main/gd/CVE-2019-11038.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

From e13a342c079aeb73e31dfa19eaca119761bac3f3 Mon Sep 17 00:00:00 2001
From: Jonas Meurer <jonas@freesources.org>
Date: Tue, 11 Jun 2019 12:16:46 +0200
Subject: [PATCH] Fix #501: Uninitialized read in gdImageCreateFromXbm
 (CVE-2019-11038)

Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
Bug-Debian: https://bugs.debian.org/929821
Bug: https://github.com/libgd/libgd/issues/501

We have to ensure that `sscanf()` does indeed read a hex value here,
and bail out otherwise.

Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext.
https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184
---
 src/gd_xbm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/gd_xbm.c b/src/gd_xbm.c
index 4ca41acf..cf0545ef 100644
--- a/src/gd_xbm.c
+++ b/src/gd_xbm.c
@@ -169,7 +169,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
 			}
 			h[3] = ch;
 		}
-		sscanf(h, "%x", &b);
+		if (sscanf(h, "%x", &b) != 1) {
+			gd_error("invalid XBM");
+			gdImageDestroy(im);
+			return 0;
+		}
 		for (bit = 1; bit <= max_bit; bit = bit << 1) {
 			gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
 			if (x == im->sx) {