1fb3530455
From changelog:
Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow (CVE-2016-5767)
=> already in 2.1.1
Integer Overflow in _gd2GetHeader() resulting in heap overflow (CVE-2016-5766)
=> seems missing in libgd compared to PHP
=> under investigation
NULL Pointer Dereference at _gdScaleVert
=> unneeded, already on 2.1.1
32 lines
785 B
Diff
32 lines
785 B
Diff
From 4d29684fd4ddbd6bb4dbde805f0fdaa84b0f66f2 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
|
|
Date: Fri, 20 May 2016 09:39:38 +0200
|
|
Subject: [PATCH] CVE-2015-8874
|
|
|
|
---
|
|
src/gd.c | 11 +++++++++++
|
|
1 file changed, 11 insertions(+)
|
|
|
|
diff --git a/src/gd.c b/src/gd.c
|
|
index 300dfce..0603247 100644
|
|
--- a/src/gd.c
|
|
+++ b/src/gd.c
|
|
@@ -1938,6 +1938,17 @@ BGD_DECLARE(void) gdImageFillToBorder (gdImagePtr im, int x, int y, int border,
|
|
restoreAlphaBleding = im->alphaBlendingFlag;
|
|
im->alphaBlendingFlag = 0;
|
|
|
|
+ if (x >= im->sx) {
|
|
+ x = im->sx - 1;
|
|
+ } else if (x < 0) {
|
|
+ x = 0;
|
|
+ }
|
|
+ if (y >= im->sy) {
|
|
+ y = im->sy - 1;
|
|
+ } else if (y < 0) {
|
|
+ y = 0;
|
|
+ }
|
|
+
|
|
for (i = x; (i >= 0); i--) {
|
|
if (gdImageGetPixel (im, i, y) == border) {
|
|
break;
|