Adapted for 5.4.13
With test removed (binary patch not handled)
From 018092125538782b25d3ab6b036f0c8d5968f757 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 20 Jun 2017 16:45:42 +0200
Subject: [PATCH] Fix #74435: Buffer over-read into uninitialized memory
The stack allocated color map buffers were not zeroed before usage, and
so undefined palette indexes could cause information leakage.
---
ext/gd/libgd/gd_gif_in.c | 3 +++
ext/gd/tests/bug74435.gif | Bin 0 -> 11464 bytes
ext/gd/tests/bug74435.phpt | 27 +++++++++++++++++++++++++++
3 files changed, 30 insertions(+)
create mode 100644 ext/gd/tests/bug74435.gif
create mode 100644 ext/gd/tests/bug74435.phpt
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index 74b7493..76ba152 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
int haveGlobalColormap;
gdImagePtr im = 0;
+ memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
+ memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
+
/*1.4//imageNumber = 1; */
if (! ReadOK(fd,buf,6)) {
return 0;
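Review bot: The two added `memset` calls hard-code the length as `3 * MAXCOLORMAPSIZE`, which only covers the whole buffer if each map is declared as three rows of one-byte entries; those declarations sit above the hunk and are not visible here. Writing `memset(ColorMap, 0, sizeof ColorMap);` and `memset(localColorMap, 0, sizeof localColorMap);` ties the length to the arrays themselves, so a later change to the element type or dimensions cannot leave part of the stack buffer uninitialized and quietly bring back the disclosure. Because this backport drops ext/gd/tests/bug74435.phpt, nothing in the adapted patch checks that undefined palette indexes now resolve to zeroed entries on 5.4.13, so that behaviour should be confirmed separately. The body of gdImageCreateFromGifCtx starts and continues outside the hunk.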
--
2.1.4