| From 6ab531ef0d82efb9e00236ee5ea23928335d221f Mon Sep 17 00:00:00 2001 |
| From: Catalin Enache <catalin.enache@windriver.com> |
| Date: Fri, 7 Apr 2017 12:30:22 +0300 |
| Subject: [PATCH] Fix DOS vulnerability in gdImageCreateFromGd2Ctx() |
| |
| We must not pretend that there are image data if there are none. Instead |
| we fail reading the image file gracefully. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-10167 |
| |
| Signed-off-by: Catalin Enache <catalin.enache@windriver.com> |
| --- |
| src/gd_gd2.c | 14 ++++++-------- |
| 1 file changed, 6 insertions(+), 8 deletions(-) |
| |
| diff --git a/src/gd_gd2.c b/src/gd_gd2.c |
| index 8df93c1..bae65ea 100644 |
| --- a/src/gd_gd2.c |
| +++ b/src/gd_gd2.c |
| @@ -445,18 +445,16 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in) |
| |
| if (im->trueColor) { |
| if (!gdGetInt (&im->tpixels[y][x], in)) { |
| - /*printf("EOF while reading\n"); */ |
| - /*gdImageDestroy(im); */ |
| - /*return 0; */ |
| - im->tpixels[y][x] = 0; |
| + gd_error("gd2: EOF while reading\n"); |
| + gdImageDestroy(im); |
| + return NULL; |
| } |
| } else { |
| int ch; |
| if (!gdGetByte (&ch, in)) { |
| - /*printf("EOF while reading\n"); */ |
| - /*gdImageDestroy(im); */ |
| - /*return 0; */ |
| - ch = 0; |
| + gd_error("gd2: EOF while reading\n"); |
| + gdImageDestroy(im); |
| + return NULL; |
| } |
| im->pixels[y][x] = ch; |
| } |
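Review bot: Both new error paths leave the function straight after `gdImageDestroy(im);` with `return NULL;`, so any other buffer the function has allocated by this point would not be released when a truncated file is read. The function body starts and ends outside the hunk, so whether such allocations exist on this branch cannot be confirmed from here and should be checked against the end-of-function cleanup. If the function already has a shared cleanup path, routing both branches through it would also remove the duplicated three lines. A short comment above the first `gd_error` call, for example `/* Truncated pixel data: fail instead of zero-filling (CVE-2016-10167) */`, would record why the read failure must stay fatal and help prevent the old fallback from being reintroduced.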
| -- |
| 2.10.2 |
| |