Signed Integer Overflow gd_gd2.c #354

Closed
OnurTasliogluu opened this issue Dec 16, 2016 · 4 comments
@OnurTasliogluu

My sample:
./gd2togif test_file /dev/null
gd_gd2.c:212:15: runtime error: signed integer overflow: 65530 * 65531 cannot be represented in type 'int'

@cmb69 self-assigned this Dec 17, 2016
@cmb69 added the bug label Dec 17, 2016
@cmb69 added this to the GD 2.2.4 milestone Dec 17, 2016
@OnurTasliogluu changed the title from "Signed Integer Overflow gd_io.c" to "Signed Integer Overflow gd_gd2.c" Dec 17, 2016
oerdnj pushed a commit that referenced this issue Jan 18, 2017
GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, which can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.

cmb69 (Contributor) commented Jan 18, 2017

This is supposed to be fixed as of GD 2.2.4.

@cmb69 closed this as completed Jan 18, 2017
carnil commented Jan 26, 2017

carnil commented Jan 28, 2017

CVE-2016-10168 has been assigned for this issue.

cmb69 (Contributor) commented Jan 28, 2017

Thanks! I've added the CVEs to the release announcement.
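
Added example (not part of the issue thread and not libgd's own code): the check the referenced commit message describes, written as a stand-alone validator for two chunk-count words. The function names, the 4-byte header fragment and the high-byte-first word order are assumptions of this example, and it assumes a 32-bit `int`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Read a 2-byte unsigned word, high byte first (byte order assumed here). */
static int read_word(const unsigned char *p)
{
    return (p[0] << 8) | p[1];
}

/* Validate both chunk counts and compute their product without performing
 * a signed multiplication that could overflow.
 * Returns 0 and stores the product in *nc, or -1 for illegal counts. */
static int checked_chunk_total(int ncx, int ncy, int *nc)
{
    if (ncx <= 0 || ncy <= 0)
        return -1;                 /* either count must be greater than zero */
    if (ncx > INT_MAX / ncy)
        return -1;                 /* ncx * ncy would not fit in an int */
    *nc = ncx * ncy;
    return 0;
}

/* Hypothetical header fragment: ncx word followed by ncy word. */
static int parse_chunk_counts(const unsigned char *hdr, size_t len, int *nc)
{
    if (len < 4)
        return -1;                 /* truncated input */
    return checked_chunk_total(read_word(hdr), read_word(hdr + 2), nc);
}

int main(void)
{
    /* Constructed inputs; the second carries the values from the report. */
    static const unsigned char ok[]   = {0x00, 0x04, 0x00, 0x03};
    static const unsigned char big[]  = {0xFF, 0xFA, 0xFF, 0xFB}; /* 65530, 65531 */
    static const unsigned char zero[] = {0x00, 0x00, 0x00, 0x03};
    int nc = 0;

    if (parse_chunk_counts(ok, sizeof ok, &nc) == 0)
        printf("4 x 3 accepted, %d chunks\n", nc);
    if (parse_chunk_counts(big, sizeof big, &nc) != 0)
        printf("65530 x 65531 rejected\n");
    if (parse_chunk_counts(zero, sizeof zero, &nc) != 0)
        printf("0 x 3 rejected\n");
    return 0;
}
```

Dividing `INT_MAX` by one operand before multiplying keeps the comparison itself free of overflow, so the check stays clean under the same sanitizer that produced the report above.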
