gd2: handle corrupt images better (CVE-2016-3074)
Make sure we do some range checking on corrupted chunks. Thanks to Hans Jerry Illikainen <hji@dyntopia.com> for the in-depth report and reproducer information, which made it easy to write a test case :).
master
parent
fc14a8c1bb
commit
2bb97f407c
|
@ -150,6 +150,7 @@ Makefile.in
|
|||
/tests/gd2/gd2_im2im
|
||||
/tests/gd2/gd2_null
|
||||
/tests/gd2/gd2_read
|
||||
/tests/gd2/gd2_read_corrupt
|
||||
/tests/gdimagearc/bug00079
|
||||
/tests/gdimageline/gdimageline_aa
|
||||
/tests/gdimageline/bug00072
|
||||
|
|
|
@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
|||
if (gdGetInt (&cidx[i].size, in) != 1) {
|
||||
goto fail2;
|
||||
};
|
||||
if (cidx[i].offset < 0 || cidx[i].size < 0)
|
||||
goto fail2;
|
||||
};
|
||||
*chunkIdx = cidx;
|
||||
};
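Review bot: The added check in the chunk-index loop rejects only negative `offset`/`size` values; a corrupt index can still carry a positive offset or size that points past the end of the input, and nothing visible in this hunk bounds them from above. Whether the chunk reader later compares `size` with the buffer it allocated is outside the hunk, so that should be confirmed or the range check extended here. The new `if` is also unbraced while the neighbouring statements are braced; `if (cidx[i].offset < 0 || cidx[i].size < 0) { goto fail2; }` preceded by `/* corrupt index: negative offset/size must not reach the chunk reader */` would match the surrounding style and record why the check exists. _gd2GetHeader starts and ends outside the hunk.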
|
||||
|
|
|
@ -129,7 +129,8 @@ endif
|
|||
|
||||
if HAVE_LIBZ
|
||||
check_PROGRAMS += \
|
||||
gd2/gd2_null
|
||||
gd2/gd2_null \
|
||||
gd2/gd2_read_corrupt
|
||||
endif
|
||||
|
||||
if HAVE_LIBPNG
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
/* Just try to read the invalid gd2 image & not crash. */
|
||||
#include "gd.h"
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include "gdtest.h"
|
||||
|
||||
int main()
|
||||
{
|
||||
gdImagePtr im;
|
||||
FILE *fp;
|
||||
char path[1024];
|
||||
|
||||
/* Read the corrupt image. */
|
||||
sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
|
||||
fp = fopen(path, "rb");
|
||||
if (!fp) {
|
||||
printf("failed, cannot open file\n");
|
||||
return 1;
|
||||
}
|
||||
im = gdImageCreateFromGd2(fp);
|
||||
fclose(fp);
|
||||
|
||||
/* Should have failed & rejected it. */
|
||||
return im == NULL ? 0 : 1;
|
||||
}
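Review bot: `sprintf(path, ...)` writes GDTEST_TOP_DIR into the fixed 1024-byte `path` buffer with no bound, so a long build directory overruns it; `snprintf(path, sizeof(path), "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);` keeps the write in range. On the failure path, where the loader unexpectedly returns an image, the image is never released; `if (im) gdImageDestroy(im);` before the return keeps leak checkers quiet when the test runs under a sanitizer. The fixture name suggests only a negative size is exercised, while the fix also rejects a negative offset, so a second fixture for that case would cover both branches of the new condition. `int main()` would be better declared as `int main(void)`.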
|
Binary file not shown.