GD is an open source code library for the dynamic creation of images by programmers. GD is written in C, and “wrappers” are available for Perl, PHP and other languages. GD creates PNG, JPEG and GIF images, among other formats. GD is commonly used to generate charts, graphics, thumbnails, and most anything else, on the fly. While not restricted to use on the web, the most common applications of GD involve web site development.
See the GD website for more informations.
FS#87 — fix segfault when an invalid color index is present in the image data
Opened by Pierre Joye (Pierre) - Friday, 08 June 2007, 07:20 GMT+2
Last edited by Pierre Joye (Pierre) - Friday, 08 June 2007, 07:24 GMT+2
|
DetailsReport from Elliot <wccoder at gmail dot com> In gd_gif_in.c:567 Values read from the data stream are not bounds-checked. An attacker can create values of v (type int) which are larger than the array im→open (256 bytes). If the value of im→open[v] happens to be non-zero, it is overwritten with a zero on line 593. This corrupts the heap. The attacker can’t control what value is overwritten (always 0), but they could control which bytes are overwritten. libgd should clamp values of v to be between acceptable values [0,255]. Note that values of v are clamped to 4096, since this is the maximum number of bits per codeword that gd will accept, so it isn’t an arbitrary overwrite. It is enough to corrupt the heap and cause a DoS though. |
Friday, 08 June 2007, 07:24 GMT+2
Reason for closing: Fixed
Additional comments about closing: Will be in 2.0.35