
Fix #340: System frozen

gdImageCreate() doesn't check for oversized images and as such is prone
to DoS vulnerabilities. We fix that by applying the same overflow check
that is already in place for gdImageCreateTrueColor().

CVE-2016-9317
cmb69 committed Nov 12, 2016
1 parent 58b6dde commit 1846f48e5fcdde996e7c27a4bbac5d0aef183e4b
@@ -188,6 +188,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreate (int sx, int sy)
if (overflow2(sx, sy)) {
return NULL;
}

if (overflow2(sizeof (unsigned char *), sy)) {
return NULL;
}
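Review bot: The two `overflow2()` guards at the top of `gdImageCreate()` carry no comment saying what each one protects, and the bound they enforce is an arithmetic one, not a memory budget. Going by the warning text quoted in the new test, a request is refused only when the product would exceed INT_MAX, so dimensions just under that limit still pass and can lead to very large allocations; callers that take sizes from untrusted input need their own, much lower cap. I would add above the first check `/* reject sx * sy > INT_MAX before anything is allocated (issue #340) */` and above the second `/* the row-pointer array needs sy * sizeof(unsigned char *) bytes */`. The second comment is inferred, since the allocations are outside the hunk, and this rendering does not mark which of the lines is the added one.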
@@ -38,6 +38,7 @@ if (BUILD_TEST)
gdimagecopy
gdimagecopyresampled
gdimagecopyrotated
gdimagecreate
gdimagecrop
gdimagefile
gdimagefill
@@ -33,6 +33,7 @@ include gdimageconvolution/Makemodule.am
include gdimagecopy/Makemodule.am
include gdimagecopyresampled/Makemodule.am
include gdimagecopyrotated/Makemodule.am
include gdimagecreate/Makemodule.am
include gdimagecrop/Makemodule.am
include gdimagefile/Makemodule.am
include gdimagefill/Makemodule.am
@@ -0,0 +1 @@
/bug00340
@@ -0,0 +1,5 @@
SET(TESTS_FILES
bug00340
)

ADD_GD_TESTS()
@@ -0,0 +1,5 @@
libgd_test_programs += \
gdimagecreate/bug00340

EXTRA_DIST += \
gdimagecreate/CMakeLists.txt
@@ -0,0 +1,33 @@
/**
* Regression test for <https://github.com/libgd/libgd/issues/340>
*
* We're testing that trying to create an oversized image fails early,
* triggering an appropriate warning.
*/


#include <string.h>
#include "gd.h"
#include "gd_errors.h"
#include "gdtest.h"


#define MSG "product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"


void error_handler(int priority, const char *format, ...)
{
gdTestAssert(priority == GD_WARNING);
gdTestAssert(!strcmp(format, MSG));
}


int main()
{
gdImagePtr im;

im = gdImageCreate(64970, 65111);
gdTestAssert(im == NULL);

return gdNumFailures();
}
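Review bot: `error_handler()` is defined but never installed, so its two assertions on the priority and the message never run and the test only checks that `gdImageCreate()` returns NULL. `main()` should register it before the call with `gdSetErrorMethod(error_handler);`. The handler also takes `...` where libgd's `gdErrorMethod` callback type takes a `va_list` as its third parameter, so the signature should be `void error_handler(int priority, const char *format, va_list args)` with `<stdarg.h>` included. Even once installed, a run in which no warning is emitted at all would still pass; a static flag set in the handler and asserted after the call would close that gap.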
