Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | 1 | From 4b1e18a00ce7c4b7e6919c3b3109a034393b805a Mon Sep 17 00:00:00 2001 |
| 2 | From: Mike Frysinger <vapier@gentoo.org> |
| 3 | Date: Sat, 14 Jul 2018 13:54:08 -0400 |
| 4 | Subject: [PATCH] bmp: check return value in gdImageBmpPtr |
| 5 | |
| 6 | Closes #447. |
| 7 | |
| 8 | (cherry picked from commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5) |
| 9 | |
| 10 | Upstream-Status: Backport [https://github.com/libgd/libgd/commit/4b1e18a00ce7c4b7e6919c3b3109a034393b805a] |
| 11 | CVE: CVE-2018-1000222 |
| 12 | Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> |
| 13 | --- |
| 14 | src/gd_bmp.c | 17 ++++++++++++++--- |
| 15 | 1 file changed, 14 insertions(+), 3 deletions(-) |
| 16 | |
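--- a/src/gd_bmp.c
+++ b/src/gd_bmp.c
@@ -48,6 +48,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
 static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
 static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
 
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
+
 #define BMP_DEBUG(s)
 
 static int gdBMPPutWord(gdIOCtx *out, int w)
@@ -88,8 +90,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
 void *rv;
 gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
 if (out == NULL) return NULL;
- gdImageBmpCtx(im, out, compression);
- rv = gdDPExtractData(out, size);
+ if (!_gdImageBmpCtx(im, out, compression))
+ rv = gdDPExtractData(out, size);
+ else
+ rv = NULL;
 out->gd_free(out);
 return rv;
 }
@@ -142,6 +146,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
 compression - whether to apply RLE or not.
 */
 BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+{
+ _gdImageBmpCtx(im, out, compression);
+}
+
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 {
 int bitmap_size = 0, info_size, total_size, padding;
 int i, row, xpos, pixel;
@@ -149,6 +158,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
 FILE *tmpfile_for_compression = NULL;
 gdIOCtxPtr out_original = NULL;
+ int ret = 1;
 
 /* No compression if its true colour or we don't support seek */
 if (im->trueColor) {
@@ -326,6 +336,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 out_original = NULL;
 }
 
+ ret = 0;
 cleanup:
 if (tmpfile_for_compression) {
 #ifdef _WIN32
@@ -339,7 +350,7 @@ cleanup:
 if (out_original) {
 out_original->gd_free(out_original);
 }
- return;
+ return ret;
 }
 
 static int compress_row(unsigned char *row, int length)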
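Review bot: On the failure branch added to gdImageBmpPtr, `rv` becomes NULL but `*size` is never written, so a caller that reads the length before testing the pointer sees whatever value it passed in; assuming `size` must be non-NULL, as the success path implies, the branch could read `else { rv = NULL; *size = 0; }`. The 0-on-success / 1-on-failure convention of `_gdImageBmpCtx` is only visible from `int ret = 1;` and `ret = 0;`, so a comment on the new prototype such as `/* Returns 0 on success, 1 on failure. */` would make the `!` test in gdImageBmpPtr easier to read. The public `gdImageBmpCtx` wrapper still discards the result, and its doc comment should say that the output may be incomplete on error. Most of `_gdImageBmpCtx`'s body lies outside the visible hunks, so the error paths that jump to `cleanup:` could not be checked here.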
| 80 | -- |
| 81 | 2.17.1 |
| 82 | |