rpms/gd
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()

Browse Source
This commit is contained in:
Ondrej Dubaj 2019-06-04 11:04:25 +02:00
parent 25560c12f9
commit 11a42338bd
2 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
gd-2.2.5-heap-based-buffer-overflow.patch Normal file
View File

@ -0,0 +1,28 @@
From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Tue, 4 Jun 2019 10:54:45 +0200
Subject: [PATCH] heap based buffer overflow in
gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
---
src/gd_color_match.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/gd_color_match.c b/src/gd_color_match.c
index f0842b6..a94a841 100755
--- a/src/gd_color_match.c
+++ b/src/gd_color_match.c
@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
return -4; /* At least 1 color must be allocated */
}
- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
for (x=0; x < im1->sx; x++) {
for( y=0; y<im1->sy; y++ ) {
--
2.17.1

9
gd.spec
View File

@ -9,7 +9,7 @@
Summary: A graphics library for quick creation of PNG or JPEG images Summary: A graphics library for quick creation of PNG or JPEG images
Name: gd Name: gd
Version: 2.2.5 Version: 2.2.5
Release: 9%{?prever}%{?short}%{?dist} Release: 10%{?prever}%{?short}%{?dist}
License: MIT License: MIT
URL: http://libgd.github.io/ URL: http://libgd.github.io/
%if 0%{?commit:1} %if 0%{?commit:1}
@ -25,6 +25,8 @@ Patch1: gd-2.1.0-multilib.patch
Patch2: gd-2.2.5-upstream.patch Patch2: gd-2.2.5-upstream.patch
# CVE-2018-1000222 - https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 # CVE-2018-1000222 - https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
Patch3: gd-2.2.5-gdImageBmpPtr-double-free.patch Patch3: gd-2.2.5-gdImageBmpPtr-double-free.patch
# CVE-2019-6977
Patch4: gd-2.2.5-heap-based-buffer-overflow.patch
BuildRequires: freetype-devel BuildRequires: freetype-devel
BuildRequires: fontconfig-devel BuildRequires: fontconfig-devel
@ -90,6 +92,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
%patch1 -p1 -b .mlib %patch1 -p1 -b .mlib
%patch2 -p1 -b .upstream %patch2 -p1 -b .upstream
%patch3 -p1 -b .gdImageBmpPtr-free %patch3 -p1 -b .gdImageBmpPtr-free
%patch4 -p1
: $(perl config/getver.pl) : $(perl config/getver.pl)
@ -161,6 +164,10 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
%changelog %changelog
* Fri Nov 01 2019 odubaj@redhat.com - 2.2.5-10
- Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
- Resolves: RHBZ#1678104 (CVE-2019-6977)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-9 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild