There are small typos in:
- examples/copyrotated.c
- src/gd.c
- src/gd.h
- src/gd_avif.c
- src/gd_nnquant.c
- src/gd_tga.c
- src/gd_topal.c
- src/wbmp.c
- tests/avif/compare_avif_to_png.c
Fixes:
- Should read `requires` rather than `reqiures`.
- Should read `of the` rather than `ofthe`.
- Should read `memory` rather than `memmory`.
- Should read `maximum` rather than `maxmum`.
- Should read `intersection` rather than `intertersection`.
- Should read `hypotenuse` rather than `hypothenus`.
- Should read `flexibility` rather than `flexibilty`.
- Should read `always` rather than `alwasy`.
- Should read `also` rather than `alos`.
oss-fuzz pointed out:
gd_tga.c:209:52: runtime error: signed integer overflow: 838848000 * 3 cannot be represented in type 'int'
This is somewhat of a false positive as we already have overflow checks
after this assignment, but we can delay the code until afterwards to
avoid warnings.
It is possible to craft TGA files which will overflow the decompression
buffer, but not the image's bitmap. Therefore we also have to check for
potential decompression buffer overflows.
This issue had been reported by Ibrahim El-Sayed to security@libgd.org;
a modified case exposing an off-by-one error of the first patch had been
provided by Konrad Beckmann.
This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906
as well.
It is possible to craft TGA files which will overflow the decompression
buffer, but not the image's bitmap. Therefore we augment the check for the
bitmap's overflow with a check for the buffer's overflow.
This issue had been reported by Ibrahim El-Sayed to security@libgd.org.
CVE-2016-6906
We make it work only, for now. Actually, it doesn't make sense that
`oTga::bitmap` is an `int *` as we're storing only bytes there. If this
will be changed, we can even get rid of the `conversion_buffer` in
`read_image_tga` altogether, and read the image data into the
`decompression_buffer` (if RLE'd) or the `tga->bitmap` (if uncompressed)
directly.
We fix the unintended sign extension issue #150385 by declaring encoded_pixels
as int, and the logical vs. bitwise operator issue #150382 by using the
proper operator.
Try to standardize the internals a little bit and simplify the read
paths to abort early on when we know we won't actually handle the
input format. Avoid resetting pointers that are on the stack or we
release as it's a waste of code.
First, if the tga input had an ID set, we'd read this into the pointer
itself (and the memory after it in the struct/heap) instead of the memory
allocated to hold it. This bug has been around since the tga code was
first added. We'd basically corrupt memory all the time since most tga
files out there have an ID set up (like a datestamp).
Second, make sure we reject invalid images that would cause overflows in
the allocation path. We tried to check for this already, but we used the
wrong type (we checked uint8_t but allocated int).
Fixes#159.
- revert horizontal/vertical, was too confusing, it acts now like any
application (ie. gimp/ps) instead of talking about h/v axis
- optimize both
- add simple example
Tim Gates
maryam ebrahimzadeh
Mike Frysinger
Christoph M. Becker
Ondřej Surý
Pierre Joye
Takeshi Abe
pierrejoye