Fix #497: gdImageColorMatch Out Of Bounds Write on Heap (CVE-2019-6977)

Fixed CVE-2019-6977 and add corresponding testcase.

Original patch by Christoph M. Bechker <cmbecker69@gmx.de>
https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced

4 files changed, 28 insertions, 0 deletions

diff --git a/tests/gdimagecolormatch/.gitignore b/tests/gdimagecolormatch/.gitignore
index b1540a2..f68c491 100644
--- a/tests/gdimagecolormatch/.gitignore
+++ b/tests/gdimagecolormatch/.gitignore
@@ -1 +1,2 @@
+/cve_2019_6977
 /gdimagecolormatch
diff --git a/tests/gdimagecolormatch/CMakeLists.txt b/tests/gdimagecolormatch/CMakeLists.txt
index 6a191dc..857b99a 100644
--- a/tests/gdimagecolormatch/CMakeLists.txt
+++ b/tests/gdimagecolormatch/CMakeLists.txt
@@ -1,4 +1,5 @@
 LIST(APPEND TESTS_FILES
+	cve_2019_6977
 	gdimagecolormatch
 )
 
diff --git a/tests/gdimagecolormatch/Makemodule.am b/tests/gdimagecolormatch/Makemodule.am
index db6c3d4..4ed48ce 100644
--- a/tests/gdimagecolormatch/Makemodule.am
+++ b/tests/gdimagecolormatch/Makemodule.am
@@ -1,4 +1,5 @@
 libgd_test_programs += \
+	gdimagecolormatch/cve_2019_6977 \
 	gdimagecolormatch/gdimagecolormatch
 
 EXTRA_DIST += \
diff --git a/tests/gdimagecolormatch/cve_2019_6977.c b/tests/gdimagecolormatch/cve_2019_6977.c
new file mode 100644
index 0000000..fdd7af5
--- /dev/null
+++ b/tests/gdimagecolormatch/cve_2019_6977.c
@@ -0,0 +1,25 @@
+/**
+ * Test for CVE-2019-6977
+ */
+
+#include "gd.h"
+
+int main()
+{
+	gdImagePtr im1;
+	gdImagePtr im2;
+
+	im1 = gdImageCreateTrueColor(0xfff, 0xfff);
+	im2 = gdImageCreate(0xfff, 0xfff);
+	if (gdImageColorAllocate(im2, 0, 0, 0) < 0)
+	{
+		gdImageDestroy(im1);
+		gdImageDestroy(im2);
+		return 1;
+	}
+	gdImageSetPixel(im2, 0, 0, 255);
+	gdImageColorMatch(im1, im2);
+	gdImageDestroy(im1);
+	gdImageDestroy(im2);
+	return 0;
+}