Memory overrun in gd_interpolation.c

Issue #91 resolved
Chris Reuter created an issue

gdImageScaleTwoPass() in gd_interpolation.c constructs an array of data structures containing arrays of weights used for interpolating the pixel values. Unfortunately, the arrays of weights are sometimes smaller than their parent structure reports, resulting in reads past the ends of the arrays.

This seems to be harmless most of the time since (I think) malloc() on Linux adds extra space to the end of the array and leaves it initialized to zero.

In order to detect it, you need to first apply the attached patch ("window-assert.patch"). This puts an assert in front of the array access, causing the program to die if the index is too big.

The attached program 'membug.c' tickles the bug. If you compile and run it (or just run it as a shell script), it will trigger the assertion by resizing an image.

(I also have a fix for this; the pull request will be submitted in about five minutes.)
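As an added illustration (not code from the reporter's patch or from libgd), the snippet below models the defect class described above: a window structure whose reported weight count exceeds the number of weights actually allocated, with a checked accessor that refuses the read instead of running past the end. The `Window` type, its fields and all helper names are hypothetical stand-ins, not libgd's own structures.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an interpolation contribution window:
 * `count` is how many weights the scaler believes are valid,
 * `capacity` is how many doubles were really allocated. The bug
 * class on this page is count > capacity, so an unchecked loop
 * reads past the end of `weights` into adjacent heap memory. */
typedef struct {
    double *weights;
    size_t count;     /* reported number of weights */
    size_t capacity;  /* actual allocation size */
} Window;

/* Constructed window; count may deliberately exceed capacity. */
static Window *window_new(size_t count, size_t capacity) {
    Window *w = calloc(1, sizeof *w);
    if (!w) return NULL;
    w->weights = calloc(capacity, sizeof(double));
    if (!w->weights) { free(w); return NULL; }
    w->count = count;
    w->capacity = capacity;
    return w;
}

static void window_free(Window *w) {
    if (w) { free(w->weights); free(w); }
}

/* Checked weighted sum: returns 0 on success and -1 when the
 * reported count exceeds the allocation (or the pixel row), which is
 * the condition the reporter's assert would have caught. */
static int window_apply(const Window *w, const double *px, size_t npx, double *out) {
    if (w->count > w->capacity || w->count > npx) return -1;
    double acc = 0.0;
    for (size_t i = 0; i < w->count; i++) acc += w->weights[i] * px[i];
    *out = acc;
    return 0;
}

/* Returns 1 if a consistent window yields 20.0 from the constructed
 * row and an oversized window is rejected; 0 otherwise. */
int overrun_is_detected(void) {
    double px[3] = {10.0, 20.0, 30.0}, r = 0.0;
    Window *ok = window_new(3, 3), *bad = window_new(5, 3);
    if (!ok || !bad) { window_free(ok); window_free(bad); return 0; }
    ok->weights[0] = 0.25; ok->weights[1] = 0.5; ok->weights[2] = 0.25;
    int good = window_apply(ok, px, 3, &r) == 0 && r == 20.0;
    int caught = window_apply(bad, px, 3, &r) == -1;
    window_free(ok); window_free(bad);
    return good && caught;
}

int main(void) { printf("overrun detected: %d\n", overrun_is_detected()); return 0; }
```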

Comments (5)

  1. Chris Reuter reporter

    This bug also causes a huge performance hit on IA-64+Linux. The area after the end of the array (presumably some heap metadata) is interpreted as a legit but very small double and my experiments have determined that multiplying this takes a lot longer than the actual data. I saw a 300% performance increase in image shrinking just by fixing this bug.
