gdImageBmpPtr possible double free bug #447

y3noor opened this issue Jul 14, 2018 · 3 comments


commented Jul 14, 2018

A possible double free bug, the same as CVE-2017-6362, exists in the gdImageBmpPtr function.

```c
BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
{
	void *rv;
	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
	if (out == NULL) return NULL;
	gdImageBmpCtx(im, out, compression); /* ---> return is not checked */
	/* ---> it will call the chain: gdDPExtractData -> trimDynamic ->
	 * gdReallocDynamic and it causes double free. */
	rv = gdDPExtractData(out, size);
	return rv;
}
```
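
The pattern reported above, as a self-contained model added here (not libgd's code and not part of the original issue): `ctx_t`, `encode`, `extract` and `run_case` are hypothetical stand-ins for the dynamic context, the encoder and the extraction step. It assumes the encoder releases its buffer on the error path, and it records the stale access instead of performing the real double free so it is safe to run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a dynamic output context (not libgd's types). */
typedef struct { char *data; size_t len, cap; int released, stale_use; } ctx_t;

/* Encoder: 0 on success, 1 on failure. Assumption of this model: the
 * error path releases the buffer it was writing into. */
static int encode(ctx_t *c, const char *src) {
    size_t n = strlen(src);
    if (n > c->cap) {
        free(c->data);            /* c->data is dangling from here on */
        c->released = 1;
        return 1;
    }
    memcpy(c->data, src, n);
    c->len = n;
    return 0;
}

/* Extraction trims the buffer with realloc. Reallocating a released buffer
 * would be the double free, so the model records the stale use instead. */
static void *extract(ctx_t *c, size_t *size) {
    if (c->released) { c->stale_use++; return NULL; }
    char *p = realloc(c->data, c->len ? c->len : 1);
    if (p) c->data = p;
    *size = c->len;
    return c->data;
}

/* checked == 0: result of encode() ignored, as in the reported function.
 * checked == 1: extract() runs only after a successful encode().
 * Returns how many times extract() touched a released buffer. */
int run_case(int checked, const char *src, size_t *size) {
    ctx_t c = { malloc(8), 0, 8, 0, 0 };
    *size = 0;
    if (!c.data) return -1;
    if (!checked) { encode(&c, src); extract(&c, size); }
    else if (encode(&c, src) == 0) extract(&c, size);
    if (!c.released) free(c.data);
    return c.stale_use;
}

int main(void) {
    size_t n;  /* inputs below are constructed: 10 bytes overflow the 8-byte cap */
    printf("unchecked, failing encode: %d stale use(s)\n", run_case(0, "0123456789", &n));
    printf("checked, failing encode:   %d stale use(s)\n", run_case(1, "0123456789", &n));
    return 0;
}
```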




commented Jul 14, 2018

The same issue is valid for the PHP libgd extension.

@vapier vapier closed this in ac16bdf Jul 14, 2018



commented Jul 14, 2018

thanks, should be fixed now

vapier added a commit that referenced this issue Jul 14, 2018
bmp: check return value in gdImageBmpPtr
Closes #447.

(cherry picked from commit ac16bdf)


commented Jul 14, 2018

@y3noor Please report (potential) security issues to next time. Thanks!
