blob: b21a8ac6190fbfe77dd1e77a5bb899bb3fa9fca7 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
Fix CVE-2019-6977:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
Patch copied from Debian:
https://salsa.debian.org/debian/libgd2/commit/2d7d3b68bb79843e5271a05543e996fd5a3a8cd1
Description: Heap-based buffer overflow in gdImageColorMatch
Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
Bug-PHP: https://bugs.php.net/bug.php?id=77270
Bug-Debian: https://bugs.debian.org/920645
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
Forwarded: no
Author: "Christoph M. Becker" <cmbecker69@gmx.de>
Last-Update: 2019-02-01
At least some of the image reading functions may return images which
use color indexes greater than or equal to im->colorsTotal. We cater
to this by always using a buffer size which is sufficient for
`gdMaxColors` in `gdImageColorMatch()`.
---
--- a/src/gd_color_match.c
+++ b/src/gd_color_match.c
@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
return -4; /* At least 1 color must be allocated */
}
- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
for (x=0; x < im1->sx; x++) {
for( y=0; y<im1->sy; y++ ) {
|