author | Robert Hart <bathterror@gmail.com> | 2021-10-09 16:40:45 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-09 11:40:45 -0400 |
commit | ba14dec6efe9d87fe80fa1d7bd3d5b0583e1320e (patch) | |
tree | bd84e4da42ba0815a19111d01b9b5118a5b17124 /src/circletexttest.c | |
parent | dceb29a6f5e8b0fb5e21d14c39013efcbb9203ee (diff) | |
download | libgd-ba14dec6efe9d87fe80fa1d7bd3d5b0583e1320e.tar.gz |
Fix out of bounds write im->alpha[im->transparent] (#785)

Since #737 gdImageColorTransparent does not correctly handle the case that im->transparent = -1
(which is the initial value and used to indicate no transparent colour has been set).

This leads to undefined behaviour via an out-of-bound write:

    im->alpha[im->transparent] = gdAlphaOpaque;

(in practice I assume this merely overwrites an earlier struct member)

This can be triggered via loading a gif through gdImageCreateFromGifPtr

    third_party/gd/source/gd.c:922:2: runtime error: index -1 out of bounds for type 'int [256]'
    #0 0x5629c034a839 in gdImageColorTransparent third_party/gd/source/gd.c:922:29
    #1 0x5629c034ebf0 in gdImageCreateFromGifCtx third_party/gd/source/gd_gif_in.c:328:4
    #2 0x5629c034f14f in gdImageCreateFromGifPtr third_party/gd/source/gd_gif_in.c:186:7

Fixes #784.

Diffstat (limited to 'src/circletexttest.c')
0 files changed, 0 insertions, 0 deletions
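
An added example, not part of this commit or of libgd's source: a minimal C model of the indexing pattern the commit message describes, with the unchecked store beside a guarded form that treats -1 as "nothing to reset". The struct, the function names and the `TOY_*` constants are hypothetical and chosen only for this illustration.

```c
#include <stdio.h>

#define TOY_MAX_COLORS 256
#define TOY_ALPHA_OPAQUE 0          /* constructed values for this model */
#define TOY_ALPHA_TRANSPARENT 127

/* Hypothetical stand-in for a palette image; not libgd's gdImage. */
typedef struct {
    int colors_total;               /* member laid out just before alpha[] */
    int alpha[TOY_MAX_COLORS];
    int transparent;                /* -1 = no transparent colour set */
} toy_image;

void toy_init(toy_image *im)
{
    im->colors_total = 4;
    for (int i = 0; i < TOY_MAX_COLORS; i++)
        im->alpha[i] = TOY_ALPHA_OPAQUE;
    im->transparent = -1;
}

/* Unchecked pattern, kept for comparison and never called in this example. */
void toy_set_transparent_unchecked(toy_image *im, int color)
{
    im->alpha[im->transparent] = TOY_ALPHA_OPAQUE;  /* alpha[-1] on first use */
    im->alpha[color] = TOY_ALPHA_TRANSPARENT;
    im->transparent = color;
}

/* Guarded form: both indexes are validated before any store.
 * Returns 0 on success, -1 when color is outside -1..TOY_MAX_COLORS-1. */
int toy_set_transparent_checked(toy_image *im, int color)
{
    if (color < -1 || color >= TOY_MAX_COLORS)
        return -1;
    if (im->transparent >= 0 && im->transparent < TOY_MAX_COLORS)
        im->alpha[im->transparent] = TOY_ALPHA_OPAQUE;   /* reset old entry */
    if (color != -1)
        im->alpha[color] = TOY_ALPHA_TRANSPARENT;
    im->transparent = color;
    return 0;
}

int main(void)
{
    toy_image im;
    toy_init(&im);
    int rc = toy_set_transparent_checked(&im, 3);
    printf("rc=%d transparent=%d colors_total=%d\n", rc, im.transparent, im.colors_total);
    return 0;
}
```

Building the unchecked variant with `-fsanitize=undefined` and calling it on a freshly initialised image is one way to reproduce the class of report quoted in the commit message.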