37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
Fix CVE-2019-6977:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
|
|
|
|
Patch copied from Debian:
|
|
|
|
https://salsa.debian.org/debian/libgd2/commit/2d7d3b68bb79843e5271a05543e996fd5a3a8cd1
|
|
|
|
Description: Heap-based buffer overflow in gdImageColorMatch
|
|
Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
|
|
Bug-PHP: https://bugs.php.net/bug.php?id=77270
|
|
Bug-Debian: https://bugs.debian.org/920645
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
|
|
Forwarded: no
|
|
Author: "Christoph M. Becker" <cmbecker69@gmx.de>
|
|
Last-Update: 2019-02-01
|
|
|
|
At least some of the image reading functions may return images which
|
|
use color indexes greater than or equal to im->colorsTotal. We cater
|
|
to this by always using a buffer size which is sufficient for
|
|
`gdMaxColors` in `gdImageColorMatch()`.
|
|
---
|
|
|
|
--- a/src/gd_color_match.c
|
|
+++ b/src/gd_color_match.c
|
|
@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
|
|
return -4; /* At least 1 color must be allocated */
|
|
}
|
|
|
|
- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
|
|
- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
|
|
+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
|
|
+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
|
|
|
|
for (x=0; x < im1->sx; x++) {
|
|
for( y=0; y<im1->sy; y++ ) {
|