On Mon, 2015-01-19 at 23:38 -0600, Yaakov Selkowitz wrote: > Dr. Volker Zell, > > A security vulnerability has been made public for gd. Could you please: > > 1) port this patch to 2.0.36RC1, for the benefit of those packages > currently linked against libgd2: > > http://git.php.net/?p=php-src.git;a=patch;h=cf47536
Please consider the attached. > 2) AND could you bump gd to 2.1.1, which already includes this fix, from > its new home at http://libgd.bitbucket.org/ so we can move on to the > currently supported code base for future builds? -- Yaakov
--- origsrc/gd-2.0.36RC1/gdxpm.c 2007-11-27 02:30:34.000000000 -0600 +++ src/gd-2.0.36RC1/gdxpm.c 2015-01-20 00:31:47.904443500 -0600 @@ -43,13 +43,19 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro if (ret != XpmSuccess) return 0; - if (!(im = gdImageCreate (image.width, image.height))) - return 0; - number = image.ncolors; if (overflow2(sizeof (int), number)) { return 0; } + for (i = 0; i < number; i++) + { + if (!image.colorTable[i].c_color) + goto done; + } + + if (!(im = gdImageCreate (image.width, image.height))) + return 0; + colors = (int *) gdMalloc (sizeof (int) * number); if (colors == NULL) return (0); @@ -143,6 +149,9 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro } } gdFree (colors); +done: + XpmFreeXpmImage(&image); + XpmFreeXpmInfo(&info); return (im); } #endif /* HAVE_LIBXPM */
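Review bot: The `return 0;` after the `overflow2` check, the `return 0;` after the relocated `gdImageCreate` call and the `return (0);` on `gdMalloc` failure all bypass the `done:` cleanup added in the second hunk. On those paths the parsed `image` and `info` are never released, and the `gdMalloc` path also leaks `im`. These failures depend on values read from the file (`image.ncolors`, `image.width`, `image.height`), so repeated parsing of malformed input could accumulate the leak. I would route them through the label: `goto done;` for the first two, and `gdImageDestroy (im); im = 0; goto done;` when `colors` is NULL. The function starts before and continues after this hunk, so other exits may need the same treatment.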
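Review bot: `return (im);` is now also reached by the `goto done;` in the first hunk, before `gdImageCreate` has assigned `im`. The rejection of a NULL `c_color` entry therefore returns a null image only if `im` is initialised at its declaration, which is outside the visible hunks. Please confirm it reads `gdImagePtr im = 0;`, or set `im = 0;` before the jump. A short comment on the label would also help, e.g. `/* done: single exit; frees the Xpm structures on success and on rejected input */`.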