Fix #497: gdImageColorMatch Out Of Bounds Write on Heap (CVE-2019-6977)
Fixes CVE-2019-6977 and adds a corresponding testcase. Original patch by Christoph M. Becker <cmbecker69@gmx.de> https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
master
parent
4b0f372402
commit
2e886046f8
|
@ -31,9 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
|
|||
return -4; /* At least 1 color must be allocated */
|
||||
}
|
||||
|
||||
buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
|
||||
memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
|
||||
|
||||
buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
|
||||
memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
|
||||
for (x=0; x < im1->sx; x++) {
|
||||
for( y=0; y<im1->sy; y++ ) {
|
||||
color = im2->pixels[y][x];
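Review bot: The gdMalloc result on the new allocation line is passed straight to memset without a NULL check, so an allocation failure becomes a NULL-pointer write instead of an error return like the `-4` a few lines up; a guard such as `if (buf == NULL) return -5;` (constructed; pick a negative code not already used by this function) belongs between the two lines, or the pair can collapse into one zeroing allocation, `buf = (unsigned long *)gdCalloc(5 * gdMaxColors, sizeof(unsigned long));`, if gdCalloc is available in this tree. The switch from im2->colorsTotal to gdMaxColors is what closes the out-of-bounds write: the loop below indexes buf by the raw palette value read from im2->pixels, and as the new test shows with index 255 against a one-entry palette, that value is not bounded by colorsTotal, presumably only by the pixel storage type's range. That reasoning is not recorded anywhere in the hunk and deserves a comment on the allocation, e.g. `/* sized by gdMaxColors, not colorsTotal: pixel values can exceed the allocated palette (CVE-2019-6977) */`. gdImageColorMatch begins before this hunk and continues past it.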
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
/cve_2019_6977
|
||||
/gdimagecolormatch
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
LIST(APPEND TESTS_FILES
|
||||
cve_2019_6977
|
||||
gdimagecolormatch
|
||||
)
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
libgd_test_programs += \
|
||||
gdimagecolormatch/cve_2019_6977 \
|
||||
gdimagecolormatch/gdimagecolormatch
|
||||
|
||||
EXTRA_DIST += \
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
/**
|
||||
* Test for CVE-2019-6977
|
||||
*/
|
||||
|
||||
#include "gd.h"
|
||||
|
||||
int main()
|
||||
{
|
||||
gdImagePtr im1;
|
||||
gdImagePtr im2;
|
||||
|
||||
im1 = gdImageCreateTrueColor(0xfff, 0xfff);
|
||||
im2 = gdImageCreate(0xfff, 0xfff);
|
||||
if (gdImageColorAllocate(im2, 0, 0, 0) < 0)
|
||||
{
|
||||
gdImageDestroy(im1);
|
||||
gdImageDestroy(im2);
|
||||
return 1;
|
||||
}
|
||||
gdImageSetPixel(im2, 0, 0, 255);
|
||||
gdImageColorMatch(im1, im2);
|
||||
gdImageDestroy(im1);
|
||||
gdImageDestroy(im2);
|
||||
return 0;
|
||||
}
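Review bot: Neither gdImageCreateTrueColor nor gdImageCreate on the new lines is checked for NULL before im2 is handed to gdImageColorAllocate, so at 0xfff x 0xfff (tens of megabytes per image) an allocation failure would crash the test for a reason unrelated to the CVE and read as a regression. The return value of gdImageColorMatch is also discarded, so the test only fails when the overflow is caught by a sanitizer or corrupts the heap visibly; asserting its result (0, if that is the success value in this tree) makes the pass/fail criterion explicit. The gdImageSetPixel line is the actual trigger and should say so, e.g. `/* index 255 with one allocated colour: the value that overran the colorsTotal-sized buffer */`. Rewritten lines follow.
```c
int main()
{
	gdImagePtr im1;
	gdImagePtr im2;

	im1 = gdImageCreateTrueColor(0xfff, 0xfff);
	im2 = gdImageCreate(0xfff, 0xfff);
	if (im1 == NULL || im2 == NULL) {
		/* out of memory is not what this test checks; report it without crashing */
		if (im1 != NULL) gdImageDestroy(im1);
		if (im2 != NULL) gdImageDestroy(im2);
		return 1;
	}
	/* ... unchanged: gdImageColorAllocate check ... */
	/* index 255 with one allocated colour: the value that overran the colorsTotal-sized buffer */
	gdImageSetPixel(im2, 0, 0, 255);
	if (gdImageColorMatch(im1, im2) != 0) {
		gdImageDestroy(im1);
		gdImageDestroy(im2);
		return 1;
	}
	/* ... unchanged: cleanup and return 0 ... */
```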
|