projects / packages / gd.git / blame
| Commit | Line | Data |
|---|---|---|
| 75d12200 AM |
1 | From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001 |
| 2 | From: Ondrej Dubaj <odubaj@redhat.com> | |
| 3 | Date: Tue, 4 Jun 2019 10:54:45 +0200 | |
| 4 | Subject: [PATCH] heap based buffer overflow in | |
| 5 | gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch() | |
| 6 | ||
| 7 | --- | |
| 8 | src/gd_color_match.c | 4 ++-- | |
| 9 | 1 file changed, 2 insertions(+), 2 deletions(-) | |
| 10 | ||
| 11 | diff --git a/src/gd_color_match.c b/src/gd_color_match.c | |
| 12 | index f0842b6..a94a841 100755 | |
| 13 | --- a/src/gd_color_match.c | |
| 14 | +++ b/src/gd_color_match.c | |
| 15 | @@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2) | |
| 16 | return -4; /* At least 1 color must be allocated */ | |
| 17 | } | |
| 18 | ||
| 19 | - buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); | |
| 20 | - memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); | |
| 21 | + buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); | |
| 22 | + memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); | |
| 23 | ||
| 24 | for (x=0; x < im1->sx; x++) { | |
| 25 | for( y=0; y<im1->sy; y++ ) { | |
| 26 | -- | |
| 27 | 2.17.1 | |
| 28 |