Package: libgd2-xpm
Version: 2.0.33-1.1sarge1
Severity: grave
Tags: security patch
Justification: user security hole
libgd2 crashes on some corrupt GIFs [1]. This issue was found in PHP (php bug #38112 [2]). With php4 + php4-gd the segfault can be triggered by executing the PoC at [3]. The attached patch has been adapted from the bug report and seems to fix the problem.

[1] http://people.debian.org/~seanius/security/php/poc/38112.gif
[2] http://bugs.php.net/bug.php?id=38112
[3] http://people.debian.org/~seanius/security/php/poc/38112.poc

Severity grave because this might lead to arbitrary code execution in php (although I haven't tried to analyze the problem further).
--- libgd2-2.0.33/gd_gif_in.c 2006-08-27 10:34:02.021822968 +0200 +++ libgd2-2.0.33.patched/gd_gif_in.c 2006-08-27 01:01:05.050952000 +0200 @@ -208,6 +208,12 @@ if (!im) { return 0; } + + if (!im->colorsTotal) { + gdImageDestroy(im); + return 0; + } + /* Check for open colors at the end, so we can reduce colorsTotal and ultimately BitsPerPixel */ @@ -497,6 +503,19 @@ int v; int xpos = 0, ypos = 0, pass = 0; int i; + + /* + ** Initialize the Compression routines + */ + if (! ReadOK(fd,&c,1)) { + return; + } + + if (c > MAX_LWZ_BITS) { + return; + } + + /* Stash the color map into the image */ for (i=0; (i<gdMaxColors); i++) { im->red[i] = cmap[CM_RED][i]; @@ -506,12 +525,6 @@ } /* Many (perhaps most) of these colors will remain marked open. */ im->colorsTotal = gdMaxColors; - /* - ** Initialize the Compression routines - */ - if (! ReadOK(fd,&c,1)) { - return; - } if (LWZReadByte(fd, TRUE, c, ZeroDataBlockP) < 0) { return; }
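Review bot: the new `if (!im->colorsTotal)` test in the first hunk (@@ -208) only works because ReadImage leaves colorsTotal at zero when it bails out before reaching `im->colorsTotal = gdMaxColors;`, and nothing in the hunk says so; add a one-line comment at the check (for example `/* ReadImage returned early: no palette was stored */`) so that a later change to the order in which ReadImage initializes the image does not silently disable this guard. Calling gdImageDestroy(im) before `return 0;` is the right cleanup and matches the `if (!im) { return 0; }` path directly above it.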
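Review bot: in the second hunk (@@ -497) the two new early `return;` statements in ReadImage signal failure only implicitly, by leaving colorsTotal untouched for the caller to notice; document that at both returns, since a reader of this function alone cannot see why a silent return is safe. Moving the ReadOK of the code-size byte and the new `if (c > MAX_LWZ_BITS)` bound check ahead of the colormap copy is the substantive fix: an oversized LZW initial code size is now rejected before any image state is populated, instead of being passed straight to LWZReadByte as in the original ordering.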
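Review bot: the third hunk (@@ -506) is the counterpart of the second, relocating rather than deleting the `Initialize the Compression routines` block, so the ReadOK call and its comment survive at the new position; the one thing to verify is that `c` is still declared before its new, earlier use ahead of the colormap loop, because the visible context of the second hunk shows `int v;`, `int xpos = 0, ypos = 0, pass = 0;` and `int i;` but not the declaration of `c`.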