoder patches. hclam -- want to fix this while you're touching this stuff? The bug is that the GIFNetscapeExtensionBlock state of the parser reads the block length from the image file, but then the GIFConsumeNetscapeExtension assumes the block length is at least the 3 that the spec requires. Therefore, an image can specify "1" or "2" here and then end after that many more bytes, and the parser will happily read another two or one bytes off the end of the buffer. I believe the correct fix is that the GIFNetscapeExtensionBlock state should call GETN(std::max(3, *currentComponent), GIFConsumeNetscapeExtension);. A comment explaining this wouldn't be amiss. I suspect Gecko has the same problem. The Chrome security guys looked at this and declared it not a security bug, since there seems to be no way to use this OOB read to malicious effect (since it just controls the image loop count).