gdImageBmpPtr possible double free bug #447

Closed
y3noor opened this issue Jul 14, 2018 · 3 comments


@y3noor

commented Jul 14, 2018

A possible double free bug, the same as CVE-2017-6362, exists in the gdImageBmpPtr function.

```c
BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
{
	void *rv;
	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
	if (out == NULL) return NULL;
	gdImageBmpCtx(im, out, compression); /* return is not checked */
	rv = gdDPExtractData(out, size); /* it will call the chain: gdDPExtractData -> trimDynamic -> gdReallocDynamic and it causes double free. */
	out->gd_free(out);
	return rv;
}
```

@y3noor

Author

commented Jul 14, 2018

The same issue is valid for the PHP libgd extension.

@vapier vapier closed this in ac16bdf Jul 14, 2018

@vapier

Member

commented Jul 14, 2018

thanks, should be fixed now

vapier added a commit that referenced this issue Jul 14, 2018
bmp: check return value in gdImageBmpPtr
Closes #447.

(cherry picked from commit ac16bdf)
@cmb69

Contributor

commented Jul 14, 2018

@y3noor Please report (potential) security issues to security@libgd.org next time. Thanks!
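
The pattern discussed in this thread, as an added example that is not part of the issue or of libgd's code: a wrapper that ignores the encoder's return value and extracts anyway, next to one that checks it. `dynbuf`, `encode`, `extract` and `image_to_ptr` are hypothetical names, and the model assumes the failing encoder has already released the buffer; a second release is counted by a tracker instead of being executed, so the program runs safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model; dynbuf and every function below are hypothetical, not libgd's. */
typedef struct { unsigned char *data; size_t len; int freed; int double_frees; } dynbuf;

/* Release the storage once; a second release is counted, not performed. */
static void buf_release(dynbuf *b) {
    if (b->freed) { b->double_frees++; return; }
    free(b->data);
    b->data = NULL;
    b->freed = 1;
}

/* Encoder: on failure it releases the storage itself and returns non-zero (assumption). */
static int encode(dynbuf *b, int fail) {
    if (fail) { buf_release(b); return 1; }
    memcpy(b->data, "BM", 2);
    b->len = 2;
    return 0;
}

/* Extraction copies the used bytes to a right-sized block and releases the old storage. */
static void *extract(dynbuf *b, size_t *size) {
    void *out = malloc(b->len ? b->len : 1);
    if (out && b->len) memcpy(out, b->data, b->len);
    *size = b->len;
    buf_release(b);
    return out;
}

/* check_result == 0: encoder result ignored, extraction always runs (reported pattern).
 * check_result == 1: extraction runs only after a successful encode.
 * Returns the number of double releases observed, or -1 if allocation failed. */
static int image_to_ptr(int fail, int check_result) {
    dynbuf b = { malloc(2048), 0, 0, 0 };
    size_t n;
    if (!b.data) return -1;
    int rc = encode(&b, fail);
    if (rc == 0 || !check_result) free(extract(&b, &n));
    return b.double_frees;
}

int main(void) {
    printf("unchecked, encoder fails: %d double release(s)\n", image_to_ptr(1, 0));
    printf("checked,   encoder fails: %d double release(s)\n", image_to_ptr(1, 1));
    return 0;
}
```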
