Fix #74435: Buffer over-read into uninitialized memory

The stack allocated color map buffers were not zeroed before usage, and so undefined palette indexes could cause information leakage.
2024-11-23 18:04:36 +08:00 · 2017-06-20 16:45:42 +02:00 · 2017-06-20 16:45:42 +02:00 · 8dc4f4dc9e
commit 8dc4f4dc9e
parent 5f8380d33e
3 changed files with 30 additions and 0 deletions
--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
 	int haveGlobalColormap;
 	gdImagePtr im = 0;

+	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
+	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
+
 	/*1.4//imageNumber = 1; */
 	if (! ReadOK(fd,buf,6)) {
 		return 0;
--- a/ext/gd/tests/bug74435.gif
+++ b/ext/gd/tests/bug74435.gif
--- a/ext/gd/tests/bug74435.phpt
+++ b/ext/gd/tests/bug74435.phpt
@ -0,0 +1,27 @@
+--TEST--
+Bug #74435 (Buffer over-read into uninitialized memory)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatefromgif(__DIR__ . DIRECTORY_SEPARATOR . 'bug74435.gif');
+var_dump($im);
+$width = imagesx($im);
+$height = imagesy($im);
+for ($i = 0; $i < $width; $i += 16) {
+    for ($j = 0; $j < $height; $j += 16) {
+        if (($index = imagecolorat($im, $i, $j)) >= 2) {
+            list($red, $green, $blue, $alpha) = array_values(imagecolorsforindex($im, $index));
+            if ($red !== 0 || $green !== 0 || $blue !== 0 || $alpha !== 0) {
+                echo "unexpected color at ($i, $j)\n";
+            }
+        }
+    }
+}
+?>
+===DONE===
+--EXPECTF--
+resource(%d) of type (gd)
+===DONE===