From a15af81b5f0058e020eda0f109f51a3c863f5212 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" 
Date: Sun, 30 Dec 2018 13:59:26 +0100
Subject: [PATCH] Fix #77270: imagecolormatch Out Of Bounds Write on Heap

At least some of the image reading functions may return images which use color indexes greater than or equal to im->colorsTotal. We cater to this by always using a buffer size which is sufficient for `gdMaxColors` in `gdImageColorMatch()`.

(cherry picked from commit 7a12dad4dd6c370835b13afae214b240082c7538)
---
 NEWS | 1 +
 ext/gd/libgd/gd_color_match.c | 4 ++--
 ext/gd/tests/bug77270.phpt | 18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 ext/gd/tests/bug77270.phpt

diff --git a/ext/gd/libgd/gd_color_match.c b/ext/gd/libgd/gd_color_match.c
index a4e56b1c40..e6f539bc75 100644
--- a/ext/gd/libgd/gd_color_match.c
+++ b/ext/gd/libgd/gd_color_match.c
@@ -33,8 +33,8 @@ int gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
 return -4; /* At least 1 color must be allocated */
 }
 
- buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * im2->colorsTotal, 0);
- memset( buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
+ buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * gdMaxColors, 0);
+ memset( buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
 
 for (x=0; xsx; x++) {
 for( y=0; ysy; y++ ) {
diff --git a/ext/gd/tests/bug77270.phpt b/ext/gd/tests/bug77270.phpt
new file mode 100644
index 0000000000..1c4555a64d
--- /dev/null
+++ b/ext/gd/tests/bug77270.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #77270 (imagecolormatch Out Of Bounds Write on Heap)
+--SKIPIF--
+
+--FILE--
+
+===DONE===
+--EXPECT--
+===DONE===
-- 
2.11.0
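Review bot: The switch from `5 * im2->colorsTotal` to `5 * gdMaxColors` in the safe_emalloc/memset pair is justified only in the commit message; in the code it reads as a gratuitous over-allocation, and a later "tidy-up" that sizes the buffer back to the palette count would silently reintroduce the heap overflow. A comment above the allocation should carry the rationale, e.g. `/* Pixel indexes may be >= im2->colorsTotal (bug #77270): size the buckets for every possible palette index, not just the allocated ones */`. The loops that follow (outside the hunk) presumably index `buf` by pixel colour value, so the invariant now relied on is that a palette pixel index is always below gdMaxColors. Since the buffer is zeroed immediately after allocation, a zeroing allocator such as `ecalloc` would also remove the duplicated size expression, though that is cosmetic. gdImageColorMatch's body continues outside the hunk.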