1237 Commits

Author SHA1 Message Date
Mike Frysinger
9fa3abd2e6 gif: fix out-of-bounds read w/corrupted lzw data
oss-fuzz pointed out:
gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int [4096]'

Add some bounds checking on each code that we read from the file.
2018-01-26 01:57:52 -05:00
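The bounds check this commit describes, as an added example that is not libgd's gd_gif_in.c code: a minimal GIF-style LZW decoder working over codes that have already been unpacked from the bit stream (the bit unpacking is left out, and the 8-bit root / clear=256 / EOI=257 layout is assumed). Every code is validated before it indexes the 4096-entry tables, codes above the next free slot are rejected as never defined, and the next free slot itself is accepted only as the KwKwK case that needs a previous string. The sample code sequences are constructed for the self-check and are not real GIF data.

```c
#include <stddef.h>
#include <string.h>

#define LZW_MAX_CODES 4096          /* GIF caps the code table at 12 bits */
#define LZW_CLEAR     256           /* assumes 8-bit-rooted codes (min code size 8) */
#define LZW_EOI       257

/* Unwind the string for `code` onto `stack`, last byte first.
   Returns the length; stack[n-1] is the string's first byte. */
static size_t lzw_unwind(int code, const int *prefix,
                         const unsigned char *suffix, unsigned char *stack)
{
    size_t n = 0;
    while (code >= 0) {             /* literal codes have prefix -1 */
        stack[n++] = suffix[code];
        code = prefix[code];        /* prefixes always point to lower codes: no cycles */
    }
    return n;
}

/* Decode `codes` into `out`. Returns 0 on success, -1 on a corrupt code
   (outside the 4096-entry table, not yet defined) or output overflow. */
int lzw_decode(const int *codes, size_t ncodes,
               unsigned char *out, size_t outcap, size_t *outlen)
{
    int prefix[LZW_MAX_CODES];
    unsigned char suffix[LZW_MAX_CODES], firstch[LZW_MAX_CODES];
    unsigned char stack[LZW_MAX_CODES];
    int next = LZW_EOI + 1, prev = -1;
    size_t o = 0;

    for (int c = 0; c < LZW_MAX_CODES; c++) {
        prefix[c] = -1;
        suffix[c] = firstch[c] = (unsigned char)(c & 0xff);
    }

    for (size_t i = 0; i < ncodes; i++) {
        int code = codes[i];
        size_t n;
        unsigned char fc;

        /* The check the commit adds: never index the tables with an
           out-of-range code (oss-fuzz saw index 5595 into int[4096]). */
        if (code < 0 || code >= LZW_MAX_CODES)
            return -1;
        if (code == LZW_CLEAR) { next = LZW_EOI + 1; prev = -1; continue; }
        if (code == LZW_EOI) break;
        /* A code above the next free slot was never defined; the slot itself
           is only valid as the KwKwK case, which needs a previous string. */
        if (code > next || (code == next && prev < 0))
            return -1;

        if (code == next) {             /* KwKwK: prev string + its first byte */
            n = lzw_unwind(prev, prefix, suffix, stack);
            fc = firstch[prev];
            if (o + n + 1 > outcap) return -1;
            for (size_t k = n; k-- > 0;) out[o++] = stack[k];
            out[o++] = fc;
        } else {
            n = lzw_unwind(code, prefix, suffix, stack);
            fc = stack[n - 1];
            if (o + n > outcap) return -1;
            for (size_t k = n; k-- > 0;) out[o++] = stack[k];
        }
        if (prev >= 0 && next < LZW_MAX_CODES) {   /* table full: stop adding */
            prefix[next] = prev;
            suffix[next] = fc;
            firstch[next] = firstch[prev];
            next++;
        }
        prev = code;
    }
    *outlen = o;
    return 0;
}

/* Constructed code sequences for a self-check (not real GIF data). */
int lzw_example_decodes_valid_stream(void)
{
    static const int codes[] = { 65, 66, 258, 260, LZW_EOI };  /* encodes "ABABABA" */
    unsigned char out[16]; size_t n = 0;
    if (lzw_decode(codes, 5, out, sizeof out, &n) != 0) return 0;
    return n == 7 && memcmp(out, "ABABABA", 7) == 0;
}

int lzw_example_rejects_corrupt_codes(void)
{
    static const int oob[]   = { 65, 5595 };   /* outside int[4096] */
    static const int undef[] = { 65, 300 };    /* slot 300 not yet defined */
    static const int kwkwk[] = { 258 };        /* KwKwK with no previous string */
    unsigned char out[16]; size_t n = 0;
    return lzw_decode(oob, 2, out, sizeof out, &n) == -1
        && lzw_decode(undef, 2, out, sizeof out, &n) == -1
        && lzw_decode(kwkwk, 1, out, sizeof out, &n) == -1;
}
```

The third rejected sequence matters in practice: a decoder that only checks `code < 4096` still reads an undefined table slot when the first code after a clear is the next free slot, so the "not yet defined" test belongs next to the range test.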
Mike Frysinger
a8f1d5cab0 wbmp: getmbi: use unsigned int to avoid undefined shift behavior
oss-fuzz pointed out:
wbmp.c:48:14: runtime error: left shift of 253751679 by 7 places cannot be represented in type 'int'

See previous commit for more details.
2018-01-25 23:25:56 -05:00
Mike Frysinger
772d0107a6 gdGetIntLSB: use unsigned int to avoid undefined shift behavior
oss-fuzz pointed out:
gd_io.c:174:10: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'

See previous commit for more details.
2018-01-25 23:18:56 -05:00
Mike Frysinger
24d352576c gdGetInt: use unsigned int to avoid undefined shift behavior
oss-fuzz pointed out:
gd_io.c:139:14: runtime error: left shift of 199 by 24 places cannot be represented in type 'int'

Switch the temp var we use here to unsigned to avoid that.  We do an
unsigned int to signed int conversion at the end which is undefined, but
since compilers don't seem to mind that, we won't care just yet.  It also
makes the code match gdGetIntLSB behavior.
2018-01-25 23:02:32 -05:00
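The three "use unsigned int" commits above (gdGetInt, gdGetIntLSB and the WBMP getmbi) share one technique: accumulate multi-byte values in an unsigned type, because left-shifting a signed int into its sign bit is undefined behavior, while the same shift on unsigned is fully defined. As an added example (not libgd's gd_io.c or wbmp.c code), here are the three readers in that shape over in-memory buffers rather than gd's I/O contexts. The overflow guard in `getmbi` and the truncation check are additions of this example, not something the commits describe; the final unsigned-to-int32_t conversion is implementation-defined (C11 6.3.1.3), not undefined, and wraps two's-complement on every mainstream compiler.

```c
#include <stddef.h>
#include <stdint.h>

/* Big-endian 32-bit read (the gdGetInt shape): accumulate in uint32_t so
   that a top byte of 199 (0xC7) shifted by 24 is well-defined. */
int32_t get_int_be(const unsigned char b[4])
{
    uint32_t u = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16)
               | ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
    /* Converting a value > INT32_MAX back to int32_t is implementation-defined
       (C11 6.3.1.3), not undefined; mainstream compilers wrap two's-complement. */
    return (int32_t)u;
}

/* Little-endian variant (the gdGetIntLSB shape). */
int32_t get_int_le(const unsigned char b[4])
{
    uint32_t u = ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16)
               | ((uint32_t)b[1] << 8)  |  (uint32_t)b[0];
    return (int32_t)u;
}

/* WBMP multi-byte integer (the getmbi shape): 7 value bits per byte, high
   bit set means "more bytes follow", most significant group first.
   Returns the value (0..INT32_MAX) and advances *pos, or -1 on a truncated
   or overlong encoding. The overflow guard is an addition of this example. */
int32_t getmbi(const unsigned char *buf, size_t len, size_t *pos)
{
    uint32_t mbi = 0;
    unsigned char c;
    do {
        if (*pos >= len)
            return -1;                      /* ran off the end of the input */
        c = buf[(*pos)++];
        if (mbi & 0xFE000000u)
            return -1;                      /* another 7 bits would not fit in 32 */
        mbi = (mbi << 7) | (c & 0x7Fu);     /* unsigned shift: always well-defined */
    } while (c & 0x80);
    if (mbi > (uint32_t)INT32_MAX)
        return -1;                          /* callers expect a non-negative int */
    return (int32_t)mbi;
}

/* Constructed inputs for a self-check (the 0xC7 top byte is the value 199
   from the sanitizer report). */
int reader_examples_ok(void)
{
    static const unsigned char be[4]  = { 0xC7, 0x00, 0x00, 0x00 };
    static const unsigned char le[4]  = { 0xFF, 0xFF, 0xFF, 0xFF };
    static const unsigned char two[]  = { 0x81, 0x00 };                 /* (1<<7)|0 = 128 */
    static const unsigned char cut[]  = { 0x81 };                       /* continuation, then EOF */
    static const unsigned char big[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F }; /* > 32 bits */
    size_t p;
    if (get_int_be(be) != (int32_t)-956301312) return 0;   /* 0xC7000000 wrapped */
    if (get_int_le(le) != -1) return 0;
    p = 0; if (getmbi(two, sizeof two, &p) != 128 || p != 2) return 0;
    p = 0; if (getmbi(cut, sizeof cut, &p) != -1) return 0;
    p = 0; if (getmbi(big, sizeof big, &p) != -1) return 0;
    return 1;
}
```

Note that the unsigned accumulator only removes the undefined shift; without the `0xFE000000u` guard, an overlong WBMP integer would silently wrap instead, which is why the guard sits before the shift rather than after it.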
Mike Frysinger
fdbd8df682 add underscores around attributes
We use __attribute__ instead of attribute everywhere to avoid namespace
issues, so make sure we use the same style for the attribute options too.
2018-01-25 21:51:03 -05:00
Tim D. Smith
f3dc031df7 Make ReadOK fail on short reads 2018-01-24 21:05:41 -05:00
Mike Frysinger
dd76e8fcf2 generate & install gdlib.pc for cmake builds too #164 2018-01-10 01:56:10 -05:00
Mike Frysinger
60016a4426 include snprintf.c in the dist tarball
The cmake files refer to it for older Windows builds.  Fixes #416.
2018-01-10 00:59:34 -05:00
Christoph M. Becker
712d9ec181 Fix #411: gd_gd.c format documentation appears to be incorrect
The palette headers always consist of 256 palette entries, and if
`\377\377\377\377` is given for the transparency, that means that there
is no transparent color.
2017-09-07 15:27:18 +02:00
Christoph M. Becker
c39fa1e03c Document GD 1.x image format 2017-09-03 15:50:42 +02:00
Christoph M. Becker
5176856eae Fix potential memory leak in gdImageStringFTEx()
Of course, we have to free all allocated resources before returning.

Reported by shqking <shqking@gmail.com> to security@libgd.org.
2017-08-29 16:47:24 +02:00
Christoph M. Becker
3b8a69cfe5 Merge branch 'pull-request/346' 2017-08-27 17:45:20 +02:00
Christoph M. Becker
2207e3c88a Fix #381: libgd double-free vulnerability
The issue is that `gdImagePngCtxEx` (which is called by `gdImagePngPtr`
and the other PNG output functions to do the real work) does not return
whether it succeeded or failed, so this is not checked in
`gdImagePngPtr` and the function wrongly assumes everything is okay,
which is not, in this case, because the palette image contains no
palette entries.

We can't change the signature of `gdImagePngCtxEx` for API
compatibility reasons, so we introduce the static helper
`_gdImagePngCtxEx` which returns success or failure, so
`gdImagePngPtr` and `gdImagePngPtrEx` can check the return value. We
leave it solely to libpng for now to report warnings regarding the
failing write.

CVE-2017-6362
2017-08-27 17:18:34 +02:00
Christoph M. Becker
a7a7ece43c Fix #386: gdImageGrayScale() may produce colors
We have to make sure to avoid alpha-blending issues by explicitly
switching to `gdEffectReplace` and to restore the old value afterwards.

We also document the algorithm used by `gdImageGrayScale()` and note
its limitations regarding palette images.
2017-08-27 12:57:03 +02:00
Christoph M. Becker
1c090dc01e Fix #406: webpng -i removes the transparent color
We have to initialize `trans_col` to the value that guards the call to
`gdImageColorTransparent()`. To avoid confusion, we replace the magic
numbers with a macro.
2017-08-25 12:13:19 +02:00
Christoph M. Becker
880c9f6def Back-port fix for PHP bug 75111
Although libgd is not really affected by this issue, because contrary
to PHP's bundled libgd it does not allow reading from negative offsets,
we consider it still a bug that `dynamicSeek()` does not behave like
`fileSeek()` with regard to negative positions.

As this behavior cannot be probed from outside, we omit the regression
test.
2017-08-24 14:32:20 +02:00
Christoph M. Becker
c613bc1698 Close #339: Fix uninitialized memory read vulnerability in GIF reading
The stack allocated color map buffers were not zeroed before usage, and
so undefined palette indexes could cause information leakage.

This issue has been reported by Matviy Kotoniy to security@libgd.org in
<CAKm_7a-AO++B6cXYWM_DtycPENG5WNWK7NSEvQ5OmZziMY_JyA@mail.gmail.com>.
2017-08-10 18:31:29 +02:00
Galik
3385b9aebf Truetype font drawing functions now take const strings (#400)
The following API functions now accept the font names and the text to be
printed as `const char*` rather than `char*`. This makes the functions
much more `C++` friendly.

gdImageStringFT();
gdImageStringTTF();
gdImageStringFTEx();

Other functions/types affected:

typedef struct fontkey_t;

any2eucjp();
gdTcl_UtfToUniChar();
DetectKanjiCode();
do_convert();
do_check_and_conv();
2017-07-29 11:24:32 -04:00
Mike Frysinger
660abbeb96 fix some unused variable errors when built w/out png 2017-02-15 10:57:24 -05:00
Christoph M. Becker
e65415d91c Fix Coverity #155476: potential resource leak
If the reading of GD2 images fails due to a truncated file, we have to
make sure that all resources are freed. We do so by going to `fail`
instead of bailing out early.

This is a minor issue, though, as GD2 isn't recommended for production
use at all.
2017-01-30 12:41:04 +01:00
Christoph M. Becker
acc11040cd Fix Coverity #155475: Failure to restore alphaBlendingFlag
Actually, there is no need to change the alphaBlendingFlag in the first
place, if the buffer allocation fails, so we move the allocation
attempt up.
2017-01-30 12:29:02 +01:00
Christoph M. Becker
b4d153ba96 Fix and reenable optimized support for reading 1 bps TIFFs
Due to #82 the optimized support for reading 1 bps TIFF files (black &
white) had been disabled. Tony Lew already pointed out a fix in #88.

Furthermore, there was the following missing and improper error handling:
* TIFFReadScanline() returns -1 on error, not 0
* the result of TIFFReadTile() hasn't been checked
* in case of failure of these functions, the error had not been
  propagated

We fix this, and re-enable direct support for 1 bps TIFFs, which is
more memory efficient than the general RGBA support. We also make sure
not to hit any not yet implemented code path.
2017-01-25 23:28:23 +01:00
Christoph M. Becker
bffad4da3c Add a test for reading X10 bitmap files
We also improve the related documentation, which didn't mention yet
which X bitmap formats are supported.
2017-01-21 16:56:12 +01:00
Christoph M. Becker
082c544483 Fix #109: XBM reading fails with printed error
When calculating the number of required bytes of an XBM image, we have
to take the line padding into account.
2017-01-20 22:49:28 +01:00
Christoph M. Becker
381e89de16 Fix build issue regarding INT_MAX
For portability gd_gd2.c needs to include <limits.h>.

(cherry picked from commit c9b601a658a79e6ea2aad29fbf60ca6e24ccef1e)
2017-01-19 01:10:40 +01:00
Christoph M. Becker
55ac28a293 Fix #357: 2.2.4: Segfault in test suite.
We make sure to never pass a negative `int` as argument to a `size_t`
parameter.
2017-01-19 01:02:58 +01:00
Christoph M. Becker
1f57639f04 Remove unused functions
gdImageRotate() and gdImageRotate45() are neither used by GD nor
exported, so we remove them.
2017-01-10 18:57:24 +01:00
Christoph M. Becker
69d2fd2c59 Fix #354: Signed Integer Overflow gd_io.c
GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, which can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.
2016-12-17 17:38:02 +01:00
Christoph M. Becker
1846f48e5f Fix #340: System frozen
gdImageCreate() doesn't check for oversized images and as such is prone
to DoS vulnerabilities. We fix that by applying the same overflow check
that is already in place for gdImageCreateTrueColor().

CVE-2016-9317
2016-12-13 16:02:19 +01:00
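The two fixes above (#354 and #340) are the same class of check: a width, height or chunk count read from the file is multiplied into an allocation size, and the multiplication must be proven not to overflow before it is used. As an added example (not libgd's gdImageCreate() or gd_gd2.c code), here is one overflow test applied to both cases, with a toy row allocator standing in for the image structure. The `image_size_ok`, `create_palette_rows` and `gd2_chunk_count` names are this example's own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* True if a * b would not fit in an int (both arguments non-negative). */
static int mul_overflows_int(int a, int b)
{
    return a != 0 && b > INT_MAX / a;
}

/* Width x height sanity check shared by palette and truecolor creation:
   rejects non-positive sizes, a product that overflows int, and a row
   byte count that would overflow size_t. */
int image_size_ok(int sx, int sy, size_t pixel_bytes)
{
    if (sx <= 0 || sy <= 0) return 0;
    if (mul_overflows_int(sx, sy)) return 0;
    if ((size_t)sx > SIZE_MAX / pixel_bytes) return 0;
    return 1;
}

/* Allocate sy rows of sx one-byte palette indices (toy structure, not
   gdImage), or NULL when the size fails the check or memory runs out. */
unsigned char **create_palette_rows(int sx, int sy)
{
    if (!image_size_ok(sx, sy, 1)) return NULL;
    unsigned char **rows = calloc((size_t)sy, sizeof *rows);
    if (!rows) return NULL;
    for (int i = 0; i < sy; i++) {
        rows[i] = calloc((size_t)sx, 1);
        if (!rows[i]) { while (i--) free(rows[i]); free(rows); return NULL; }
    }
    return rows;
}

void free_rows(unsigned char **rows, int sy)
{
    if (!rows) return;
    for (int i = 0; i < sy; i++) free(rows[i]);
    free(rows);
}

/* GD2 stores ncx and ncy as 16-bit unsigned words and multiplies them into
   the chunk-table size. Return that size, or -1 when either count is zero
   or out of range, or the product overflows int (the check #354 adds). */
int gd2_chunk_count(unsigned ncx, unsigned ncy)
{
    if (ncx == 0 || ncy == 0 || ncx > 0xFFFF || ncy > 0xFFFF) return -1;
    if (mul_overflows_int((int)ncx, (int)ncy)) return -1;
    return (int)(ncx * ncy);
}

/* Self-check on constructed sizes: a small image allocates, an oversized
   one (2^20 x 2^20) and a negative width are refused before any calloc. */
int rows_example_ok(void)
{
    unsigned char **r = create_palette_rows(4, 3);
    int ok = r != NULL
          && create_palette_rows(1 << 20, 1 << 20) == NULL
          && create_palette_rows(-1, 3) == NULL;
    free_rows(r, 3);
    return ok;
}
```

The check is deliberately done on the `int` product and on the `size_t` row size separately: on an LP64 system `sx * sy` fits a 64-bit allocation size long before it fits an `int`, and it is the `int` that the rest of an image library indexes with.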
Christoph M. Becker
58b6dde319 Fix OOB reads of the TGA decompression buffer
It is possible to craft TGA files which will overflow the decompression
buffer, but not the image's bitmap. Therefore we also have to check for
potential decompression buffer overflows.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org;
a modified case exposing an off-by-one error of the first patch had been
provided by Konrad Beckmann.

This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906
as well.
2016-12-13 15:51:51 +01:00
Christoph M. Becker
fe9ed49daf Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.
2016-12-13 15:33:42 +01:00
Christoph M. Becker
60bfb401ad Fix potential unsigned underflow
No need to decrease `u`, so we don't do it. While we're at it, we also factor
out the overflow check of the loop, which improves performance and readability.

This issue has been reported by Stefan Esser to security@libgd.org.
2016-12-13 15:16:03 +01:00
Christoph M. Becker
a49feeae76 Fix double-free in gdImageWebPtr()
The issue is that gdImageWebpCtx() (which is called by gdImageWebpPtr() and
the other WebP output functions to do the real work) does not return whether
it succeeded or failed, so this is not checked in gdImageWebpPtr() and the
function wrongly assumes everything is okay, which is not, in this case,
because there is a size limitation for WebP, namely that the width and
height must be less than 16383.

We can't change the signature of gdImageWebpCtx() for API compatibility
reasons, so we introduce the static helper _gdImageWebpCtx() which returns
success or failure, so gdImageWebpPtr() and gdImageWebpPtrEx() can
check the return value. We leave it solely to libwebp for now to report
warnings regarding the failing write.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org.

CVE-2016-6912
2016-12-13 14:40:03 +01:00
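CVE-2016-6912 above and CVE-2017-6362 (the `gdImagePngPtr` fix earlier on this page) describe the same structural repair: a `void` writer cannot tell its `Ptr` wrapper that encoding failed, so the wrapper hands back a buffer as if it had succeeded. As an added example (not libgd's gd_webp.c or gd_png.c code, and without gdIOCtx or libwebp), here is the pattern in miniature: a status-returning static helper, the public void function kept for API compatibility, and a `Ptr` wrapper that only returns memory on success. The growable `out_ctx`, the toy "encoder" and the `FAKE_MAX_DIM` limit (the 16383 figure from the commit) are this example's assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal growable output context standing in for gdIOCtx (assumed here). */
typedef struct {
    unsigned char *data;
    size_t len, cap;
} out_ctx;

static int ctx_put(out_ctx *c, const void *p, size_t n)
{
    if (c->len + n > c->cap) {
        size_t ncap = c->cap ? c->cap * 2 : 64;
        while (ncap < c->len + n) ncap *= 2;
        unsigned char *d = realloc(c->data, ncap);
        if (!d) return -1;
        c->data = d;
        c->cap = ncap;
    }
    memcpy(c->data + c->len, p, n);
    c->len += n;
    return 0;
}

#define FAKE_MAX_DIM 16383   /* the WebP dimension limit the commit cites */

/* Status-returning helper (the `_gdImageWebpCtx` idea): writes a toy
   4-byte header plus raw 1-byte pixels; a real encoder is out of scope. */
static int image_write_ctx_status(const unsigned char *pixels, int w, int h, out_ctx *out)
{
    if (w <= 0 || h <= 0 || w >= FAKE_MAX_DIM || h >= FAKE_MAX_DIM)
        return -1;                        /* the failure the Ptr wrapper must see */
    unsigned char hdr[4] = { (unsigned char)(w >> 8), (unsigned char)w,
                             (unsigned char)(h >> 8), (unsigned char)h };
    if (ctx_put(out, hdr, 4)) return -1;
    return ctx_put(out, pixels, (size_t)w * (size_t)h);
}

/* Public void API kept for compatibility: callers learn nothing about failure. */
void image_write_ctx(const unsigned char *pixels, int w, int h, out_ctx *out)
{
    (void)image_write_ctx_status(pixels, w, h, out);
}

/* Ptr variant: malloc'd buffer and *size on success, NULL and *size == 0
   otherwise. The wrapper never extracts or frees a buffer it did not get. */
void *image_write_ptr(const unsigned char *pixels, int w, int h, int *size)
{
    out_ctx out = { 0 };
    void *rv = NULL;
    *size = 0;
    if (image_write_ctx_status(pixels, w, h, &out) == 0) {
        rv = out.data;            /* hand ownership to the caller */
        *size = (int)out.len;
        out.data = NULL;
    }
    free(out.data);               /* releases partial output only on failure */
    return rv;
}

/* Self-checks on a constructed 2x2 image and on a width at the limit. */
int ptr_example_ok(void)
{
    static const unsigned char px[4] = { 1, 2, 3, 4 };
    int size = -1;
    void *buf = image_write_ptr(px, 2, 2, &size);
    int ok = buf != NULL && size == 8
          && memcmp((unsigned char *)buf + 4, px, 4) == 0;
    free(buf);
    return ok;
}

int ptr_example_fails_cleanly(void)
{
    static const unsigned char px[1] = { 0 };
    int size = -1;
    void *buf = image_write_ptr(px, FAKE_MAX_DIM, 1, &size);
    return buf == NULL && size == 0;
}
```

The point to check in review of any such wrapper is the single owner of `out.data`: after a successful write it belongs to the caller and the context must forget it; after a failed write the context alone frees it, and nothing else may.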
Christoph M. Becker
4859d69e07 Fix invalid read in gdImageCreateFromTiffPtr()
tiff_invalid_read.tiff is corrupt, and causes an invalid read in
gdImageCreateFromTiffPtr(), but not in gdImageCreateFromTiff(). The culprit
is dynamicGetbuf(), which doesn't check for out-of-bound reads. In this case,
dynamicGetbuf() is called with a negative dp->pos, but also positive buffer
overflows have to be handled, in which case 0 has to be returned (cf. commit
75e29a9).

Fixing dynamicGetbuf() exhibits that the corrupt TIFF would still create
the image, because the return value of TIFFReadRGBAImage() is not checked.
We do that, and let createFromTiffRgba() fail if TIFFReadRGBAImage() fails.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org.

CVE-2016-6911
2016-12-13 13:55:48 +01:00
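CVE-2016-6911 above and the PHP bug 75111 back-port earlier on this page both concern gd's in-memory "dynamic" I/O: `dynamicGetbuf()` must return 0 rather than read outside the buffer when the position is negative or past the end, and `dynamicSeek()` must refuse negative positions the way `fileSeek()` does. As an added example (not libgd's gd_io_dp.c code), here is a minimal in-memory read context with both behaviors; the `dyn_ctx` layout, the `dyn_seek`/`dyn_getbuf` names and the sample blob are this example's own, and the blob is not a real TIFF.

```c
#include <stddef.h>
#include <string.h>

/* In-memory read context standing in for gd's dynamic I/O (assumed here;
   field names are not gd's). */
typedef struct {
    const unsigned char *data;
    size_t size;     /* bytes available (the role of gd's logicalSize) */
    long pos;        /* current offset; signed on purpose to mirror the bug class */
} dyn_ctx;

/* Seek that behaves like a file: negative positions are refused, and so is
   anything past the end of the data. Returns 1 on success, 0 on failure. */
int dyn_seek(dyn_ctx *c, long pos)
{
    if (pos < 0 || (unsigned long)pos > c->size) return 0;
    c->pos = pos;
    return 1;
}

/* Bounded getbuf: returns the number of bytes copied, which is 0 when the
   position is negative or at/after the end, and never more than is left. */
int dyn_getbuf(dyn_ctx *c, void *buf, int len)
{
    if (len <= 0 || c->pos < 0 || (size_t)c->pos >= c->size) return 0;
    size_t left = c->size - (size_t)c->pos;
    size_t n = (size_t)len < left ? (size_t)len : left;
    memcpy(buf, c->data + c->pos, n);
    c->pos += (long)n;
    return (int)n;
}

/* Self-check on a constructed 8-byte blob. */
int dyn_example_ok(void)
{
    static const unsigned char blob[8] = "TIFFdata";   /* constructed, not a TIFF */
    dyn_ctx c = { blob, sizeof blob, 0 };
    unsigned char buf[16];
    if (dyn_seek(&c, -1) != 0) return 0;            /* negative seek refused */
    if (dyn_seek(&c, 9) != 0) return 0;             /* past the end refused */
    if (!dyn_seek(&c, 6)) return 0;
    if (dyn_getbuf(&c, buf, 16) != 2) return 0;     /* only "ta" is left */
    if (memcmp(buf, "ta", 2) != 0) return 0;
    if (dyn_getbuf(&c, buf, 16) != 0) return 0;     /* at end: 0, no read past it */
    c.pos = -4;                                     /* the negative pos the commit describes */
    return dyn_getbuf(&c, buf, 16) == 0;
}
```

Returning 0 from `dyn_getbuf` is what lets a caller such as a TIFF reader notice a short read and fail, which is the second half of the CVE-2016-6911 fix: the reader has to check that return value instead of assuming the image was filled.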
Christoph M. Becker
fb0e0cce0b Fix OOB reads of the TGA decompression buffer
It is possible to craft TGA files which will overflow the decompression
buffer, but not the image's bitmap. Therefore we augment the check for the
bitmap's overflow with a check for the buffer's overflow.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org.

CVE-2016-6906
2016-12-13 13:31:05 +01:00
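CVE-2016-6906 (this commit and its amendment 58b6dde319 above) is about a run-length decoder that checks the destination bitmap but not the compressed source buffer it is reading from. As an added example (not libgd's gd_tga.c code), here is a TGA run-length packet decoder with both checks: every header byte, run pixel and raw pixel is tested against the input length before it is read, and every packet against the bitmap before it is written. The packet layout (bit 7 = run, count = low 7 bits + 1) is the TGA one; the function name and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode TGA run-length packets from `in` into a bitmap of exactly `outlen`
   bytes. Each packet starts with a header byte: bit 7 set = run packet
   (one pixel repeated count times), clear = raw packet (count pixels
   follow); count = (header & 0x7F) + 1. Returns bytes written, or -1 if a
   packet would overrun the bitmap OR the compressed input buffer. */
long tga_rle_decode(const uint8_t *in, size_t inlen, int pixel_size,
                    uint8_t *out, size_t outlen)
{
    size_t pos = 0, written = 0;
    if (pixel_size < 1 || pixel_size > 4) return -1;

    while (written < outlen) {
        if (pos >= inlen) return -1;                   /* header beyond decompression buffer */
        uint8_t hdr = in[pos++];
        size_t count = (size_t)(hdr & 0x7F) + 1;
        size_t nbytes = count * (size_t)pixel_size;
        if (nbytes > outlen - written) return -1;      /* packet overruns the bitmap */

        if (hdr & 0x80) {                              /* run packet: one pixel, repeated */
            if ((size_t)pixel_size > inlen - pos) return -1;   /* pixel beyond buffer */
            for (size_t i = 0; i < count; i++, written += (size_t)pixel_size)
                memcpy(out + written, in + pos, (size_t)pixel_size);
            pos += (size_t)pixel_size;
        } else {                                       /* raw packet: count pixels follow */
            if (nbytes > inlen - pos) return -1;       /* raw data beyond buffer */
            memcpy(out + written, in + pos, nbytes);
            pos += nbytes;
            written += nbytes;
        }
    }
    return (long)written;
}

/* Self-check: run of 3 x 0xAA, raw 0x10 0x20, raw 0x30 -> 6 bytes. */
int tga_example_ok(void)
{
    static const uint8_t in[]     = { 0x82, 0xAA, 0x01, 0x10, 0x20, 0x00, 0x30 };
    static const uint8_t want[6]  = { 0xAA, 0xAA, 0xAA, 0x10, 0x20, 0x30 };
    uint8_t out[6] = { 0 };
    return tga_rle_decode(in, sizeof in, 1, out, sizeof out) == 6
        && memcmp(out, want, 6) == 0;
}

/* Self-check: each crafted input overruns one of the two buffers. */
int tga_example_rejects_overruns(void)
{
    static const uint8_t bitmap_ovf[] = { 0x85, 0xAA };   /* run of 6 into a 3-byte bitmap */
    static const uint8_t raw_trunc[]  = { 0x01, 0x10 };   /* raw packet promises 2, has 1 */
    static const uint8_t run_trunc[]  = { 0x80 };         /* run packet, pixel byte missing */
    uint8_t out[3];
    return tga_rle_decode(bitmap_ovf, 2, 1, out, 3) == -1
        && tga_rle_decode(raw_trunc, 2, 1, out, 3) == -1
        && tga_rle_decode(run_trunc, 1, 1, out, 3) == -1;
}
```

The bounds tests are written as `n > remaining` rather than `pos + n > len` so that a large count cannot wrap the addition; the amendment commit's off-by-one is the kind of slip that a subtraction-based check of the remaining bytes avoids.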
Christoph M. Becker
fea55903ee Fix #338: Fatal and normal libjpeg/libpng errors not distinguishable
libgd clients need to be able to distinguish between fatal and
"extremely fatal" libjpeg and libpng errors, because in the former case
execution can proceed, but in the latter case libgd calls exit().
Therefore we report fatal errors as GD_WARNING.
2016-11-16 18:10:29 +01:00
Mike Frysinger
5ebbd50cff cmake: add soname info to libgd.so
Pull out the library versioning info out of configure and into a common
script that both cmake & autotools can run.  This way we have a single
source of truth for the versioning info.
2016-11-10 09:09:14 -05:00
Christoph M. Becker
939d49a3a9 Fix #68: gif: buffer underflow reported by AddressSanitizer
The buffer underflow happens at the start of the bitstream and after
each clear code, where the wrap-around is actually unnecessary. To
avoid the buffer underflow we simply initialize scd->last_byte to 2,
instead of adding further control logic to skip the relevant
assignments altogether.

We do not add a regression test, because the buffer underflow could
only be detected with ASAN or a similar memory-checker (or debugging),
and it happens for all proper GIFs anyway, so other tests (such as
tests/gif/gif_im2im) already exhibited the behavior.
2016-10-15 19:00:57 +02:00
Christoph M. Becker
5311087193 Avoid potentially dangerous signed to unsigned conversion
We make sure to never pass a negative `rlen` as size to memcpy(). See
also <https://bugs.php.net/bug.php?id=73280>.

Patch provided by Emmanuel Law.
2016-10-12 11:15:32 +02:00
Christoph M. Becker
ca2b34e1f8 Fix #329: GD_BILINEAR_FIXED gdImageScale() can cause black border
We're passing `pixel1` as default color to `getPixelOverflow*()` for
pixels which may be outside the valid bounds. `pixel1` is supposed to
be always valid due to the fixed arithmetic's round towards zero
behavior.
2016-10-10 12:45:13 +02:00
Christoph M. Becker
77c8d359bb Fix #330: Integer overflow in gdImageScaleBilinearPalette()
The color components are supposed to be in range 0..255, so we must not
cast them to `signed char`, which can be the default for `char`.
2016-10-10 11:05:27 +02:00
Christoph M. Becker
b6b44d962d Document that gdImageScale() does not yet support GD_WEIGHTED4 2016-10-09 18:21:31 +02:00
Christoph M. Becker
0c0cd18aff Revert "Fix #328: gdImageScale() with GD_WEIGHTED4 always returns NULL"
This reverts commit 0809c9f64479e9f566e70d45a7934c3a77d9a93e.
2016-10-09 18:17:03 +02:00
Christoph M. Becker
0809c9f644 Fix #328: gdImageScale() with GD_WEIGHTED4 always returns NULL
Actually, there is no special case implementation for GD_WEIGHTED4
interpolation yet, so we must not pretend there would be.
2016-10-09 16:25:07 +02:00
Christoph M. Becker
1f3f82d901 Document cropping stuff 2016-10-09 12:46:31 +02:00
Christoph M. Becker
1458f8765c Support writing lossless WebP
Lossless WebP is a rather interesting alternative to PNG, and already
supported by `gdImageCreateFromWebp*()`, so we add support for
`gdImageWebp*()`, too.

We can stick with the existing API, using the quality parameter to
request lossless encoding if it is set to `gdWebpLossless`, which we
define to `PHP_INT` (to avoid adding a new dependency to gd.h, we hard-
code the value – we're assuming `sizeof(int)==4` anyway).
2016-10-09 00:47:05 +02:00
Christoph M. Becker
4ebdb483e4 Document gdImageCompare() 2016-10-06 18:28:46 +02:00
Christoph M. Becker
b697bf74db Document cloning, copying, scaling and interpolation 2016-10-06 15:50:16 +02:00
Christoph M. Becker
1b6564cdc8 Fix 321: Null pointer dereferences in gdImageRotateInterpolated
We let gdImageRotateInterpolated() fail early, if `src` is NULL.
2016-10-06 14:20:24 +02:00
Christoph M. Becker
65d40f5aa5 Fix #319: gdImageRotateInterpolated can have wrong background color
We backport the fix for <https://bugs.php.net/65070>, and also the fix for
<https://bugs.php.net/70976> which was introduced by fixing 65070.
2016-10-03 16:19:19 +02:00