Ondrej Dubaj dc2735f5a8 Potential double-free in gdImage*Ptr()
Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
must not call `gdDPExtractData()`; otherwise a double-free would
happen.  Since `gdImage*Ctx()` are void functions, and we can't change
that for BC reasons, we're introducing static helpers which are used
internally.

We're adding a regression test for `gdImageJpegPtr()`, but not for
`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
trigger failure of the respective `gdImage*Ctx()` calls.

This potential security issue has been reported by Solmaz Salimi (aka.
Rooney).
2019-11-01 09:21:22 +01:00
.gitignore
gd-2.1.0-multilib.patch
gd-2.2.5-gdImageBmpPtr-double-free.patch Check return value in gdImageBmpPtr to avoid double free (CVE-2018-1000222) 2018-08-30 11:04:26 +02:00
gd-2.2.5-heap-based-buffer-overflow.patch Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch() 2019-11-01 09:19:30 +01:00
gd-2.2.5-potential-double-free.patch Potential double-free in gdImage*Ptr() 2019-11-01 09:21:22 +01:00
gd-2.2.5-upstream.patch Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx 2018-03-26 12:49:23 +02:00
gd.spec Potential double-free in gdImage*Ptr() 2019-11-01 09:21:22 +01:00
sources
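
The pattern described in the commit message at the top of this page, as an added example that is not code from libgd or from this package: a void encoder hides its failure from the `*Ptr()`-style wrapper, and a static status-returning helper lets the wrapper skip extraction. All names (`out_ctx`, `encode_ctx_status`, `extract_data`, `ptr_unchecked`, `ptr_checked`) and the failure condition are constructed, and the model assumes the failing encoder releases the buffer on its error path, which the page does not detail.

```c
#include <stdlib.h>
#include <string.h>

enum { CAP = 64 };
/* Constructed model of a dynamic output context; not libgd's structure. */
typedef struct { unsigned char *data; size_t len; int releases; } out_ctx;

/* Count every release request but call free() only once, so the demo stays
   well-defined; releases == 2 is where a real double free would occur. */
static void release_buf(out_ctx *c) { if (c->releases++ == 0) free(c->data); }

/* Static helper in the style the commit describes: does the encoding work
   and reports the outcome (0 = ok, 1 = failed). */
static int encode_ctx_status(const char *pixels, out_ctx *c) {
    if (pixels == NULL || strlen(pixels) >= CAP) { /* constructed failure */
        release_buf(c);      /* assumption: the error path drops the buffer */
        return 1;
    }
    c->len = strlen(pixels);
    memcpy(c->data, pixels, c->len);
    return 0;
}

/* Public void function keeps its signature; the failure is invisible here. */
void encode_ctx(const char *pixels, out_ctx *c) { (void)encode_ctx_status(pixels, c); }

/* Hand the buffer to the caller, or release it when nothing was written. */
static void *extract_data(out_ctx *c, size_t *size) {
    *size = c->len;
    if (c->len == 0) { release_buf(c); return NULL; }
    return c->data;
}

/* Before: extraction runs even after a failed encode. Returns release count. */
int ptr_unchecked(const char *pixels, void **out, size_t *size) {
    out_ctx c = { malloc(CAP), 0, 0 };
    if (c.data == NULL) return -1;
    encode_ctx(pixels, &c);
    *out = extract_data(&c, size);
    return c.releases;
}

/* After: extraction is skipped when the helper reports failure. */
int ptr_checked(const char *pixels, void **out, size_t *size) {
    out_ctx c = { malloc(CAP), 0, 0 };
    if (c.data == NULL) return -1;
    if (encode_ctx_status(pixels, &c) == 0) { *out = extract_data(&c, size); return c.releases; }
    *out = NULL; *size = 0;
    return c.releases;
}
```

On success both wrappers return a buffer the caller must free; on failure only the unchecked wrapper reaches a second release.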