diff options
author | Lance Wang <wang0z@gmx.com> | 2019-08-26 11:07:24 +0800 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2019-09-02 04:27:33 -0400 |
commit | d507fbbd1f804a27bdc9e304d7b0b1c592c9b887 (patch) | |
tree | 4d71eddc0aba5e57f6c2230dfa31a9cf4145cd19 /tests | |
parent | e13a342c079aeb73e31dfa19eaca119761bac3f3 (diff) | |
download | libgd-d507fbbd1f804a27bdc9e304d7b0b1c592c9b887.tar.gz |
Add a test for issue libgd#501 CVE-2019-11038
When using gdImageCreateFromXbm() it is possible to supply data that
will cause the function to use the value of uninitialized variable.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/xbm/.gitignore | 1 | ||||
-rw-r--r-- | tests/xbm/CMakeLists.txt | 4 | ||||
-rw-r--r-- | tests/xbm/Makemodule.am | 6 | ||||
-rw-r--r-- | tests/xbm/github_bug_501.c | 39 | ||||
-rw-r--r-- | tests/xbm/github_bug_501.xbm | 4 |
5 files changed, 53 insertions, 1 deletions
diff --git a/tests/xbm/.gitignore b/tests/xbm/.gitignore index a43d9d8..8a2565a 100644 --- a/tests/xbm/.gitignore +++ b/tests/xbm/.gitignore @@ -1,3 +1,4 @@ /github_bug_109 /github_bug_170 +/github_bug_501 /x10_basic_read diff --git a/tests/xbm/CMakeLists.txt b/tests/xbm/CMakeLists.txt index 3e3bb69..48ed360 100644 --- a/tests/xbm/CMakeLists.txt +++ b/tests/xbm/CMakeLists.txt @@ -1,3 +1,7 @@ +LIST(APPEND TESTS_FILES + github_bug_501 +) + IF(PNG_FOUND) LIST(APPEND TESTS_FILES github_bug_109 diff --git a/tests/xbm/Makemodule.am b/tests/xbm/Makemodule.am index a9a293d..17e44bb 100644 --- a/tests/xbm/Makemodule.am +++ b/tests/xbm/Makemodule.am @@ -1,3 +1,6 @@ +libgd_test_programs += \ + xbm/github_bug_501 + if HAVE_LIBPNG libgd_test_programs += \ xbm/github_bug_109 \ @@ -10,4 +13,5 @@ EXTRA_DIST += \ xbm/github_bug_109.xbm \ xbm/github_bug_109_exp.png \ xbm/x10_basic_read.xbm \ - xbm/x10_basic_read_exp.png + xbm/x10_basic_read_exp.png \ + xbm/github_bug_501.xbm diff --git a/tests/xbm/github_bug_501.c b/tests/xbm/github_bug_501.c new file mode 100644 index 0000000..5d8bfd7 --- /dev/null +++ b/tests/xbm/github_bug_501.c @@ -0,0 +1,39 @@ +/* + Test reading an invalid XBM image. + + The pixels of the XBM image are invalid hex which makes the uninitialezed + variable be encoded into the output image i.e. information disclosure. + The image is 8*2. + + See also <https://github.com/libgd/libgd/issues/501>. +*/ + +#include "gd.h" +#include "gdtest.h" + +int main() +{ + + gdImagePtr im; + FILE *fp; + + fp = gdTestFileOpen2("xbm", "github_bug_501.xbm"); + im = gdImageCreateFromXbm(fp); + + gdTestAssert(im == NULL); + + if (im) { + gdTestErrorMsg("Info Disclosed\n"); + int i; + for (i = 0; i < 8; i++) { + printf("Pixel(%d, 0) %0x\n", i, gdImageGetPixel(im, i, 0)); + } + for (i = 0; i < 8; i++) { + printf("Pixel(%d, 1) %0x\n", i, gdImageGetPixel(im, i, 1)); + } + gdImageDestroy(im); + } + + fclose(fp); + return gdNumFailures(); +} diff --git a/tests/xbm/github_bug_501.xbm b/tests/xbm/github_bug_501.xbm new file mode 100644 index 0000000..41ad301 --- /dev/null +++ b/tests/xbm/github_bug_501.xbm @@ -0,0 +1,4 @@ +#define width 8 +#define height 2 +static char bits[] ={ +xzzxzz |