Fix #354: Signed Integer Overflow gd_io.c
GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, which can cause integer overflows. We have to avoid
that, and also make sure that each chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out of
reading the image.
cmb69 committed Dec 17, 2016
1 parent 1846f48 commit 69d2fd2
Showing 7 changed files with 41 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/gd_gd2.c
Expand Up @@ -209,6 +209,10 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
GD2_DBG (printf ("%d Chunks vertically\n", *ncy));

if (gd2_compressed (*fmt)) {
if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
goto fail1;
}
nc = (*ncx) * (*ncy);

GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
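Review bot: The new guard on the chunk counts runs only inside the `gd2_compressed (*fmt)` branch, so a header with a zero `*ncx` or `*ncy` in uncompressed format still leaves `_gd2GetHeader` through the out-parameters unchecked; whether the uncompressed decode path ever loops over or divides by those counts is outside this hunk, but if it does, the `*ncx <= 0 || *ncy <= 0` half of the test belongs above the branch and only the `*ncx > INT_MAX / *ncy` part is specific to computing `nc`. A why-comment would also help the next reader, since the reason for the division is not obvious from the code: `/* ncx/ncy are 16-bit words read from the file: reject 0 and a product that would overflow int before nc is used as a count */`. The `fail1` label and the rest of `_gd2GetHeader` are outside the hunk.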
1 change: 1 addition & 0 deletions tests/gd2/.gitignore
@@ -1,5 +1,6 @@
/bug_289
/bug00309
/bug00354
/gd2_empty_file
/gd2_im2im
/gd2_null
1 change: 1 addition & 0 deletions tests/gd2/CMakeLists.txt
@@ -1,6 +1,7 @@
LIST(APPEND TESTS_FILES
bug_289
bug00309
bug00354
gd2_empty_file
gd2_im2im
gd2_null
3 changes: 3 additions & 0 deletions tests/gd2/Makemodule.am
@@ -1,6 +1,7 @@
libgd_test_programs += \
gd2/bug_289 \
gd2/bug00309 \
gd2/bug00354 \
gd2/gd2_empty_file \
gd2/php_bug_72339 \
gd2/gd2_read_corrupt \
Expand All @@ -19,6 +20,8 @@ endif

EXTRA_DIST += \
gd2/CMakeLists.txt \
gd2/bug00354a.gd2 \
gd2/bug00354b.gd2 \
gd2/conv_gd2_exp.gd2 \
gd2/conv_test.gd2 \
gd2/conv_test_exp.png \
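--- /dev/null
+++ b/tests/gd2/bug00354.c
@@ -0,0 +1,32 @@
+/**
+* We're testing GD2 image files which report illegal chunk counts. These should
+* not cause integer overflows or other issues, but instead simply fail to be
+* loaded.
+*
+* See also <https://github.com/libgd/libgd/issues/354>.
+*/
+
+
+#include "gd.h"
+#include "gdtest.h"
+
+
+int main()
+{
+gdImagePtr im;
+FILE *fp;
+
+fp = gdTestFileOpen2("gd2", "bug00354a.gd2");
+gdTestAssert(fp != NULL);
+im = gdImageCreateFromGd2(fp);
+gdTestAssert(im == NULL);
+fclose(fp);
+
+fp = gdTestFileOpen2("gd2", "bug00354b.gd2");
+gdTestAssert(fp != NULL);
+im = gdImageCreateFromGd2(fp);
+gdTestAssert(im == NULL);
+fclose(fp);
+
+return gdNumFailures();
+}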
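Review bot: When the first `gdTestAssert(fp != NULL)` fails, the test goes on to call `gdImageCreateFromGd2(NULL)` and `fclose(NULL)`, and when `gdTestAssert(im == NULL)` fails (the regression this test exists to catch) the decoded image is leaked rather than destroyed, so a regression shows up as a crash or a sanitizer leak report instead of a clean failure count. Both fixtures go through the identical sequence, so factoring it into a small static helper that returns early on a missing fixture and destroys an unexpectedly decoded image keeps the failure path well-defined; `int main()` should also be written as the prototype `int main(void)`. The helper below is constructed from the calls already in the hunk; the two fixture names are unchanged.
```c
/* … unchanged: header comment and #includes … */

/* Open one fixture and require the decoder to reject it.
 * Returns early on a missing fixture so NULL never reaches the decoder or fclose. */
static void check_rejected(const char *name)
{
	FILE *fp = gdTestFileOpen2("gd2", name);
	gdTestAssert(fp != NULL);
	if (fp == NULL) {
		return;
	}
	gdImagePtr im = gdImageCreateFromGd2(fp);
	gdTestAssert(im == NULL);
	if (im != NULL) {
		gdImageDestroy(im); /* a failing assertion must not also leak the image */
	}
	fclose(fp);
}

int main(void)
{
	check_rejected("bug00354a.gd2");
	check_rejected("bug00354b.gd2");
	return gdNumFailures();
}
```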
Binary file added tests/gd2/bug00354a.gd2
Binary file not shown.
Binary file added tests/gd2/bug00354b.gd2
Binary file not shown.

1 comment on commit 69d2fd2

@carnil

@carnil carnil commented on 69d2fd2 Jan 28, 2017


This is CVE-2016-10168
