From 040a65cbe4187bc82f19f8bff794a096a46b6f30 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 5 Nov 2019 07:40:27 +0100 Subject: Sync security patches from Fedora: - Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch() - Resolves: RHBZ#1678104 (CVE-2019-6977) - Fixed potential double-free in gdImage*Ptr() - Resolves: RHBZ#1671391 (CVE-2019-6978) --- gd-2.2.5-heap-based-buffer-overflow.patch | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 gd-2.2.5-heap-based-buffer-overflow.patch (limited to 'gd-2.2.5-heap-based-buffer-overflow.patch') diff --git a/gd-2.2.5-heap-based-buffer-overflow.patch b/gd-2.2.5-heap-based-buffer-overflow.patch new file mode 100644 index 0000000..ae795d0 --- /dev/null +++ b/gd-2.2.5-heap-based-buffer-overflow.patch @@ -0,0 +1,28 @@ +From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Tue, 4 Jun 2019 10:54:45 +0200 +Subject: [PATCH] heap based buffer overflow in + gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch() + +--- + src/gd_color_match.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/gd_color_match.c b/src/gd_color_match.c +index f0842b6..a94a841 100755 +--- a/src/gd_color_match.c ++++ b/src/gd_color_match.c +@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2) + return -4; /* At least 1 color must be allocated */ + } + +- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); +- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); ++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); ++ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); + + for (x=0; x < im1->sx; x++) { + for( y=0; ysy; y++ ) { +-- +2.17.1 + -- cgit