diff options
Diffstat (limited to 'main/gd/CVE-2019-11038.patch')
-rw-r--r-- | main/gd/CVE-2019-11038.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/main/gd/CVE-2019-11038.patch b/main/gd/CVE-2019-11038.patch new file mode 100644 index 0000000000..1ccb9c1c15 --- /dev/null +++ b/main/gd/CVE-2019-11038.patch @@ -0,0 +1,36 @@ +From e13a342c079aeb73e31dfa19eaca119761bac3f3 Mon Sep 17 00:00:00 2001 +From: Jonas Meurer <jonas@freesources.org> +Date: Tue, 11 Jun 2019 12:16:46 +0200 +Subject: [PATCH] Fix #501: Uninitialized read in gdImageCreateFromXbm + (CVE-2019-11038) + +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038 +Bug-Debian: https://bugs.debian.org/929821 +Bug: https://github.com/libgd/libgd/issues/501 + +We have to ensure that `sscanf()` does indeed read a hex value here, +and bail out otherwise. + +Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext. +https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184 +--- + src/gd_xbm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/gd_xbm.c b/src/gd_xbm.c +index 4ca41acf..cf0545ef 100644 +--- a/src/gd_xbm.c ++++ b/src/gd_xbm.c +@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd) + } + h[3] = ch; + } +- sscanf(h, "%x", &b); ++ if (sscanf(h, "%x", &b) != 1) { ++ gd_error("invalid XBM"); ++ gdImageDestroy(im); ++ return 0; ++ } + for (bit = 1; bit <= max_bit; bit = bit << 1) { + gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0); + if (x == im->sx) { |