diff options
Diffstat (limited to 'gnu/packages/patches/gd-CVE-2019-6977.patch')
-rw-r--r-- | gnu/packages/patches/gd-CVE-2019-6977.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/gnu/packages/patches/gd-CVE-2019-6977.patch b/gnu/packages/patches/gd-CVE-2019-6977.patch new file mode 100644 index 0000000000..b21a8ac619 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2019-6977.patch @@ -0,0 +1,36 @@ +Fix CVE-2019-6977: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977 + +Patch copied from Debian: + +https://salsa.debian.org/debian/libgd2/commit/2d7d3b68bb79843e5271a05543e996fd5a3a8cd1 + +Description: Heap-based buffer overflow in gdImageColorMatch +Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced +Bug-PHP: https://bugs.php.net/bug.php?id=77270 +Bug-Debian: https://bugs.debian.org/920645 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977 +Forwarded: no +Author: "Christoph M. Becker" <cmbecker69@gmx.de> +Last-Update: 2019-02-01 + +At least some of the image reading functions may return images which +use color indexes greater than or equal to im->colorsTotal. We cater +to this by always using a buffer size which is sufficient for +`gdMaxColors` in `gdImageColorMatch()`. +--- + +--- a/src/gd_color_match.c ++++ b/src/gd_color_match.c +@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm + return -4; /* At least 1 color must be allocated */ + } + +- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); +- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); ++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); ++ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); + + for (x=0; x < im1->sx; x++) { + for( y=0; y<im1->sy; y++ ) { |