Signed Integer Overflow gd_gd2.c #354
oerdnj pushed a commit that referenced this issue Jan 18, 2017
GD2 stores the number of horizontal and vertical chunks as words (i.e. 2-byte unsigned). These values are multiplied and assigned to an int when reading the image, which can cause integer overflows. We have to avoid that, and also make sure that either chunk count is actually greater than zero. If illegal chunk counts are detected, we bail out from reading the image.
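
The check this commit message describes, written out as an added C example (not libgd's actual patch): both chunk counts must be non-zero and their product must fit in an `int` before it is computed. The function names and the 4-byte sample field holding the two words most-significant-byte first are assumptions made for this sketch; the first sample uses the counts from the sanitizer report on this page.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (not libgd's code): total number of chunks for the two
 * chunk-count words of a GD2 header, or -1 if the counts are illegal. */
int gd2_chunk_total(unsigned short ncx, unsigned short ncy)
{
    /* Both counts must be greater than zero. */
    if (ncx == 0 || ncy == 0)
        return -1;
    /* ncx * ncy fits in an int only if ncx <= INT_MAX / ncy. The division
     * cannot overflow, so the test itself has no undefined behaviour. */
    if (ncx > INT_MAX / ncy)
        return -1;
    return ncx * ncy;   /* operands promote to int; result proven to fit */
}

/* Read one 2-byte unsigned word, most significant byte first
 * (byte order assumed for this sample). */
static unsigned short read_word(const unsigned char *p)
{
    return (unsigned short)((p[0] << 8) | p[1]);
}

/* Validate the counts held in a constructed 4-byte field: ncx, then ncy. */
int gd2_chunk_total_from_bytes(const unsigned char *field)
{
    return gd2_chunk_total(read_word(field), read_word(field + 2));
}

int main(void)
{
    /* Constructed inputs, not taken from a real image file. */
    static const unsigned char samples[3][4] = {
        {0xFF, 0xFA, 0xFF, 0xFB},   /* 65530 x 65531: product exceeds INT_MAX */
        {0x00, 0x00, 0x00, 0x08},   /* zero horizontal chunk count */
        {0x00, 0x04, 0x00, 0x03},   /* 4 x 3: legal */
    };
    for (int i = 0; i < 3; i++) {
        int total = gd2_chunk_total_from_bytes(samples[i]);
        if (total < 0)
            printf("sample %d: illegal chunk counts, bail out\n", i);
        else
            printf("sample %d: %d chunks\n", i, total);
    }
    return 0;
}
```

Built with `-fsanitize=undefined`, this version produces no runtime error for the first sample because the multiplication is never reached.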
This is supposed to be fixed as of GD 2.2.4.
CVE requested: http://www.openwall.com/lists/oss-security/2017/01/26/1

CVE-2016-10168 has been assigned for this issue.

Thanks! I've added the CVEs to the release announcement.
My sample:

```
./gd2togif test_file /dev/null
gd_gd2.c:212:15: runtime error: signed integer overflow: 65530 * 65531 cannot be represented in type 'int'
```