
gd2: handle corrupt images better (CVE-2016-3074)

Make sure we do some range checking on corrupted chunks.

Thanks to Hans Jerry Illikainen <hji@dyntopia.com> for the in-depth report
and reproducer information.  Made for easy test case writing :).
vapier committed Apr 16, 2016
1 parent fc14a8c commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19
Showing with 30 additions and 1 deletion.
  1. +1 −0 .gitignore
  2. +2 −0 src/gd_gd2.c
  3. +2 −1 tests/Makefile.am
  4. +25 −0 tests/gd2/gd2_read_corrupt.c
  5. BIN tests/gd2/invalid_neg_size.gd2
@@ -150,6 +150,7 @@ Makefile.in
/tests/gd2/gd2_im2im
/tests/gd2/gd2_null
/tests/gd2/gd2_read
/tests/gd2/gd2_read_corrupt
/tests/gdimagearc/bug00079
/tests/gdimageline/gdimageline_aa
/tests/gdimageline/bug00072
@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
if (gdGetInt (&cidx[i].size, in) != 1) {
goto fail2;
};
if (cidx[i].offset < 0 || cidx[i].size < 0)
goto fail2;
};
*chunkIdx = cidx;
};
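Review bot: The added guard `if (cidx[i].offset < 0 || cidx[i].size < 0)` rejects only negative values, so a corrupt index with an implausibly large positive size or offset still passes and is returned through `*chunkIdx`. The code that sizes and fills buffers from these fields is outside this hunk, so whether it applies an upper bound is not visible here; it presumably needs one, for example against the remaining stream length. I would also brace the new check like the statements around it and record the intent with a comment such as `/* Corrupt index: a negative offset or size must never reach the chunk reader. */`. `_gd2GetHeader` starts and ends outside the hunk, and the cleanup behind `fail2` (presumably releasing `cidx`) is not shown and is worth confirming.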
@@ -129,7 +129,8 @@ endif

if HAVE_LIBZ
check_PROGRAMS += \
gd2/gd2_null
gd2/gd2_null \
gd2/gd2_read_corrupt
endif

if HAVE_LIBPNG
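--- a/tests/gd2/gd2_read_corrupt.c
+++ b/tests/gd2/gd2_read_corrupt.c
@@ -0,0 +1,25 @@
+/* Just try to read the invalid gd2 image & not crash. */
+#include "gd.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include "gdtest.h"
+
+int main()
+{
+gdImagePtr im;
+FILE *fp;
+char path[1024];
+
+/* Read the corrupt image. */
+sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
+fp = fopen(path, "rb");
+if (!fp) {
+printf("failed, cannot open file\n");
+return 1;
+}
+im = gdImageCreateFromGd2(fp);
+fclose(fp);
+
+/* Should have failed & rejected it. */
+return im == NULL ? 0 : 1;
+}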
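Review bot: The test loads a single fixture, `invalid_neg_size.gd2`, whose name suggests it covers only the negative-size case, so the `offset < 0` half of the check added in `_gd2GetHeader` appears to have no regression coverage. The fixture is binary and not shown, so this is inferred from its name. A second fixture for the offset branch would pin both halves of the guard. Separately, `sprintf` into `path[1024]` is unbounded; `snprintf(path, sizeof(path), "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);` is a drop-in replacement, and `int main(void)` is the conforming prototype.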
Binary file not shown.
