Diffstat (limited to 'main/gd/CVE-2018-5711.patch')
-rw-r--r-- | main/gd/CVE-2018-5711.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/main/gd/CVE-2018-5711.patch b/main/gd/CVE-2018-5711.patch
new file mode 100644
index 0000000000..a90689a321
--- /dev/null
+++ b/main/gd/CVE-2018-5711.patch
@@ -0,0 +1,53 @@
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+origin: https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5711
+Bug-Debian: https://bugs.debian.org/887485
+Bug: https://github.com/libgd/libgd/issues/420
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop. Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ terminated:
+ return 0;
+ }
+
+- if(!im->colorsTotal) {
+- gdImageDestroy(im);
+- return 0;
+- }
+-
+ /* Check for open colors at the end, so
+ * we can reduce colorsTotal and ultimately
+ * BitsPerPixel */
+@@ -351,6 +346,11 @@ terminated:
+ }
+ }
+
++ if(!im->colorsTotal) {
++ gdImageDestroy(im);
++ return 0;
++ }
++
+ return im;
+ }
+
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ int i, j, ret;
+- unsigned char count;
++ int count;
+
+ if(flag) {
+ scd->curbit = 0; |
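Review bot: The new `int count;` declaration in `GetCode_` (last hunk of the embedded patch) says nothing about why the type must be signed, so a later cleanup could narrow it back to `unsigned char` and bring back the hang that the patch description attributes to a signedness confusion. A comment at the declaration would pin the intent, e.g. `int count; /* signed on purpose: must be able to hold a negative result (CVE-2018-5711) */`. The statements that assign and test `count` lie outside the hunk, so the exact comparison should be confirmed against the full function; presumably it is the return value of the data-block read. This view is limited to the patch file, so it is also worth confirming that the package's build recipe lists the patch and records the CVE.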