
Commit 1846f48

Fix #340: System frozen
gdImageCreate() does not check for oversized images, which makes it prone to DoS; we fix that by applying the same overflow check that is already in place for gdImageCreateTrueColor(). CVE-2016-9317
1 parent 58b6dde commit 1846f48


7 files changed

+47
-0
lines changed


Diff for: src/gd.c

+1
@@ -188,6 +188,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreate (int sx, int sy)
188188
if (overflow2(sx, sy)) {
189189
return NULL;
190190
}
191+
191192
if (overflow2(sizeof (unsigned char *), sy)) {
192193
return NULL;
193194
}
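Review bot: The only guard visible in this hunk is the context line `if (overflow2(sx, sy))` at old/new line 188, and it rejects only an sx*sy product that overflows int; a request such as 46340x46340 still passes it and proceeds to the allocations further down, so "oversized" in the description should be read as "overflowing int", not "too large to allocate", and callers that take dimensions from untrusted input still need their own limit. The added new line 191 renders with no content on this page, so the substantive change the message describes cannot be confirmed from this hunk alone and should be checked against the raw diff. gdImageCreate's body begins and ends outside the hunk, so whether negative or zero sx/sy are rejected before these checks is not visible here; if they are not, `if (sx <= 0 || sy <= 0) return NULL;` ahead of the overflow checks would be a cheap addition.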

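--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -38,6 +38,7 @@ if (BUILD_TEST)
 gdimagecopy
 gdimagecopyresampled
 gdimagecopyrotated
+gdimagecreate
 gdimagecrop
 gdimagefile
 gdimagefill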

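--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -33,6 +33,7 @@ include gdimageconvolution/Makemodule.am
 include gdimagecopy/Makemodule.am
 include gdimagecopyresampled/Makemodule.am
 include gdimagecopyrotated/Makemodule.am
+include gdimagecreate/Makemodule.am
 include gdimagecrop/Makemodule.am
 include gdimagefile/Makemodule.am
 include gdimagefill/Makemodule.am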

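--- /dev/null
+++ b/tests/gdimagecreate/.gitignore
@@ -0,0 +1 @@
+/bug00340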

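--- /dev/null
+++ b/tests/gdimagecreate/CMakeLists.txt
@@ -0,0 +1,5 @@
+SET(TESTS_FILES
+bug00340
+)
+
+ADD_GD_TESTS()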

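--- /dev/null
+++ b/tests/gdimagecreate/Makemodule.am
@@ -0,0 +1,5 @@
+libgd_test_programs += \
+gdimagecreate/bug00340
+
+EXTRA_DIST += \
+gdimagecreate/CMakeLists.txt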

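--- /dev/null
+++ b/tests/gdimagecreate/bug00340.c
@@ -0,0 +1,33 @@
+/**
+ * Regression test for <https://github.com/libgd/libgd/issues/340>
+ *
+ * We're testing that trying to create an oversized image fails early,
+ * triggering an appropriate warning.
+ */
+
+
+#include <string.h>
+#include "gd.h"
+#include "gd_errors.h"
+#include "gdtest.h"
+
+
+#define MSG "product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"
+
+
+void error_handler(int priority, const char *format, ...)
+{
+	gdTestAssert(priority == GD_WARNING);
+	gdTestAssert(!strcmp(format, MSG));
+}
+
+
+int main()
+{
+	gdImagePtr im;
+
+	im = gdImageCreate(64970, 65111);
+	gdTestAssert(im == NULL);
+
+	return gdNumFailures();
+}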
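Review bot: error_handler (new lines 18-22) is defined but never installed: nothing in main registers it, so its two gdTestAssert calls never run and the "triggering an appropriate warning" part of the header comment is not actually verified, unless gdtest.h wires the handler up somewhere not visible here. Adding `gdSetErrorMethod(error_handler);` as the first statement of main would make the priority and message assertions count, and marking the handler `static` avoids an unused-external-symbol warning if it is never referenced. The test also exercises only the int-overflow path (64970*65111 exceeds INT_MAX); it says nothing about dimensions whose product fits in int but is still far too large to allocate, which is worth stating in the header comment so the regression test is not read as a general oversized-image guard.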
