jedan bug u fillrect() NULL deref 

drugi u decode() , memset beskonacno izgleda 

obican.gif sad pokrece memset bug , a ok.gif idalje null deref 

the vulnerability is in QGIFFormat::fillRect() function 

void QGIFFormat::fillRect(QImage& img, int col, int row, int w, int h, QRgb color)
{
    if (w>0) {
	QRgb** line = (QRgb **)img.jumpTable() + row;
	for (int j=0; j<h; j++) {
	    for ( int i=0; i<w; i++ ) {
		*(line[j]+col+i) = color; /// !!!!!! no check if line == NULL 
	    }
	}
    }
}


if line is null it will crash 

this function can be reached from QGIFFormat::decode() function 

int QGIFFormat::decode(QImage& img, QImageConsumer* consumer,
	const uchar* buffer, int length)
{
 
#define LM(l, m) (((m)<<8)|l)
    digress = FALSE;
    int initial = length;
    QRgb** line = (QRgb **)img.jumpTable();
....
....

		frame++;
		if ( frame == 0 ) {
		    if ( left || top || width<swidth || height<sheight ) { // here , if any of these conditions is true [1]
			// Not full-size image - erase with bg or transparent
			if ( trans_index >= 0 ) {
			    fillRect(img, 0, 0, swidth, sheight, color(trans_index));
			    if (consumer) consumer->changed(QRect(0,0,swidth,sheight));
			} else if ( bgcol>=0 ) {
			    fillRect(img, 0, 0, swidth, sheight, color(bgcol)); // the actual call the the function
			    if (consumer) consumer->changed(QRect(0,0,swidth,sheight));
			}
		    }
		}


[1] any of those can be true by changing certain bytes in .gif file