#1 Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
Closed 4 years ago by odubaj. Opened 4 years ago by odubaj.

@@ -0,0 +1,28 @@ 

+ From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001

+ From: Ondrej Dubaj <odubaj@redhat.com>

+ Date: Tue, 4 Jun 2019 10:54:45 +0200

+ Subject: [PATCH] heap based buffer overflow in

+  gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()

+ 

+ ---

+  src/gd_color_match.c | 4 ++--

+  1 file changed, 2 insertions(+), 2 deletions(-)

+ 

+ diff --git a/src/gd_color_match.c b/src/gd_color_match.c

+ index f0842b6..a94a841 100755

+ --- a/src/gd_color_match.c

+ +++ b/src/gd_color_match.c

+ @@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)

+  		return -4; /* At least 1 color must be allocated */

+  	}

+  

+ -	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);

+ -	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );

+ +	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);

+ +	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );

+  

+  	for (x=0; x < im1->sx; x++) {

+  		for( y=0; y<im1->sy; y++ ) {

+ -- 

+ 2.17.1

+ 
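Review bot: The allocation result is still not checked before use — `buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);` is followed directly by `memset (buf, 0, ...)`, so an allocation failure dereferences a null pointer; the removed lines had the same gap, and this patch is the natural place to close it with a `if (!buf)` guard that returns one of the function's negative error codes (the visible `return -4` shows the convention, but I cannot see which code the function reserves for allocation failure, so pick it to match the rest of the body). Sizing the buffer by `gdMaxColors` instead of `im2->colorsTotal` is the actual CVE fix and looks right, since the later indexing by `im1` pixel values is presumably bounded by the palette maximum rather than by `im2`'s allocated count; the loop that does that indexing lies outside the hunk, as does the rest of `gdImageColorMatch`. The patch header carries no upstream commit or bug reference, which would help whoever later rebases it; the PR comment explains why none exists yet, and a one-line `Origin:`/`Bug:` note in the patch description would record that.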

file modified
+8 -1
@@ -9,7 +9,7 @@ 

  Summary:       A graphics library for quick creation of PNG or JPEG images

  Name:          gd

  Version:       2.2.5

- Release:       8%{?prever}%{?short}%{?dist}

+ Release:       9%{?prever}%{?short}%{?dist}

  License:       MIT

  URL:           http://libgd.github.io/

  %if 0%{?commit:1}
@@ -25,6 +25,8 @@ 

  Patch2:        gd-2.2.5-upstream.patch

  # CVE-2018-1000222 - https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5

  Patch3:        gd-2.2.5-gdImageBmpPtr-double-free.patch

+ # CVE-2019-6977

+ Patch4:        gd-2.2.5-heap-based-buffer-overflow.patch

  

  BuildRequires: freetype-devel

  BuildRequires: fontconfig-devel
@@ -90,6 +92,7 @@ 

  %patch1 -p1 -b .mlib

  %patch2 -p1 -b .upstream

  %patch3 -p1 -b .gdImageBmpPtr-free

+ %patch4 -p1

  

  : $(perl config/getver.pl)

  
@@ -161,6 +164,10 @@ 

  

  

  %changelog

+ * Tue Jun 04 2019 odubaj@redhat.com - 2.2.5-9

+ - Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()

+   Resolves: RHBZ#1678104 (CVE-2019-6977)

+ 

  * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-8

  - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

  
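Review bot: `%patch4 -p1` omits the `-b` backup suffix that every other `%patchN` line in the `@@ -90,6 +92,7 @@` hunk carries (`.mlib`, `.upstream`, `.gdImageBmpPtr-free`); for consistency write `%patch4 -p1 -b .colormatch` (suffix constructed, choose any name in the file's style). The `# CVE-2019-6977` comment above `Patch4:` is also thinner than the neighbouring Patch3 comment, which links the upstream commit; since the PR description says upstream has not fixed this yet, recording the bug reference instead, e.g. `# CVE-2019-6977 - RHBZ#1678104, not yet upstream`, tells the next maintainer where to look when rebasing. The changelog entry cites RHBZ#1678104 while the PR comment cites RHBZ#1672210; worth confirming which bug the `Resolves:` line should name.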

RHBZ#1672210

Not fixed in upstream yet, waiting for response.
