
pajoye  committed 6855913

- MFB: #86, Possible infinite loop in libgd/gd_png.c

  • Parent commits 57d7bf4
  • Branches master


Files changed (3)

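--- a/src/NEWS
+++ b/src/NEWS
 72, gdImageAALine draws axis lines with two pixels width
 73, TTF usage doesn't work properly on Netware (Guenter Knauf, Scott MacVicar)
 74, gdImageArc CPU usage with large angles
+78, gdImageFilledRectangle regression fixed when used with reversed edges
+86, Possible infinite loop in libgd/gd_png.c, flaw found by Xavier Roche
+    (Pierre)
 
 GD 2.0.34 (2007-02-07)
  3, Initialize variables in tweenColorTest, fix cache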

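--- a/src/gd_png.c
+++ b/src/gd_png.c
 static void
 gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length)
 {
-  gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
+  int check;
+  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
+  if (check != length) {
+    png_error(png_ptr, "Read Error: truncated data");
+  }
 }
 
 static void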
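Review bot: The added comparison `check != length` mixes the signed `int check` with the unsigned `png_size_t length`, so a negative return from gdGetBuf is only caught because it converts to a very large unsigned value. Writing the guard as `if (check < 0 || (png_size_t) check != length) {` states the intent and stays clean under `-Wsign-compare`. A short comment above the call would also help the next reader, e.g. `/* png_error() does not return; a short read must abort decoding instead of letting libpng keep requesting data */`. This relies on the caller having set up libpng's error handling, which is outside the hunk and should be confirmed.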

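--- a/src/tests/png/bug00086.c
+++ b/src/tests/png/bug00086.c
+/* $Id$ */
+/* id: gdbad3.c, Xavier Roche, May. 2007 */
+/* gcc gdbad3.c -o bad -lgd && ./bad */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "gd.h"
+
+static const unsigned char pngdata[93];
+int main(void) {
+	FILE *fp;
+	gdImagePtr im;
+	int i;
+	size_t out;
+
+	if ( ( im = gdImageCreateFromPngPtr(93, (char*) &pngdata[0]) ) == NULL) {
+		fprintf(stderr, "success!\n");
+		return 0;
+	} else {
+		fprintf(stderr, "failed!\n");
+		gdImageDestroy(im);
+		return 1;
+	}
+	return 0;
+}
+
+/* PNG data */
+static const unsigned char pngdata[93] = {137,80,78,71,13,10,26,10,0,0,
+0,13,73,72,68,82,0,0,0,120,0,0,0,131,8,6,0,0,0,70,49,223,8,0,0,0,6,98,
+75,71,68,0,255,0,255,0,255,160,189,167,147,0,0,0,9,112,72,89,115,0,0,92,
+70,0,0,92,70,1,20,148,67,65,0,0,0,9,118,112,65,103,0,0,0,120,0,0,0,131,
+0,226,13,249,45};
+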
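Review bot: Nothing bounds this regression test's run time, so if the read check in gd_png.c ever regresses the test would hang instead of failing, since the defect it guards against is an infinite loop on what appears to be a PNG cut short in `pngdata`. The harness that runs bug00086 should enforce a timeout, and a comment at the top of `main` should record the expectation, e.g. `/* must terminate: pngdata is incomplete, and a NULL result is the expected outcome */`. The locals `fp`, `i` and `out` are never used, and the final `return 0;` after the if/else is unreachable. The literal `93` in the `gdImageCreateFromPngPtr` call could be `sizeof pngdata` so the length passed to the decoder cannot drift from the array.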