
gdImageBmpPtr possible double free bug  #447

Closed
@y3noor

Description


A possible double free bug, the same as CVE-2017-6362, exists for the gdImageBmpPtr function.

```c
BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
{
	void *rv;
	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
	if (out == NULL) return NULL;
	gdImageBmpCtx(im, out, compression); /* ---> return is not checked */
	rv = gdDPExtractData(out, size); /* ---> it will call the chain: gdDPExtractData -> trimDynamic -> gdReallocDynamic and it causes double free. */
	out->gd_free(out);
	return rv;
}
```
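The chain the report names (extraction trimming a buffer that holds zero bytes, so the realloc fallback frees the old block a second time) is easiest to see in a self-contained model. The program below is an added example, not libgd code and not part of the issue: it models the dynamic output context with a quarantining allocator that counts a second free of the same address instead of executing it, runs the reported shape of `gdImageBmpPtr` (encoder result dropped, extraction always performed) next to the shape that only extracts after a successful encode, and reports how many double frees each produced. All names (`tracker_*`, `dyn_*`, `encode_bmp_model`, `bmp_ptr_unchecked`, `bmp_ptr_checked`, `demo_*`) are hypothetical, the encoder is a stand-in that writes nothing and fails on an empty input, and the `realloc(p, 0)` semantics modelled are glibc's (free `p`, return `NULL`).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libgd code: a model of the dynamic output context that
 * shows why an unchecked encoder result can end in a double free, and the
 * return check that avoids it. All names here are hypothetical. */

/* Quarantining allocator: freed blocks are never reused, so a second free of
 * the same address is detected and counted rather than executed. */
#define MAX_BLOCKS 32
static struct { void *p; int freed; } blocks[MAX_BLOCKS];
static int nblocks = 0, double_frees = 0;

static void tracker_reset(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i].p);
    nblocks = 0; double_frees = 0;
}
static void *tracked_malloc(size_t n) {
    if (nblocks == MAX_BLOCKS) return NULL;
    void *p = malloc(n ? n : 1);              /* malloc(0) may return NULL; avoid that */
    if (p) { blocks[nblocks].p = p; blocks[nblocks].freed = 0; nblocks++; }
    return p;
}
static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < nblocks; i++) {
        if (blocks[i].p != p) continue;
        if (blocks[i].freed) double_frees++; else blocks[i].freed = 1;
        return;
    }
}
/* The glibc behaviour that matters here: realloc(p, 0) frees p and returns NULL. */
static void *tracked_realloc(void *p, size_t old_n, size_t new_n) {
    if (new_n == 0) { tracked_free(p); return NULL; }
    void *q = tracked_malloc(new_n);
    if (q && p) { memcpy(q, p, old_n < new_n ? old_n : new_n); tracked_free(p); }
    return q;
}

/* Model of the dynamic context: a growable byte buffer owned by the context. */
typedef struct { unsigned char *data; size_t logical, real; int data_good; } dyn_t;

static dyn_t *dyn_new(size_t initial) {
    dyn_t *dp = tracked_malloc(sizeof *dp);
    if (!dp) return NULL;
    dp->data = tracked_malloc(initial);
    dp->logical = 0; dp->real = initial; dp->data_good = dp->data != NULL;
    return dp;
}
/* Mirrors the gdReallocDynamic fallback: if realloc fails, malloc + copy + free
 * the old block. After realloc(p, 0) the old block is already gone, so that
 * final free is the second free of the same address. */
static int dyn_realloc(dyn_t *dp, size_t required) {
    void *np = tracked_realloc(dp->data, dp->real, required);
    if (np) { dp->data = np; dp->real = required; return 1; }
    np = tracked_malloc(required);
    if (!np) { dp->data_good = 0; return 0; }
    if (dp->logical) memcpy(np, dp->data, dp->logical);
    tracked_free(dp->data);                   /* double free when required == 0 */
    dp->data = np; dp->real = required;
    return 1;
}
static int dyn_put(dyn_t *dp, const void *src, size_t n) {
    if (dp->logical + n > dp->real && !dyn_realloc(dp, dp->logical + n)) return 0;
    memcpy(dp->data + dp->logical, src, n); dp->logical += n;
    return 1;
}
/* gdDPExtractData shape: trim to the logical size, hand the buffer to the caller. */
static void *dyn_extract(dyn_t *dp, size_t *size) {
    void *data = NULL; *size = 0;
    if (dp->data_good) { dyn_realloc(dp, dp->logical); *size = dp->logical; data = dp->data; }
    else tracked_free(dp->data);
    dp->data = NULL; dp->logical = dp->real = 0;
    return data;
}
static void dyn_free_ctx(dyn_t *dp) { tracked_free(dp->data); tracked_free(dp); }

/* Stand-in encoder: 0 on success; nonzero, having written nothing, when the
 * input cannot be encoded (the failure path the report is about). */
static int encode_bmp_model(dyn_t *out, const unsigned char *px, size_t n) {
    if (n == 0) return 1;
    return dyn_put(out, "BM", 2) && dyn_put(out, px, n) ? 0 : 1;
}
/* Reported shape: encoder result dropped, extraction always runs. */
static void *bmp_ptr_unchecked(const unsigned char *px, size_t n, size_t *size) {
    dyn_t *out = dyn_new(8);
    if (!out) return NULL;
    encode_bmp_model(out, px, n);             /* return value not checked */
    void *rv = dyn_extract(out, size);        /* trims an empty buffer: realloc(p, 0) */
    dyn_free_ctx(out);
    return rv;
}
/* Hardened shape: extract only after a successful encode; the context frees
 * its own buffer otherwise. */
static void *bmp_ptr_checked(const unsigned char *px, size_t n, size_t *size) {
    dyn_t *out = dyn_new(8);
    if (!out) return NULL;
    void *rv = encode_bmp_model(out, px, n) == 0 ? dyn_extract(out, size) : NULL;
    if (!rv) *size = 0;
    dyn_free_ctx(out);
    return rv;
}
/* Scenario drivers: each returns the number of double frees the tracker caught. */
int demo_unchecked_empty(void) {
    tracker_reset(); size_t sz; tracked_free(bmp_ptr_unchecked(NULL, 0, &sz));
    return double_frees;                      /* 1 */
}
int demo_checked_empty(size_t *sz) {
    tracker_reset(); tracked_free(bmp_ptr_checked(NULL, 0, sz));
    return double_frees;                      /* 0, and *sz == 0 */
}
int demo_checked_ok(size_t *sz) {
    tracker_reset(); const unsigned char px[4] = {1, 2, 3, 4};
    tracked_free(bmp_ptr_checked(px, 4, sz)); /* *sz == 6: "BM" + 4 pixel bytes */
    return double_frees;                      /* 0 */
}
int main(void) {
    size_t sz;
    printf("unchecked, empty input: %d double free(s)\n", demo_unchecked_empty());
    printf("checked, empty input:   %d double free(s), size %zu\n", demo_checked_empty(&sz), sz);
    printf("checked, valid input:   %d double free(s), size %zu\n", demo_checked_ok(&sz), sz);
    return 0;
}
```

The quarantine in `tracked_free` is what makes the demonstration safe to run: a real allocator may hand the just-freed address back to the fallback `malloc`, which both hides the bug and corrupts the heap, which is why the crash in the real library only shows up under a heap checker or a sanitizer. The check in `bmp_ptr_checked` is the whole mitigation: when the encoder fails there is nothing to extract, so `gdDPExtractData` is never asked to trim an empty buffer.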
