From 2e886046f86d0d6bfc14aab94a881259a081e3f4 Mon Sep 17 00:00:00 2001
From: wilson chen
Date: Fri, 20 Dec 2019 10:12:04 +0800
Subject: [PATCH] Fix #497: gdImageColorMatch Out Of Bounds Write on Heap (CVE-2019-6977)

Fixed CVE-2019-6977 and add corresponding testcase.

Original patch by Christoph M. Bechker
https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced

[Retrieved (and updated to remove .gitignore and tests) from:
https://github.com/libgd/libgd/commit/2e886046f86d0d6bfc14aab94a881259a081e3f4]
Signed-off-by: Fabrice Fontaine
---
 src/gd_color_match.c | 5 ++---
 tests/gdimagecolormatch/.gitignore | 1 +
 tests/gdimagecolormatch/CMakeLists.txt | 1 +
 tests/gdimagecolormatch/Makemodule.am | 1 +
 tests/gdimagecolormatch/cve_2019_6977.c | 25 +++++++++++++++++++++++++
 5 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 tests/gdimagecolormatch/cve_2019_6977.c

diff --git a/src/gd_color_match.c b/src/gd_color_match.c
index f0842b69..f0194302 100644
--- a/src/gd_color_match.c
+++ b/src/gd_color_match.c
@@ -31,9 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
 		return -4; /* At least 1 color must be allocated */
 	}
 
-	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
-	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
-
+	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
+	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
 	for (x=0; x < im1->sx; x++) {
 		for( y=0; ysy; y++ ) {
 			color = im2->pixels[y][x];
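Review bot: The gdMalloc result on the added line is still handed straight to memset with no NULL check, so an allocation failure turns into a NULL write instead of the negative error return the function already uses for bad input (`return -4` just above); the two added lines would be tighter as `buf = (unsigned long *)gdCalloc(5 * gdMaxColors, sizeof(unsigned long));` followed by `if (!buf) { return -5; }` or whichever negative code the module reserves for out-of-memory. The reason for `gdMaxColors` also deserves a comment so a later maintainer does not "optimize" it back to `im2->colorsTotal`, which is the defect this commit fixes: the values read from `im2->pixels` and used as indices into buf are presumably never validated against the palette size, so the buffer must cover the full index range rather than the allocated color count, e.g. `/* sized by gdMaxColors, not colorsTotal: pixel indices are not bounded by the palette (CVE-2019-6977) */`. The second context line after the change (`for( y=0; ysy; y++ )`) looks garbled by extraction, not by the patch, and is presumably `y<im1->sy` in the file. gdImageColorMatch begins before this hunk and its indexing loop continues after it.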