Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()

2019-06-04 11:04:25 +02:00 · 2019-06-04 11:04:25 +02:00 · 11a42338bd
commit 11a42338bd
parent 25560c12f9
2 changed files with 36 additions and 1 deletions
--- a/gd-2.2.5-heap-based-buffer-overflow.patch
+++ b/gd-2.2.5-heap-based-buffer-overflow.patch
@ -0,0 +1,28 @@
+From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Tue, 4 Jun 2019 10:54:45 +0200
+Subject: [PATCH] heap based buffer overflow in
+ gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
+
+---
+ src/gd_color_match.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_color_match.c b/src/gd_color_match.c
+index f0842b6..a94a841 100755
+--- a/src/gd_color_match.c
+++ b/src/gd_color_match.c
+@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
+ 		return -4; /* At least 1 color must be allocated */
+ 	}
+ 
+-	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
+-	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
+	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
+	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
+ 
+ 	for (x=0; x < im1->sx; x++) {
+ 		for( y=0; y<im1->sy; y++ ) {
+-- 
+2.17.1
+
--- a/gd.spec
+++ b/gd.spec
@ -9,7 +9,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.2.5
-Release:       9%{?prever}%{?short}%{?dist}
+Release:       10%{?prever}%{?short}%{?dist}
 License:       MIT
 URL:           http://libgd.github.io/
 %if 0%{?commit:1}
@ -25,6 +25,8 @@ Patch1:        gd-2.1.0-multilib.patch
 Patch2:        gd-2.2.5-upstream.patch
 # CVE-2018-1000222 - https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
 Patch3:        gd-2.2.5-gdImageBmpPtr-double-free.patch
+# CVE-2019-6977
+Patch4:        gd-2.2.5-heap-based-buffer-overflow.patch

 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@ -90,6 +92,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %patch1 -p1 -b .mlib
 %patch2 -p1 -b .upstream
 %patch3 -p1 -b .gdImageBmpPtr-free
+%patch4 -p1

 : $(perl config/getver.pl)

@ -161,6 +164,10 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc


 %changelog
+* Fri Nov 01 2019 odubaj@redhat.com - 2.2.5-10
+- Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
+- Resolves: RHBZ#1678104 (CVE-2019-6977)
+
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild