
pajoye  committed 6855913

- MFB: #86, Possible infinite loop in libgd/gd_png.c

  • Participants
  • Parent commits 57d7bf4
  • Branches master


Files changed (3)

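--- a/src/NEWS
+++ b/src/NEWS
 72, gdImageAALine draws axis lines with two pixels width
 73, TTF usage doesn't work properly on Netware (Guenter Knauf, Scott MacVicar)
 74, gdImageArc CPU usage with large angles
+78, gdImageFilledRectangle regression fixed when used with reversed edges
+86, Possible infinite loop in libgd/gd_png.c, flaw found by Xavier Roche
+    (Pierre)
 
 GD 2.0.34 (2007-02-07)
  3, Initialize variables in tweenColorTest, fix cache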

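--- a/src/gd_png.c
+++ b/src/gd_png.c
 static void
 gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length)
 {
-  gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
+  int check;
+  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
+  if (check != length) {
+    png_error(png_ptr, "Read Error: truncated data");
+  }
 }
 
 static void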
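Review bot: The new test `check != length` in gdPngReadData compares a signed `int` with the unsigned `png_size_t`, so a negative return from gdGetBuf is rejected only through implicit conversion to unsigned. Spelling out the failure case is clearer and silences sign-compare warnings: `if (check < 0 || (png_size_t) check != length) {`. The declaration of gdGetBuf is not visible here, so its return convention on error should be confirmed. A short comment above the check would record why it matters, e.g. `/* a short read must abort through png_error(); otherwise libpng keeps asking for data that never arrives */`.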

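--- a/src/tests/png/bug00086.c
+++ b/src/tests/png/bug00086.c
+/* $Id$ */
+/* id: gdbad3.c, Xavier Roche, May. 2007 */
+/* gcc gdbad3.c -o bad -lgd && ./bad */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "gd.h"
+
+static const unsigned char pngdata[93];
+int main(void) {
+	FILE *fp;
+	gdImagePtr im;
+	int i;
+	size_t out;
+
+	if ( ( im = gdImageCreateFromPngPtr(93, (char*) &pngdata[0]) ) == NULL) {
+		fprintf(stderr, "success!\n");
+		return 0;
+	} else {
+		fprintf(stderr, "failed!\n");
+		gdImageDestroy(im);
+		return 1;
+	}
+	return 0;
+}
+
+/* PNG data */
+static const unsigned char pngdata[93] = {137,80,78,71,13,10,26,10,0,0,
+0,13,73,72,68,82,0,0,0,120,0,0,0,131,8,6,0,0,0,70,49,223,8,0,0,0,6,98,
+75,71,68,0,255,0,255,0,255,160,189,167,147,0,0,0,9,112,72,89,115,0,0,92,
+70,0,0,92,70,1,20,148,67,65,0,0,0,9,118,112,65,103,0,0,0,120,0,0,0,131,
+0,226,13,249,45};
+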
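Review bot: If the gd_png.c check ever regresses, this test would presumably not exit with 1 but loop forever inside gdImageCreateFromPngPtr, so it needs to run under a harness timeout. A header comment should say so, e.g. `/* Truncated PNG for bug #86: the loader must return NULL; a hang means the read loop is back */`. The locals `fp`, `i` and `out` in main are never used, and the final `return 0;` after the if/else is unreachable, so both can be dropped. The length 93 is written once in the call and twice in the declarations, and `gdImageCreateFromPngPtr((int) sizeof pngdata, (char *) pngdata)` would keep the call tied to the array.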