Adapted for PHP 5.4.13.
The test files listed in the diffstat below (ext/gd/tests/bug74435.gif and ext/gd/tests/bug74435.phpt) are omitted from this adaptation because the binary .gif hunk cannot be applied by the patch tooling; only the ext/gd/libgd/gd_gif_in.c change is carried.

From 018092125538782b25d3ab6b036f0c8d5968f757 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 20 Jun 2017 16:45:42 +0200
Subject: [PATCH] Fix #74435: Buffer over-read into uninitialized memory

The stack allocated color map buffers were not zeroed before usage, and
so undefined palette indexes could cause information leakage.
---
 ext/gd/libgd/gd_gif_in.c   |   3 +++
 ext/gd/tests/bug74435.gif  | Bin 0 -> 11464 bytes
 ext/gd/tests/bug74435.phpt |  27 +++++++++++++++++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 ext/gd/tests/bug74435.gif
 create mode 100644 ext/gd/tests/bug74435.phpt

diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
index 74b7493..76ba152 100644
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
 	int haveGlobalColormap;
 	gdImagePtr im = 0;
 
+	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
+	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
+
 	/*1.4//imageNumber = 1; */
 	if (! ReadOK(fd,buf,6)) {
 		return 0;
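Review bot: The two memset sizes at the top of the hunk are written as `3 * MAXCOLORMAPSIZE`, which silently assumes both arrays are declared as `[3][MAXCOLORMAPSIZE]` of single bytes; that declaration is outside the hunk, so prefer `memset(ColorMap, 0, sizeof ColorMap);` and `memset(localColorMap, 0, sizeof localColorMap);` so the cleared size cannot drift from the declaration. Zero-filling turns the uninitialized read into a deterministic black palette entry but does not reject an out-of-range palette index; if the decoder does not already bound indexes by the colormap size parsed from the header, that check is still worth adding where the index is consumed. gdImageCreateFromGifCtx's body continues past the end of the hunk.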
-- 
2.1.4