8147d7c6 JL |
1 | This patch is adapted from commit a11f47475e6443b7f32d21f2271f28f417e2ac04 and |
2 | fixes CVE-2018-5711. | |
3 | ||
4 | From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001 | |
5 | From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
6 | Date: Wed, 29 Nov 2017 19:37:38 +0100 | |
7 | Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx | |
8 | ||
9 | Due to a signedness confusion in `GetCode_` a corrupt GIF file can | |
10 | trigger an infinite loop. Furthermore we make sure that a GIF without | |
11 | any palette entries is treated as invalid *after* open palette entries | |
12 | have been removed. | |
13 | ||
14 | CVE-2018-5711 | |
15 | ||
16 | See also https://bugs.php.net/bug.php?id=75571. | |
17 | --- | |
18 | src/gd_gif_in.c | 12 ++++++------ | |
19 | 1 file changed, 38 insertions(+), 6 deletions(-) | |
20 | ||
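diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
index daf26e7..0a8bd71 100644
--- a/src/gd_gif_in.c
+++ b/src/gd_gif_in.c
@@ -335,11 +335,6 @@ terminated:
 return 0;
 }
 
- if(!im->colorsTotal) {
- gdImageDestroy(im);
- return 0;
- }
-
 /* Check for open colors at the end, so
 * we can reduce colorsTotal and ultimately
 * BitsPerPixel */
@@ -351,6 +346,11 @@ terminated:
 }
 }
 
+ if(!im->colorsTotal) {
+ gdImageDestroy(im);
+ return 0;
+ }
+
 return im;
 }
 
@@ -447,7 +447,7 @@ static int
 GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
 {
 int i, j, ret;
- unsigned char count;
+ int count;
 
 if(flag) {
 scd->curbit = 0;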
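Review bot: The new `int count;` declaration in GetCode_ gives no hint that the type must stay signed, so a later cleanup could narrow it back to `unsigned char` and bring back the infinite loop described in the commit message. A comment on the declaration would pin the intent, for example `/* signed on purpose: must be able to hold a negative (error) result */`. The rest of GetCode_ lies outside the hunk, so how count is used afterwards is not visible here. Presumably it feeds buffer bookkeeping, so it is worth confirming that any arithmetic or indexing on count tolerates a negative value now that it no longer wraps into 0..255. A regression test that decodes a GIF with a truncated data block and asserts that decoding terminates would keep the fix covered.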
58 | ||
59 | -- | |
60 | 2.13.6 | |
61 |