| |
@@ -0,0 +1,28 @@
|
| |
+ From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001
|
| |
+ From: Ondrej Dubaj <odubaj@redhat.com>
|
| |
+ Date: Tue, 4 Jun 2019 10:54:45 +0200
|
| |
+ Subject: [PATCH] heap based buffer overflow in
|
| |
+ gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
|
| |
+
|
| |
+ ---
|
| |
+ src/gd_color_match.c | 4 ++--
|
| |
+ 1 file changed, 2 insertions(+), 2 deletions(-)
|
| |
+
|
| |
+ diff --git a/src/gd_color_match.c b/src/gd_color_match.c
|
| |
+ index f0842b6..a94a841 100755
|
| |
+ --- a/src/gd_color_match.c
|
| |
+ +++ b/src/gd_color_match.c
|
| |
+ @@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
|
| |
+ return -4; /* At least 1 color must be allocated */
|
| |
+ }
|
| |
+
|
| |
+ - buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
|
| |
+ - memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
|
| |
+ + buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
|
| |
+ + memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
|
| |
+
|
| |
+ for (x=0; x < im1->sx; x++) {
|
| |
+ for( y=0; y<im1->sy; y++ ) {
|
| |
+ --
|
| |
+ 2.17.1
|
| |
+
|
| |
RHBZ#1672210
Not fixed in upstream yet, waiting for response.