From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001 From: Ondrej Dubaj Date: Tue, 4 Jun 2019 10:54:45 +0200 Subject: [PATCH] heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch() --- src/gd_color_match.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/gd_color_match.c b/src/gd_color_match.c index f0842b6..a94a841 100755 --- a/src/gd_color_match.c +++ b/src/gd_color_match.c @@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2) return -4; /* At least 1 color must be allocated */ } - buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); - memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); + buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); + memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); for (x=0; x < im1->sx; x++) { for( y=0; ysy; y++ ) { -- 2.17.1