author | Christoph M. Becker <cmbecker69@gmx.de> | 2017-11-29 19:37:38 +0100 |
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2018-01-29 15:17:12 +0100 |
commit | a11f47475e6443b7f32d21f2271f28f417e2ac04 (patch) | |
tree | 70b930940b958961b07fa2267883ecff8d637502 /tests/gif | |
parent | 7ff626c48a133eff1b6608bf28b1cfae30597408 (diff) | |
Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
Due to a signedness confusion in `GetCode_` a corrupt GIF file can
trigger an infinite loop. Furthermore we make sure that a GIF without
any palette entries is treated as invalid *after* open palette entries
have been removed.
CVE-2018-5711
See also https://bugs.php.net/bug.php?id=75571.
Diffstat (limited to 'tests/gif')
-rw-r--r-- | tests/gif/.gitignore | 1 | ||||
-rw-r--r-- | tests/gif/CMakeLists.txt | 1 | ||||
-rw-r--r-- | tests/gif/Makemodule.am | 2 | ||||
-rw-r--r-- | tests/gif/php_bug_75571.c | 28 | ||||
-rw-r--r-- | tests/gif/php_bug_75571.gif | bin | 0 -> 1731 bytes |
5 files changed, 32 insertions, 0 deletions
diff --git a/tests/gif/.gitignore b/tests/gif/.gitignore
index 4e80a4b..6eb643c 100644
--- a/tests/gif/.gitignore
+++ b/tests/gif/.gitignore
@@ -8,4 +8,5 @@
 /gif_im2im
 /gif_null
 /ossfuzz5700
+/php_bug_75571
 /uninitialized_memory_read
diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
index 2b73749..e58e6b0 100644
--- a/tests/gif/CMakeLists.txt
+++ b/tests/gif/CMakeLists.txt
@@ -4,6 +4,7 @@ LIST(APPEND TESTS_FILES
 bug00227
 gif_null
 ossfuzz5700
+ php_bug_75571
 uninitialized_memory_read
 )
diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am
index 3199438..5dbeac5 100644
--- a/tests/gif/Makemodule.am
+++ b/tests/gif/Makemodule.am
@@ -4,6 +4,7 @@ libgd_test_programs += \
 gif/bug00227 \
 gif/gif_null \
 gif/ossfuzz5700 \
+ gif/php_bug_75571 \
 gif/uninitialized_memory_read
 
 if HAVE_LIBPNG
@@ -26,4 +27,5 @@ EXTRA_DIST += \
 gif/bug00066.gif \
 gif/bug00066_exp.png \
 gif/ossfuzz5700.gif \
+ gif/php_bug_75571.gif \
 gif/unitialized_memory_read.gif
diff --git a/tests/gif/php_bug_75571.c b/tests/gif/php_bug_75571.c
new file mode 100644
index 0000000..d4fae3a
--- /dev/null
+++ b/tests/gif/php_bug_75571.c
@@ -0,0 +1,28 @@
+/**
+ * Test that GIF reading does not loop infinitely
+ *
+ * We are reading a crafted GIF image which has been truncated. This would
+ * trigger an infinite loop formerly, but know bails out early, returning
+ * NULL from gdImageCreateFromGif().
+ *
+ * See also https://bugs.php.net/bug.php?id=75571.
+ */
+
+
+#include "gd.h"
+#include "gdtest.h"
+
+
+int main()
+{
+ gdImagePtr im;
+ FILE *fp;
+
+ fp = gdTestFileOpen2("gif", "php_bug_75571.gif");
+ gdTestAssert(fp != NULL);
+ im = gdImageCreateFromGif(fp);
+ gdTestAssert(im == NULL);
+ fclose(fp);
+
+ return gdNumFailures();
+}
diff --git a/tests/gif/php_bug_75571.gif b/tests/gif/php_bug_75571.gif
Binary files differ
new file mode 100644
index 0000000..3c30b40
--- /dev/null
+++ b/tests/gif/php_bug_75571.gif
|
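Review bot: In php_bug_75571.c the test keeps running after `gdTestAssert(fp != NULL)` fails, so a missing or unreadable fixture would pass a NULL FILE* into gdImageCreateFromGif() and fclose() and crash instead of reporting a failure; gdTestAssert appears to only record the result rather than abort. Add `if (fp == NULL) return gdNumFailures();` directly after that assert. Because the test expects `im == NULL`, a regression that does return an image would also leak it, so `if (im != NULL) gdImageDestroy(im);` before the fclose keeps a failing run clean. The header comment has a typo, "but know bails out" should read "but now bails out", and `int main()` would be better written as `int main(void)` so the definition is a proper prototype.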