Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.
cmb69 committed Dec 13, 2016
1 parent 60bfb40 commit fe9ed49
Showing 6 changed files with 35 additions and 10 deletions.
14 changes: 6 additions & 8 deletions src/gd_gd2.c
@@ -503,18 +503,16 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in)

if (im->trueColor) {
if (!gdGetInt (&im->tpixels[y][x], in)) {
/*printf("EOF while reading\n"); */
/*gdImageDestroy(im); */
/*return 0; */
im->tpixels[y][x] = 0;
gd_error("gd2: EOF while reading\n");
gdImageDestroy(im);
return NULL;
}
} else {
int ch;
if (!gdGetByte (&ch, in)) {
/*printf("EOF while reading\n"); */
/*gdImageDestroy(im); */
/*return 0; */
ch = 0;
gd_error("gd2: EOF while reading\n");
gdImageDestroy(im);
return NULL;
}
im->pixels[y][x] = ch;
}
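Review bot: Both new EOF branches leave the function directly with `gdImageDestroy(im); return NULL;`, so any other teardown the function does on failure is bypassed here. gdImageCreateFromGd2Ctx starts and ends outside this hunk, so the page does not show whether other buffers are live on this read path. If the function already has a shared failure exit, both branches should jump to it instead of repeating the teardown, which would also remove the duplication between the truecolor and palette branches. If a direct return is correct because only `im` is owned at this point, a short comment such as `/* only im is owned here; nothing else to free */` would keep a later change from introducing a leak.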
1 change: 1 addition & 0 deletions tests/gd2/.gitignore
@@ -6,3 +6,4 @@
/gd2_read
/gd2_read_corrupt
/php_bug_72339
/too_few_image_data
1 change: 1 addition & 0 deletions tests/gd2/CMakeLists.txt
@@ -7,6 +7,7 @@ LIST(APPEND TESTS_FILES
php_bug_72339
gd2_read
gd2_read_corrupt
too_few_image_data
)

ADD_GD_TESTS()
7 changes: 5 additions & 2 deletions tests/gd2/Makemodule.am
@@ -3,7 +3,8 @@ libgd_test_programs += \
gd2/bug00309 \
gd2/gd2_empty_file \
gd2/php_bug_72339 \
gd2/gd2_read_corrupt
gd2/gd2_read_corrupt \
gd2/too_few_image_data

if HAVE_LIBZ
libgd_test_programs += \
@@ -23,4 +24,6 @@ EXTRA_DIST += \
gd2/conv_test_exp.png \
gd2/empty.gd2 \
gd2/invalid_header.gd2 \
gd2/invalid_neg_size.gd2
gd2/invalid_neg_size.gd2 \
gd2/php_bug_72339_exp.gd2 \
gd2/too_few_image_data.gd2
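--- a/tests/gd2/too_few_image_data.c
+++ b/tests/gd2/too_few_image_data.c
@@ -0,0 +1,22 @@
+/*
+too_few_image_data.gd2 claims to have a size of 12336x48 pixels, but doesn't
+provide as much image data. We test that gdImageCreateFromGd2Ctx() returns NULL
+in this case.
+*/
+
+#include "gd.h"
+#include "gdtest.h"
+
+int main()
+{
+gdImagePtr im;
+FILE *fp;
+
+fp = gdTestFileOpen2("gd2", "too_few_image_data.gd2");
+gdTestAssert(fp != NULL);
+im = gdImageCreateFromGd2(fp);
+gdTestAssert(im == NULL);
+fclose(fp);
+
+return gdNumFailures();
+}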
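Review bot: `gdTestAssert(fp != NULL)` is followed unconditionally by `gdImageCreateFromGd2(fp)` and `fclose(fp)`, so a missing fixture may reach both calls with a NULL stream. That happens only if gdTestAssert records the failure without aborting, and its definition is not on this page. An early exit right after the assertion, `if (fp == NULL) return gdNumFailures();`, would keep that case a plain test failure. Separately, if the regression this test guards against returns and `im` is non-NULL, the image is never released. Adding `if (im != NULL) gdImageDestroy(im);` before `fclose(fp)` would keep leak checkers quiet on a failing run.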
Binary file added tests/gd2/too_few_image_data.gd2
Binary file not shown.

1 comment on commit fe9ed49


@carnil carnil commented on fe9ed49 Jan 28, 2017


This is CVE-2016-10167
