authorwilson chen <willson.chenwx@gmail.com>2019-12-20 10:12:04 +0800
committerGitHub <noreply@github.com>2019-12-20 10:12:04 +0800
commit2e886046f86d0d6bfc14aab94a881259a081e3f4 (patch)
treea87195bd40239062bda2310771f7b96252710a1d /src/gd_color_match.c
parent4b0f3724022ad5bdf16d86409126436ff5a31afb (diff)
Fix #497: gdImageColorMatch Out Of Bounds Write on Heap (CVE-2019-6977)
Fixed CVE-2019-6977 and added a corresponding test case. Original patch by Christoph M. Becker <cmbecker69@gmx.de>: https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
Diffstat (limited to 'src/gd_color_match.c')
-rw-r--r--src/gd_color_match.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/src/gd_color_match.c b/src/gd_color_match.c
index f0842b6..f019430 100644
--- a/src/gd_color_match.c
+++ b/src/gd_color_match.c
@@ -31,9 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
return -4; /* At least 1 color must be allocated */
}
- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
-
+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
for (x=0; x < im1->sx; x++) {
for( y=0; y<im1->sy; y++ ) {
color = im2->pixels[y][x];
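Review bot: The two added lines pass the result of `gdMalloc` straight to `memset` with no NULL check, so an allocation failure becomes a null-pointer write rather than an error return. Replacing the pair with `buf = (unsigned long *)gdCalloc(5 * gdMaxColors, sizeof(unsigned long));` and then `if (!buf)` returning a negative code this function does not already use would zero the buffer and handle the failure in one place. The fixed size also deserves a one-line comment, since the reason is not visible at the call: `/* sized for gdMaxColors: pixel values in im2 index buf and are not limited to im2->colorsTotal */`. That wording assumes palette pixel values can never reach `gdMaxColors`; if that is not guaranteed, the index read inside the loop needs its own bounds check. The body of `gdImageColorMatch` starts and ends outside this hunk, so the later uses of `buf` and its release could not be checked here.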