Fix #340: System frozen
gdImageCreate() doesn't check for oversized images and as such is prone
to DoS vulnerabilities. We fix that by applying the same overflow check
that is already in place for gdImageCreateTrueColor().

CVE-2016-9317
cmb69 committed Dec 13, 2016
1 parent 58b6dde commit 1846f48
Showing 7 changed files with 47 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/gd.c
Expand Up @@ -188,6 +188,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreate (int sx, int sy)
if (overflow2(sx, sy)) {
return NULL;
}

if (overflow2(sizeof (unsigned char *), sy)) {
return NULL;
}
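Review bot: The `overflow2(sx, sy)` guard at the top of gdImageCreate() only bounds the product against INT_MAX (going by the warning text the new test expects), so a request just under that limit still proceeds to allocation. A comment above the guard should say so, e.g. `/* rejects sx*sy > INT_MAX only; callers taking dimensions from untrusted input still need their own size cap */`. The rendered page does not show which of these lines is the added one, and the function body continues past the hunk, so whether each later allocation is NULL-checked cannot be confirmed from here.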
1 change: 1 addition & 0 deletions tests/CMakeLists.txt
Expand Up @@ -38,6 +38,7 @@ if (BUILD_TEST)
gdimagecopy
gdimagecopyresampled
gdimagecopyrotated
gdimagecreate
gdimagecrop
gdimagefile
gdimagefill
1 change: 1 addition & 0 deletions tests/Makefile.am
Expand Up @@ -33,6 +33,7 @@ include gdimageconvolution/Makemodule.am
include gdimagecopy/Makemodule.am
include gdimagecopyresampled/Makemodule.am
include gdimagecopyrotated/Makemodule.am
include gdimagecreate/Makemodule.am
include gdimagecrop/Makemodule.am
include gdimagefile/Makemodule.am
include gdimagefill/Makemodule.am
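--- a/tests/gdimagecreate/.gitignore
+++ b/tests/gdimagecreate/.gitignore
@@ -0,0 +1 @@
+/bug00340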
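--- a/tests/gdimagecreate/CMakeLists.txt
+++ b/tests/gdimagecreate/CMakeLists.txt
@@ -0,0 +1,5 @@
+SET(TESTS_FILES
+bug00340
+)
+
+ADD_GD_TESTS()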
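--- a/tests/gdimagecreate/Makemodule.am
+++ b/tests/gdimagecreate/Makemodule.am
@@ -0,0 +1,5 @@
+libgd_test_programs += \
+gdimagecreate/bug00340
+
+EXTRA_DIST += \
+gdimagecreate/CMakeLists.txt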
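--- a/tests/gdimagecreate/bug00340.c
+++ b/tests/gdimagecreate/bug00340.c
@@ -0,0 +1,33 @@
+/**
+* Regression test for <https://github.com/libgd/libgd/issues/340>
+*
+* We're testing that trying to create an oversized image fails early,
+* triggering an appropriate warning.
+*/
+
+
+#include <string.h>
+#include "gd.h"
+#include "gd_errors.h"
+#include "gdtest.h"
+
+
+#define MSG "product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"
+
+
+void error_handler(int priority, const char *format, ...)
+{
+gdTestAssert(priority == GD_WARNING);
+gdTestAssert(!strcmp(format, MSG));
+}
+
+
+int main()
+{
+gdImagePtr im;
+
+im = gdImageCreate(64970, 65111);
+gdTestAssert(im == NULL);
+
+return gdNumFailures();
+}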
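Review bot: `error_handler` is never installed, so its two assertions on priority and message cannot run and the test only verifies that `gdImageCreate(64970, 65111)` returns NULL. Register it in `main()` before the call with `gdSetErrorMethod(error_handler);`. libgd appears to pass a `va_list` to the handler rather than calling it variadically (confirm against gd.h), so it should be declared `void error_handler(int priority, const char *format, va_list args)` with `<stdarg.h>` included. Even with the handler registered, the test still passes if no warning is emitted at all; a static counter incremented in the handler and asserted after the call would close that gap.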
