f510b224 AM |
1 | From: Mike Frysinger <vapier@gentoo.org> |
2 | Date: Sat, 14 Jul 2018 13:54:08 -0400 | |
3 | Subject: bmp: check return value in gdImageBmpPtr | |
4 | Origin: https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 | |
5 | Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000222 | |
6 | Bug-Debian: https://bugs.debian.org/906886 | |
7 | Bug: https://github.com/libgd/libgd/issues/447 | |
8 | ||
9 | Closes #447. | |
10 | --- | |
11 | src/gd_bmp.c | 17 ++++++++++++++--- | |
12 | 1 file changed, 14 insertions(+), 3 deletions(-) | |
13 | ||
14 | diff --git a/src/gd_bmp.c b/src/gd_bmp.c | |
15 | index bde0b9d3abbd..78f40d9a475e 100644 | |
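--- a/src/gd_bmp.c
+++ b/src/gd_bmp.c
@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
 static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
 static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
 
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
+
 #define BMP_DEBUG(s)
 
 static int gdBMPPutWord(gdIOCtx *out, int w)
@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
 void *rv;
 gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
 if (out == NULL) return NULL;
- gdImageBmpCtx(im, out, compression);
- rv = gdDPExtractData(out, size);
+ if (!_gdImageBmpCtx(im, out, compression))
+ rv = gdDPExtractData(out, size);
+ else
+ rv = NULL;
 out->gd_free(out);
 return rv;
 }
@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
 compression - whether to apply RLE or not.
 */
 BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+{
+ _gdImageBmpCtx(im, out, compression);
+}
+
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 {
 int bitmap_size = 0, info_size, total_size, padding;
 int i, row, xpos, pixel;
@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
 FILE *tmpfile_for_compression = NULL;
 gdIOCtxPtr out_original = NULL;
+ int ret = 1;
 
 /* No compression if its true colour or we don't support seek */
 if (im->trueColor) {
@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 out_original = NULL;
 }
 
+ ret = 0;
 cleanup:
 if (tmpfile_for_compression) {
 #ifdef _WIN32
@@ -338,7 +349,7 @@ cleanup:
 if (out_original) {
 out_original->gd_free(out_original);
 }
- return;
+ return ret;
 }
 
 static int compress_row(unsigned char *row, int length)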
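Review bot: In the gdImageBmpPtr hunk the new failure branch sets `rv = NULL` but leaves `*size` unwritten, because `gdDPExtractData(out, size)` is the only statement that takes `size` and it now runs only on success. A caller that reads the length before testing the returned pointer would see a stale or indeterminate value, so consider `else { *size = 0; rv = NULL; }`, assuming `size` is never NULL (the success path presumably already requires that, though gdDPExtractData is not visible here). The forward declaration of `_gdImageBmpCtx` would also benefit from a comment such as `/* returns 0 on success, 1 on failure */`, since `ret` starts at 1 and is cleared just before `cleanup:`, and `if (!_gdImageBmpCtx(...))` reads like a failure test at first glance. The public `gdImageBmpCtx` wrapper still discards that result, so only gdImageBmpPtr callers learn of a failed write. Most of the body of `_gdImageBmpCtx` lies outside the hunks shown.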
77 | -- | |
78 | 2.19.1 | |