gdImageBmpPtr possible double free bug #447

Closed
y3noor opened this issue Jul 14, 2018 · 3 comments

y3noor commented Jul 14, 2018

Possible double free bug same as CVE-2017-6362 exists for gdImageBmpPtr function.

```c
BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
{
	void *rv;
	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
	if (out == NULL) return NULL;
	gdImageBmpCtx(im, out, compression); /* ---> return is not checked */
	/* ---> it will call the chain: gdDPExtractData -> trimDynamic ->
	   gdReallocDynamic and it causes double free. */
	rv = gdDPExtractData(out, size);
	out->gd_free(out);
	return rv;
}
```

@cmb69
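
The pattern reported above, reduced to a self-contained model (an added example, not code from the issue or from libgd): the result of the encoding step is ignored, so the extract step runs on an empty buffer and releases it twice. `dynctx`, `encode`, `trim`, `extract` and `export_buf` are hypothetical names, and the trim behaviour (releasing a zero-length buffer) is an assumption of the model; repeated frees are counted rather than executed.

```c
#include <stdlib.h>
#include <string.h>
/* Toy dynamic output context (hypothetical; not libgd's gdIOCtx). */
typedef struct { unsigned char *data; size_t len, cap; int frees; } dynctx;

static dynctx *ctx_new(size_t cap) {
    dynctx *c = calloc(1, sizeof *c);
    if (c && !(c->data = malloc(cap))) { free(c); c = NULL; }
    if (c) c->cap = cap;
    return c;
}

/* Free the buffer once for real; later attempts are only counted. */
static void buf_release(dynctx *c) { if (c->frees++ == 0) free(c->data); }

/* Encoder stand-in: nonzero on failure, in which case nothing is written. */
static int encode(dynctx *c, const char *src) {
    if (src == NULL || *src == '\0' || strlen(src) > c->cap) return 1;
    c->len = strlen(src);
    memcpy(c->data, src, c->len);
    return 0;
}

/* Assumed trim behaviour: shrinking to zero bytes releases the buffer. */
static void trim(dynctx *c) { if (c->len == 0) buf_release(c); }

/* Extract: trim, then pass the buffer to the caller or release it if empty. */
static void *extract(dynctx *c, size_t *size) {
    trim(c);
    *size = c->len;
    if (c->len == 0) { buf_release(c); return NULL; } /* second release */
    return c->data;
}

/* Returns how often the context tried to free its buffer (>1: double free). */
static int export_buf(const char *src, int check_result) {
    dynctx *c = ctx_new(2048);
    size_t size = 0;
    void *rv = NULL;
    if (c == NULL) return -1;
    if (encode(c, src) && check_result) buf_release(c); /* checked: free once */
    else rv = extract(c, &size);          /* reported pattern: result ignored */
    int attempts = c->frees;
    free(rv);
    free(c);
    return attempts;
}

int main(void) { return export_buf(NULL, 0) == 2 ? 0 : 1; }
```

A failed encode with the result ignored yields two release attempts; checking the result and skipping the extract step yields one.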

y3noor (Author) commented Jul 14, 2018

The same issue is valid for php libgd extension.

@vapier vapier closed this as completed in ac16bdf Jul 14, 2018

vapier (Member) commented Jul 14, 2018

thanks, should be fixed now

vapier added a commit that referenced this issue Jul 14, 2018
Closes #447.

(cherry picked from commit ac16bdf)

cmb69 (Contributor) commented Jul 14, 2018

@y3noor Please report (potential) security issues to security@libgd.org next time. Thanks!
