From 5b026e3cc05d7041cbe47a8702f1b51ffbf0a99b Mon Sep 17 00:00:00 2001
From: Ondrej Dubaj
Date: Thu, 5 Mar 2020 11:02:27 +0100
Subject: [PATCH] Imagecolormatch Out Of Bounds Write on Heap

At least some of the image reading functions may return images which use color indexes greater than or equal to im->colorsTotal. We cater to this by always using a buffer size which is sufficient for `gdMaxColors` in `gdImageColorMatch()`.
Resolves: #1678104
Version: 2.2.5-7
---
src/gd_color_match.c | 4 ++--
tests/CMakeLists.txt | 1 +
tests/Makefile.am | 1 +
tests/gdimagecolormatch/CMakeLists.txt | 5 +++++
tests/gdimagecolormatch/Makemodule.am | 5 +++++
tests/gdimagecolormatch/cve_2019_6977.c | 25 +++++++++++++++++++++++++
6 files changed, 39 insertions(+), 2 deletions(-)
create mode 100644 tests/gdimagecolormatch/CMakeLists.txt
create mode 100644 tests/gdimagecolormatch/Makemodule.am
create mode 100644 tests/gdimagecolormatch/cve_2019_6977.c

diff --git a/src/gd_color_match.c b/src/gd_color_match.c
index f0842b6..a94a841 100755
--- a/src/gd_color_match.c
+++ b/src/gd_color_match.c
@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
 return -4; /* At least 1 color must be allocated */
 }
 
- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
 
 for (x=0; x < im1->sx; x++) {
 for( y=0; ysy; y++ ) {
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 7eef4bf..6979416 100755
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -31,6 +31,7 @@ if (BUILD_TEST)
 gdimagecolordeallocate
 gdimagecolorexact
 gdimagecolorreplace
+ gdimagecolormatch
 gdimagecolorresolve
 gdimagecolortransparent
 gdimagecontrast
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 5f8b624..1a44112 100755
--- a/tests/Makefile.am
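Review bot: The pointer returned by gdMalloc() on the first added line is still handed straight to memset() on the second without a NULL check, so an allocation failure becomes a null-pointer write rather than an error return; unless gdMalloc aborts on failure (it appears to be a plain malloc wrapper), insert `if (buf == NULL) return -5;` between the two lines, following the function's existing negative-code convention (-1..-4 are visible above). The reason gdMaxColors is a safe bound — a palette pixel index is limited by its storage type, not by colorsTotal — lives only in the commit message; a comment above the allocation such as `/* Pixel indexes may exceed colorsTotal (CVE-2019-6977); size for gdMaxColors, the hard upper bound of a palette index. */` would keep that invariant next to the code. Since the buffer is zeroed immediately, the malloc/memset pair could also be a single `buf = gdCalloc(5 * gdMaxColors, sizeof *buf);`. gdImageColorMatch continues outside the hunk, so the later loops that index buf could not be checked here.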
+++ b/tests/Makefile.am
@@ -26,6 +26,7 @@ include gdimagecolorclosest/Makemodule.am
 include gdimagecolordeallocate/Makemodule.am
 include gdimagecolorexact/Makemodule.am
 include gdimagecolorreplace/Makemodule.am
+include gdimagecolormatch/Makemodule.am
 include gdimagecolorresolve/Makemodule.am
 include gdimagecolortransparent/Makemodule.am
 include gdimagecontrast/Makemodule.am
diff --git a/tests/gdimagecolormatch/CMakeLists.txt b/tests/gdimagecolormatch/CMakeLists.txt
new file mode 100644
index 0000000..591938f
--- /dev/null
+++ b/tests/gdimagecolormatch/CMakeLists.txt
@@ -0,0 +1,5 @@
+LIST(APPEND TESTS_FILES
+ cve_2019_6977
+)
+
+ADD_GD_TESTS()
diff --git a/tests/gdimagecolormatch/Makemodule.am b/tests/gdimagecolormatch/Makemodule.am
new file mode 100644
index 0000000..e8e09a9
--- /dev/null
+++ b/tests/gdimagecolormatch/Makemodule.am
@@ -0,0 +1,5 @@
+libgd_test_programs += \
+ gdimagecolormatch/cve_2019_6977
+
+EXTRA_DIST += \
+ gdimagecolormatch/CMakeLists.txt
diff --git a/tests/gdimagecolormatch/cve_2019_6977.c b/tests/gdimagecolormatch/cve_2019_6977.c
new file mode 100644
index 0000000..fdd7af5
--- /dev/null
+++ b/tests/gdimagecolormatch/cve_2019_6977.c
@@ -0,0 +1,25 @@
+/**
+ * Test for CVE-2019-6977
+ */
+
+#include "gd.h"
+
+int main()
+{
+ gdImagePtr im1;
+ gdImagePtr im2;
+
+ im1 = gdImageCreateTrueColor(0xfff, 0xfff);
+ im2 = gdImageCreate(0xfff, 0xfff);
+ if (gdImageColorAllocate(im2, 0, 0, 0) < 0)
+ {
+ gdImageDestroy(im1);
+ gdImageDestroy(im2);
+ return 1;
+ }
+ gdImageSetPixel(im2, 0, 0, 255);
+ gdImageColorMatch(im1, im2);
+ gdImageDestroy(im1);
+ gdImageDestroy(im2);
+ return 0;
+}
--
2.24.1
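Review bot: Neither the gdImageCreateTrueColor() nor the gdImageCreate() result is checked before use, so if either 0xfff×0xfff allocation fails on a memory-constrained CI host, a NULL im2 reaches gdImageColorAllocate() and a NULL im1 reaches gdImageColorMatch(), and an allocation failure is reported as a crash indistinguishable from the regression the test exists to catch. The return value of gdImageColorMatch() is also discarded, so the test passes as long as nothing faults; treating a non-zero return as failure would make a silently broken match visible as well. `int main()` should be `int main(void)`, and a short comment that 255 is a legal pixel index that nevertheless exceeds colorsTotal (1) — the condition behind CVE-2019-6977 — would explain why the test is shaped this way. The rewritten portions are below; the gdImageColorAllocate() check and the final cleanup are unchanged.

```c
int main(void)
{
	gdImagePtr im1;
	gdImagePtr im2;

	im1 = gdImageCreateTrueColor(0xfff, 0xfff);
	if (im1 == NULL) {
		return 1;
	}
	im2 = gdImageCreate(0xfff, 0xfff);
	if (im2 == NULL) {
		gdImageDestroy(im1);
		return 1;
	}
	/* … unchanged: gdImageColorAllocate check and early return … */
	/* 255 is a valid pixel index but exceeds colorsTotal (1): this is the
	 * out-of-bounds case from CVE-2019-6977 */
	gdImageSetPixel(im2, 0, 0, 255);
	if (gdImageColorMatch(im1, im2) != 0) {
		gdImageDestroy(im1);
		gdImageDestroy(im2);
		return 1;
	}
	/* … unchanged: destroy both images, return 0 … */
```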