|
 |
3220ab |
From 5b026e3cc05d7041cbe47a8702f1b51ffbf0a99b Mon Sep 17 00:00:00 2001
|
|
|
3220ab |
From: Ondrej Dubaj <odubaj@redhat.com>
|
|
|
3220ab |
Date: Thu, 5 Mar 2020 11:02:27 +0100
|
|
|
3220ab |
Subject: [PATCH] Imagecolormatch Out Of Bounds Write on Heap
|
|
|
3220ab |
|
|
|
3220ab |
At least some of the image reading functions may return images which
|
|
|
3220ab |
use color indexes greater than or equal to im->colorsTotal. We cater
|
|
|
3220ab |
to this by always using a buffer size which is sufficient for
|
|
|
3220ab |
`gdMaxColors` in `gdImageColorMatch()`.
|
|
|
3220ab |
|
|
|
3220ab |
Resolves: #1678104
|
|
|
3220ab |
Version: 2.2.5-7
|
|
|
3220ab |
---
|
|
|
3220ab |
src/gd_color_match.c | 4 ++--
|
|
|
3220ab |
tests/CMakeLists.txt | 1 +
|
|
|
3220ab |
tests/Makefile.am | 1 +
|
|
|
3220ab |
tests/gdimagecolormatch/CMakeLists.txt | 5 +++++
|
|
|
3220ab |
tests/gdimagecolormatch/Makemodule.am | 5 +++++
|
|
|
3220ab |
tests/gdimagecolormatch/cve_2019_6977.c | 25 +++++++++++++++++++++++++
|
|
|
3220ab |
6 files changed, 39 insertions(+), 2 deletions(-)
|
|
|
3220ab |
create mode 100644 tests/gdimagecolormatch/CMakeLists.txt
|
|
|
3220ab |
create mode 100644 tests/gdimagecolormatch/Makemodule.am
|
|
|
3220ab |
create mode 100644 tests/gdimagecolormatch/cve_2019_6977.c
|
|
|
3220ab |
|
|
|
3220ab |
diff --git a/src/gd_color_match.c b/src/gd_color_match.c
|
|
|
3220ab |
index f0842b6..a94a841 100755
|
|
|
3220ab |
--- a/src/gd_color_match.c
|
|
|
3220ab |
+++ b/src/gd_color_match.c
|
|
|
3220ab |
@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
|
|
|
3220ab |
return -4; /* At least 1 color must be allocated */
|
|
|
3220ab |
}
|
|
|
3220ab |
|
|
|
3220ab |
- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
|
|
|
3220ab |
- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
|
|
|
3220ab |
+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
|
|
|
3220ab |
+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
|
|
|
3220ab |
|
|
|
3220ab |
for (x=0; x < im1->sx; x++) {
|
|
|
3220ab |
for( y=0; y<im1->sy; y++ ) {
|
|
|
3220ab |
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
|
|
|
3220ab |
index 7eef4bf..6979416 100755
|
|
|
3220ab |
--- a/tests/CMakeLists.txt
|
|
|
3220ab |
+++ b/tests/CMakeLists.txt
|
|
|
3220ab |
@@ -31,6 +31,7 @@ if (BUILD_TEST)
|
|
|
3220ab |
gdimagecolordeallocate
|
|
|
3220ab |
gdimagecolorexact
|
|
|
3220ab |
gdimagecolorreplace
|
|
|
3220ab |
+ gdimagecolormatch
|
|
|
3220ab |
gdimagecolorresolve
|
|
|
3220ab |
gdimagecolortransparent
|
|
|
3220ab |
gdimagecontrast
|
|
|
3220ab |
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
|
3220ab |
index 5f8b624..1a44112 100755
|
|
|
3220ab |
--- a/tests/Makefile.am
|
|
|
3220ab |
+++ b/tests/Makefile.am
|
|
|
3220ab |
@@ -26,6 +26,7 @@ include gdimagecolorclosest/Makemodule.am
|
|
|
3220ab |
include gdimagecolordeallocate/Makemodule.am
|
|
|
3220ab |
include gdimagecolorexact/Makemodule.am
|
|
|
3220ab |
include gdimagecolorreplace/Makemodule.am
|
|
|
3220ab |
+include gdimagecolormatch/Makemodule.am
|
|
|
3220ab |
include gdimagecolorresolve/Makemodule.am
|
|
|
3220ab |
include gdimagecolortransparent/Makemodule.am
|
|
|
3220ab |
include gdimagecontrast/Makemodule.am
|
|
|
3220ab |
diff --git a/tests/gdimagecolormatch/CMakeLists.txt b/tests/gdimagecolormatch/CMakeLists.txt
|
|
|
3220ab |
new file mode 100644
|
|
|
3220ab |
index 0000000..591938f
|
|
|
3220ab |
--- /dev/null
|
|
|
3220ab |
+++ b/tests/gdimagecolormatch/CMakeLists.txt
|
|
|
3220ab |
@@ -0,0 +1,5 @@
|
|
|
3220ab |
+LIST(APPEND TESTS_FILES
|
|
|
3220ab |
+ cve_2019_6977
|
|
|
3220ab |
+)
|
|
|
3220ab |
+
|
|
|
3220ab |
+ADD_GD_TESTS()
|
|
|
3220ab |
diff --git a/tests/gdimagecolormatch/Makemodule.am b/tests/gdimagecolormatch/Makemodule.am
|
|
|
3220ab |
new file mode 100644
|
|
|
3220ab |
index 0000000..e8e09a9
|
|
|
3220ab |
--- /dev/null
|
|
|
3220ab |
+++ b/tests/gdimagecolormatch/Makemodule.am
|
|
|
3220ab |
@@ -0,0 +1,5 @@
|
|
|
3220ab |
+libgd_test_programs += \
|
|
|
3220ab |
+ gdimagecolormatch/cve_2019_6977
|
|
|
3220ab |
+
|
|
|
3220ab |
+EXTRA_DIST += \
|
|
|
3220ab |
+ gdimagecolormatch/CMakeLists.txt
|
|
|
3220ab |
diff --git a/tests/gdimagecolormatch/cve_2019_6977.c b/tests/gdimagecolormatch/cve_2019_6977.c
|
|
|
3220ab |
new file mode 100644
|
|
|
3220ab |
index 0000000..fdd7af5
|
|
|
3220ab |
--- /dev/null
|
|
|
3220ab |
+++ b/tests/gdimagecolormatch/cve_2019_6977.c
|
|
|
3220ab |
@@ -0,0 +1,25 @@
|
|
|
3220ab |
+/**
|
|
|
3220ab |
+ * Test for CVE-2019-6977
|
|
|
3220ab |
+ */
|
|
|
3220ab |
+
|
|
|
3220ab |
+#include "gd.h"
|
|
|
3220ab |
+
|
|
|
3220ab |
+int main()
|
|
|
3220ab |
+{
|
|
|
3220ab |
+ gdImagePtr im1;
|
|
|
3220ab |
+ gdImagePtr im2;
|
|
|
3220ab |
+
|
|
|
3220ab |
+ im1 = gdImageCreateTrueColor(0xfff, 0xfff);
|
|
|
3220ab |
+ im2 = gdImageCreate(0xfff, 0xfff);
|
|
|
3220ab |
+ if (gdImageColorAllocate(im2, 0, 0, 0) < 0)
|
|
|
3220ab |
+ {
|
|
|
3220ab |
+ gdImageDestroy(im1);
|
|
|
3220ab |
+ gdImageDestroy(im2);
|
|
|
3220ab |
+ return 1;
|
|
|
3220ab |
+ }
|
|
|
3220ab |
+ gdImageSetPixel(im2, 0, 0, 255);
|
|
|
3220ab |
+ gdImageColorMatch(im1, im2);
|
|
|
3220ab |
+ gdImageDestroy(im1);
|
|
|
3220ab |
+ gdImageDestroy(im2);
|
|
|
3220ab |
+ return 0;
|
|
|
3220ab |
+}
|
|
|
3220ab |
--
|
|
|
3220ab |
2.24.1
|
|
|
3220ab |
|
|
|
3220ab |
|