Fix #354: Signed Integer Overflow gd_io.c

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 byte unsigned). These values are multiplied and assigned to an int when reading the image, what can cause integer overflows. We have to avoid that, and also make sure that either chunk count is actually greater than zero. If illegal chunk counts are detected, we bail out from reading the image.
2016-12-17 17:06:58 +01:00 · 2016-12-17 17:06:58 +01:00 · 69d2fd2c59
commit 69d2fd2c59
parent 1846f48e5f
7 changed files with 41 additions and 0 deletions
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@ -209,6 +209,10 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
 	GD2_DBG (printf ("%d Chunks vertically\n", *ncy));

 	if (gd2_compressed (*fmt)) {
+		if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
+			GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
+			goto fail1;
+		}
 		nc = (*ncx) * (*ncy);

 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
--- a/tests/gd2/.gitignore
+++ b/tests/gd2/.gitignore
@ -1,5 +1,6 @@
 /bug_289
 /bug00309
+/bug00354
 /gd2_empty_file
 /gd2_im2im
 /gd2_null
--- a/tests/gd2/CMakeLists.txt
+++ b/tests/gd2/CMakeLists.txt
@ -1,6 +1,7 @@
 LIST(APPEND TESTS_FILES
 	bug_289
 	bug00309
+	bug00354
 	gd2_empty_file
 	gd2_im2im
 	gd2_null
--- a/tests/gd2/Makemodule.am
+++ b/tests/gd2/Makemodule.am
@ -1,6 +1,7 @@
 libgd_test_programs += \
 	gd2/bug_289 \
 	gd2/bug00309 \
+	gd2/bug00354 \
 	gd2/gd2_empty_file \
 	gd2/php_bug_72339 \
 	gd2/gd2_read_corrupt \
@ -19,6 +20,8 @@ endif

 EXTRA_DIST += \
 	gd2/CMakeLists.txt \
+	gd2/bug00354a.gd2 \
+	gd2/bug00354b.gd2 \
 	gd2/conv_gd2_exp.gd2 \
 	gd2/conv_test.gd2 \
 	gd2/conv_test_exp.png \
--- a/tests/gd2/bug00354.c
+++ b/tests/gd2/bug00354.c
@ -0,0 +1,32 @@
+/**
+ * We're testing GD2 image files which report illegal chunk counts. These should
+ * not cause integer overflows or other issues, but instead simply fail to be
+ * loaded.
+ *
+ * See also <https://github.com/libgd/libgd/issues/354>.
+ */
+
+
+#include "gd.h"
+#include "gdtest.h"
+
+
+int main()
+{
+    gdImagePtr im;
+    FILE *fp;
+
+    fp = gdTestFileOpen2("gd2", "bug00354a.gd2");
+    gdTestAssert(fp != NULL);
+    im = gdImageCreateFromGd2(fp);
+    gdTestAssert(im == NULL);
+    fclose(fp);
+
+    fp = gdTestFileOpen2("gd2", "bug00354b.gd2");
+    gdTestAssert(fp != NULL);
+    im = gdImageCreateFromGd2(fp);
+    gdTestAssert(im == NULL);
+    fclose(fp);
+
+    return gdNumFailures();
+}
--- a/tests/gd2/bug00354a.gd2
+++ b/tests/gd2/bug00354a.gd2
--- a/tests/gd2/bug00354b.gd2
+++ b/tests/gd2/bug00354b.gd2