summaryrefslogtreecommitdiffstats
path: root/gd-2.2.5-heap-based-buffer-overflow.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gd-2.2.5-heap-based-buffer-overflow.patch')
-rw-r--r--gd-2.2.5-heap-based-buffer-overflow.patch28
1 files changed, 28 insertions, 0 deletions
diff --git a/gd-2.2.5-heap-based-buffer-overflow.patch b/gd-2.2.5-heap-based-buffer-overflow.patch
new file mode 100644
index 0000000..ae795d0
--- /dev/null
+++ b/gd-2.2.5-heap-based-buffer-overflow.patch
@@ -0,0 +1,28 @@
+From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Tue, 4 Jun 2019 10:54:45 +0200
+Subject: [PATCH] heap based buffer overflow in
+ gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
+
+---
+ src/gd_color_match.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_color_match.c b/src/gd_color_match.c
+index f0842b6..a94a841 100755
+--- a/src/gd_color_match.c
++++ b/src/gd_color_match.c
+@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
+ return -4; /* At least 1 color must be allocated */
+ }
+
+- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
+- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
++ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
+
+ for (x=0; x < im1->sx; x++) {
+ for( y=0; y<im1->sy; y++ ) {
+--
+2.17.1
+