Closed
Description
A possible double-free bug, the same as CVE-2017-6362, exists in the gdImageBmpPtr function.
```c
BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
{
    void *rv;
    gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
    if (out == NULL) return NULL;
    gdImageBmpCtx(im, out, compression); /* ---> return is not checked */
    rv = gdDPExtractData(out, size); /* ---> it will call the chain: gdDPExtractData -> trimDynamic -> gdReallocDynamic and it causes double free. */
    out->gd_free(out);
    return rv;
}
```
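
The call pattern reported above, reduced to a self-contained model (an added example, not code from the issue or from libgd). `toy_ctx`, `toy_encode`, `toy_extract` and `toy_image_ptr` are hypothetical stand-ins, and the encoder freeing its buffer on failure is an assumption made for illustration; the model counts releases instead of performing a second free, and shows that checking the encoder's return value before extracting keeps the count at one.

```c
#include <stdlib.h>
#include <string.h>

/* Toy dynamic output context; every name here is hypothetical, not libgd's. */
typedef struct {
    unsigned char *data;
    size_t len, cap;
    int releases; /* times data was passed to the allocator's free/realloc path */
} toy_ctx;

/* Encoder: on error it frees the buffer, leaves the stale pointer in place,
 * and reports the failure only through its return value (nonzero = error). */
static int toy_encode(toy_ctx *c, const char *src, int force_fail)
{
    size_t n = strlen(src);
    if (force_fail || n > c->cap) { free(c->data); c->releases++; return 1; }
    memcpy(c->data, src, n);
    c->len = n;
    return 0;
}

/* Extractor: trimming hands data to the allocator again. After a failed encode
 * that is the second release, so this model counts it instead of doing it. */
static void *toy_extract(toy_ctx *c, size_t *size)
{
    if (c->releases++ > 0) { *size = 0; return NULL; }
    *size = c->len;
    return c->data; /* ownership moves to the caller */
}

/* check_rc == 0 mirrors the reported call pattern; check_rc == 1 skips the
 * extraction when encoding failed. Returns the release count (2 = double free). */
static int toy_image_ptr(const char *src, int force_fail, int check_rc,
                         void **out, size_t *size)
{
    toy_ctx c = { malloc(64), 0, 64, 0 };
    *out = NULL; *size = 0;
    if (c.data == NULL) return -1;
    if (toy_encode(&c, src, force_fail) == 0 || !check_rc)
        *out = toy_extract(&c, size);
    return c.releases;
}

int main(void)
{
    void *p; size_t n;
    int unchecked = toy_image_ptr("BM", 1, 0, &p, &n);
    int checked = toy_image_ptr("BM", 1, 1, &p, &n);
    return !(unchecked == 2 && checked == 1);
}
```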