Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()

Ondrej Dubaj 2019-06-04 11:04:25 +02:00
parent 88a1fee47a
commit 136a74b419
2 changed files with 36 additions and 1 deletions


@ -0,0 +1,28 @@
From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj <odubaj@redhat.com>
Date: Tue, 4 Jun 2019 10:54:45 +0200
Subject: [PATCH] heap based buffer overflow in
gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
---
src/gd_color_match.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/gd_color_match.c b/src/gd_color_match.c
index f0842b6..a94a841 100755
--- a/src/gd_color_match.c
+++ b/src/gd_color_match.c
@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
return -4; /* At least 1 color must be allocated */
}
- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
for (x=0; x < im1->sx; x++) {
for( y=0; y<im1->sy; y++ ) {
--
2.17.1
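Review bot: The new `buf = (unsigned long *)gdMalloc(...)` line still hands the result straight to `memset` without a NULL check, so the commit fixes the undersized allocation but leaves an unchecked allocation in place; in libgd gdMalloc is, as far as I know, a plain malloc wrapper that can return NULL (worth confirming for 2.2.5), so a `if (!buf) return -5;`-style guard following the negative-code convention of the `return -4` above would be prudent. The two new lines could also collapse into one zero-initialising call, `buf = (unsigned long *)gdCalloc(5 * gdMaxColors, sizeof(unsigned long));`, which keeps the size and the zeroing together. The switch from `im2->colorsTotal` to `gdMaxColors` is what closes the overflow, presumably because palette indices read from the image later in the loop are bounded by gdMaxColors rather than by the current allocated-colour count; a one-line comment stating that, e.g. `/* sized by gdMaxColors: pixel indices are not bounded by colorsTotal (CVE-2019-6977) */`, would stop a future cleanup from "optimising" it back. gdImageColorMatch's body starts and ends outside the hunk.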


@ -9,7 +9,7 @@
Summary: A graphics library for quick creation of PNG or JPEG images
Name: gd
Version: 2.2.5
Release: 7%{?prever}%{?short}%{?dist}
Release: 8%{?prever}%{?short}%{?dist}
Group: System Environment/Libraries
License: MIT
URL: http://libgd.github.io/
@ -26,6 +26,8 @@ Patch1: gd-2.1.0-multilib.patch
Patch2: gd-2.2.5-upstream.patch
# CVE-2018-1000222 - https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
Patch3: gd-2.2.5-gdImageBmpPtr-double-free.patch
# CVE-2019-6977
Patch4: gd-2.2.5-heap-based-buffer-overflow.patch
BuildRequires: freetype-devel
BuildRequires: fontconfig-devel
@ -93,6 +95,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
%patch1 -p1 -b .mlib
%patch2 -p1 -b .upstream
%patch3 -p1 -b .gdImageBmpPtr-free
%patch4 -p1
: $(perl config/getver.pl)
@ -166,6 +169,10 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
%changelog
* Fri Nov 01 2019 odubaj@redhat.com - 2.2.5-8
- Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
- Resolves: RHBZ#1678104 (CVE-2019-6977)
* Fri Sep 07 2018 mskalick@redhat.com - 2.2.5-7
- Add missing requires to libimagequent-devel
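Review bot: The new `%patch4 -p1` line omits the `-b` backup suffix that every other %patch line in this spec passes (`.mlib`, `.upstream`, `.gdImageBmpPtr-free`); for consistency, and so a .orig copy of gd_color_match.c is kept for debugging, prefer `%patch4 -p1 -b .heap-overflow` (suffix chosen here, pick whatever matches the others). The `# CVE-2019-6977` comment above `Patch4:` would be more useful in the same form as the Patch3 comment, i.e. with the upstream commit reference, if one is known. The changelog entry is dated `Fri Nov 01 2019` while the commit itself is dated 2019-06-04; rpmbuild accepts it, but it is worth confirming the date is intended.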