[AUTO-CHERRYPICK] Patch giflib for CVE-2021-40633 [High] - branch main (#13537)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/giflib/CVE-2021-40633.patch

@@ -0,0 +1,30 @@
+From 7e6036db1536e0972de6f8f4e1fcf827d313f8ea Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Mon, 21 Apr 2025 19:53:54 +0000
+Subject: [PATCH] Address CVE-2021-40633
+
+Upstream Patch Reference : https://sourceforge.net/p/giflib/code/ci/ccbc956432650734c91acb3fc88837f7b81267ff
+
+Signed-off-by: Kanishk-Bansal <kbkanishk975@gmail.com>
+---
+ gif2rgb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index 11c39e4..855f821 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -496,6 +496,10 @@ static void GIF2RGB(int NumFiles, char *FileName,
+ 		   ScreenBuffer, 
+ 		   GifFile->SWidth, GifFile->SHeight);
+ 
++	for (i = 0; i < GifFile->SHeight; i++) {
++		(void)free(ScreenBuffer[i]);
++	}
++
+     (void)free(ScreenBuffer);
+ 
+     if (DGifCloseFile(GifFile, &Error) == GIF_ERROR) {
+-- 
+2.45.2
+

SPECS/giflib/giflib.spec

@@ -1,7 +1,7 @@
 Name:           giflib
 Summary:        A library and utilities for processing GIFs
 Version:        5.2.1
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -13,6 +13,7 @@ Patch1:         CVE-2023-48161.patch
 Patch2:         CVE-2022-28506.patch
 Patch3:         CVE-2023-39742.patch
 Patch4:         CVE-2025-31344.patch
+Patch5:         CVE-2021-40633.patch
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  xmlto
@@ -63,6 +64,9 @@ find %{buildroot} -name '*.a' -print -delete
 %{_mandir}/man1/*.1*
 
 %changelog
+* Mon Apr 21 2025 Kanishk Bansal <kanbansal@microsoft.com> - 5.2.1-10
+- Patch CVE-2021-40633 using an upstream patch
+
 * Tue Apr 15 2025 Sudipta Pandit <sudpandit@microsoft.com> - 5.2.1-9
 - Patch CVE-2025-31344