It was found that output function from gd_gif_out.c causes out-of-bounds access of the masks array when ctx->cur_bits becomes a negative number.
Created gd tracking bugs for this issue:
Affects: fedora-all [bug 1359839]
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1359837]
Out-of-bounds read of a global buffer. I can't see any real impact on security here.