Fix #497: gdImageColorMatch Out Of Bounds Write on Heap (CVE-2019-6977)

Fixed CVE-2019-6977 and add corresponding testcase.

Original patch by Christoph M. Bechker <cmbecker69@gmx.de>
https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced

src/gd_color_match.c

@@ -31,9 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
 		return -4; /* At least 1 color must be allocated */
 	}
 
-	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
-	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
-
+	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
+	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
 	for (x=0; x < im1->sx; x++) {
 		for( y=0; y<im1->sy; y++ ) {
 			color = im2->pixels[y][x];

tests/gdimagecolormatch/.gitignore

@@ -1 +1,2 @@
+/cve_2019_6977
 /gdimagecolormatch

tests/gdimagecolormatch/CMakeLists.txt

@@ -1,4 +1,5 @@
 LIST(APPEND TESTS_FILES
+	cve_2019_6977
 	gdimagecolormatch
 )
 

tests/gdimagecolormatch/Makemodule.am

@@ -1,4 +1,5 @@
 libgd_test_programs += \
+	gdimagecolormatch/cve_2019_6977 \
 	gdimagecolormatch/gdimagecolormatch
 
 EXTRA_DIST += \

tests/gdimagecolormatch/cve_2019_6977.c

@@ -0,0 +1,25 @@
+/**
+ * Test for CVE-2019-6977
+ */
+
+#include "gd.h"
+
+int main()
+{
+	gdImagePtr im1;
+	gdImagePtr im2;
+
+	im1 = gdImageCreateTrueColor(0xfff, 0xfff);
+	im2 = gdImageCreate(0xfff, 0xfff);
+	if (gdImageColorAllocate(im2, 0, 0, 0) < 0)
+	{
+		gdImageDestroy(im1);
+		gdImageDestroy(im2);
+		return 1;
+	}
+	gdImageSetPixel(im2, 0, 0, 255);
+	gdImageColorMatch(im1, im2);
+	gdImageDestroy(im1);
+	gdImageDestroy(im2);
+	return 0;
+}