Fix #497: gdImageColorMatch Out Of Bounds Write on Heap (CVE-2019-6977)
Fixes CVE-2019-6977 and adds the corresponding test case. Original patch by Christoph M. Becker <cmbecker69@gmx.de> https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
master
parent
4b0f372402
commit
2e886046f8
@ -31,9 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
|
||||||
return -4; /* At least 1 color must be allocated */
|
return -4; /* At least 1 color must be allocated */
|
||||||
}
|
}
|
||||||
|
|
||||||
buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
|
buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
|
||||||
memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
|
memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
|
||||||
|
|
||||||
for (x=0; x < im1->sx; x++) {
|
for (x=0; x < im1->sx; x++) {
|
||||||
for( y=0; y<im1->sy; y++ ) {
|
for( y=0; y<im1->sy; y++ ) {
|
||||||
color = im2->pixels[y][x];
|
color = im2->pixels[y][x];
|
||||||
|
|
|
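Review bot: The pointer returned on the `buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);` line is handed straight to the `memset` two lines later with no NULL check visible in between, so an allocation failure would dereference NULL; unless gdMalloc is guaranteed to abort on failure, a guard that returns a negative code distinct from the `-4` already used for the empty-palette case belongs between the two lines, and the allocate-then-clear pair could collapse into one `gdCalloc(5 * gdMaxColors, sizeof(unsigned long))` call. Sizing by gdMaxColors instead of im2->colorsTotal is the whole fix — the new test writes palette index 255 into an image with a single allocated colour, and presumably `buf` is later indexed by that `color` value — so a one-line comment such as `/* sized by gdMaxColors, not colorsTotal: a pixel may hold an index beyond the allocated palette */` would stop a later maintainer from shrinking it back. gdImageColorMatch begins and ends outside this hunk, so the later uses of `buf` and `color` are not reviewed here.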
@ -1 +1,2 @@
|
||||||
|
/cve_2019_6977
|
||||||
/gdimagecolormatch
|
/gdimagecolormatch
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
LIST(APPEND TESTS_FILES
|
LIST(APPEND TESTS_FILES
|
||||||
|
cve_2019_6977
|
||||||
gdimagecolormatch
|
gdimagecolormatch
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
libgd_test_programs += \
|
libgd_test_programs += \
|
||||||
|
gdimagecolormatch/cve_2019_6977 \
|
||||||
gdimagecolormatch/gdimagecolormatch
|
gdimagecolormatch/gdimagecolormatch
|
||||||
|
|
||||||
EXTRA_DIST += \
|
EXTRA_DIST += \
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
/**
|
||||||
|
* Test for CVE-2019-6977
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "gd.h"
|
||||||
|
|
||||||
|
int main()
|
||||||
|
{
|
||||||
|
gdImagePtr im1;
|
||||||
|
gdImagePtr im2;
|
||||||
|
|
||||||
|
im1 = gdImageCreateTrueColor(0xfff, 0xfff);
|
||||||
|
im2 = gdImageCreate(0xfff, 0xfff);
|
||||||
|
if (gdImageColorAllocate(im2, 0, 0, 0) < 0)
|
||||||
|
{
|
||||||
|
gdImageDestroy(im1);
|
||||||
|
gdImageDestroy(im2);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
gdImageSetPixel(im2, 0, 0, 255);
|
||||||
|
gdImageColorMatch(im1, im2);
|
||||||
|
gdImageDestroy(im1);
|
||||||
|
gdImageDestroy(im2);
|
||||||
|
return 0;
|
||||||
|
}
|
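Review bot: Neither `im1 = gdImageCreateTrueColor(0xfff, 0xfff);` nor `im2 = gdImageCreate(0xfff, 0xfff);` is checked for NULL before use, so if either ~16M-pixel allocation fails the test crashes inside gdImageColorAllocate instead of reporting a failure, and the unconditional `gdImageDestroy(im1)` in the error path would then run on a NULL image. The result of `gdImageColorMatch(im1, im2);` is also discarded, so the test only proves the call does not crash; if the function is expected to return 0 here, checking that would also confirm it reached its matching loop rather than bailing on a precondition. `int main()` should be `int main(void)` for a proper prototype. The guarded setup would look like this, with the rest of the body unchanged.
```c
int main(void)
{
	gdImagePtr im1;
	gdImagePtr im2;

	im1 = gdImageCreateTrueColor(0xfff, 0xfff);
	if (im1 == NULL) {
		return 1;
	}
	im2 = gdImageCreate(0xfff, 0xfff);
	if (im2 == NULL) {
		gdImageDestroy(im1);
		return 1;
	}
	/* … unchanged: colour allocation, gdImageSetPixel, gdImageColorMatch, cleanup … */
```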