2207e3c88a
The issue is that `gdImagePngCtxEx` (which is called by `gdImagePngPtr` and the other PNG output functions to do the real work) does not return whether it succeeded or failed, so this is not checked in `gdImagePngPtr` and the function wrongly assumes everything is okay, which is not, in this case, because the palette image contains no palette entries. We can't change the signature of `gdImagePngCtxEx` for API compatibility reasons, so we introduce the static helper `_gdImagePngCtxEx` which returns success respective failure, so `gdImagePngPtr` and `gdImagePngPtrEx` can check the return value. We leave it solely to libpng for now to report warnings regarding the failing write. CVE-2017-6362
32 lines
606 B
C
32 lines
606 B
C
/**
|
|
* Test that failure to convert to PNG returns NULL
|
|
*
|
|
* We are creating a palette image without allocating any colors in the palette,
|
|
* and pass this image to `gdImagePngPtr()` which is supposed to fail, and as
|
|
* such should return NULL.
|
|
*
|
|
* See also <https://github.com/libgd/libgd/issues/381>
|
|
*/
|
|
|
|
|
|
#include "gd.h"
|
|
#include "gdtest.h"
|
|
|
|
|
|
int main()
|
|
{
|
|
gdImagePtr im;
|
|
void *data;
|
|
int size = 0;
|
|
|
|
im = gdImageCreate(100, 100);
|
|
gdTestAssert(im != NULL);
|
|
|
|
data = gdImagePngPtr(im, &size);
|
|
gdTestAssert(data == NULL);
|
|
|
|
gdImageDestroy(im);
|
|
|
|
return gdNumFailures();
|
|
}
|