Package: libgd2-xpm
Version: 2.0.33-1.1sarge1
Severity: grave
Tags: security patch
Justification: user security hole


libgd2 crashes on some corrupt GIFs [1]. This issue was found in PHP (php bug
#38112 [2]). With php4 + php4-gd the segfault can be triggered by executing the
PoC at [3]. The attached patch has been adapted from the bug report and seems to
fix the problem.

[1] http://people.debian.org/~seanius/security/php/poc/38112.gif
[2] http://bugs.php.net/bug.php?id=38112
[3] http://people.debian.org/~seanius/security/php/poc/38112.poc


Severity grave because this might lead to arbitrary code execution in php
(although I haven't tried to analyze the problem further).
--- libgd2-2.0.33/gd_gif_in.c	2006-08-27 10:34:02.021822968 +0200
+++ libgd2-2.0.33.patched/gd_gif_in.c	2006-08-27 01:01:05.050952000 +0200
@@ -208,6 +208,12 @@
        if (!im) {
 		return 0;
        }
+
+		if (!im->colorsTotal) {
+			gdImageDestroy(im);
+			return 0;
+		}
+
        /* Check for open colors at the end, so
           we can reduce colorsTotal and ultimately
           BitsPerPixel */
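Review bot: The new `if (!im->colorsTotal)` block is indented with tabs while the surrounding lines in this hunk (`if (!im) {`, the `/* Check for open colors ... */` comment) use spaces; match the existing indentation so the check reads as part of the same block. On substance, the placement is right: it sits after the `if (!im)` guard, so `im` is non-NULL when `im->colorsTotal` is dereferenced, and it frees the image with `gdImageDestroy(im)` before returning 0, which is consistent with the `return 0` failure convention already used just above it. It would help a future reader to add a one-line comment saying why an image with no colours is rejected here (the report ties it to the crash on corrupt GIFs) rather than leaving the condition bare.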
@@ -497,6 +503,19 @@
        int             v;
        int             xpos = 0, ypos = 0, pass = 0;
        int i;
+
+	   /*
+		**  Initialize the Compression routines
+		*/
+	   if (! ReadOK(fd,&c,1)) {
+		   return;
+	   }
+
+	   if (c > MAX_LWZ_BITS) {
+		   return;	
+	   }
+
+
        /* Stash the color map into the image */
        for (i=0; (i<gdMaxColors); i++) {
                im->red[i] = cmap[CM_RED][i];	
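Review bot: Both new early exits here are bare `return;` statements, so a truncated file (`ReadOK` failing) and an invalid code size (`c > MAX_LWZ_BITS`) are indistinguishable from success to whatever called this function; if the surrounding code has a way to signal failure for this void function, use it, otherwise at least document in a comment that the image is left with its colour map unset when these paths are taken, since the `/* Stash the color map into the image */` loop now runs only after the check. Style: the added lines mix tabs and spaces against the 8-space indentation of the surrounding declarations, there is trailing whitespace after `return;` in the `c > MAX_LWZ_BITS` branch, and two blank lines are left before the colour-map comment where one would do. The moved `Initialize the Compression routines` comment still describes the `ReadOK` read, but nothing explains the `MAX_LWZ_BITS` bound; a short comment such as `/* initial LZW code size must fit the decoder's tables */` would make the intent of the new check clear.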
@@ -506,12 +525,6 @@
        }
        /* Many (perhaps most) of these colors will remain marked open. */
        im->colorsTotal = gdMaxColors;
-       /*
-       **  Initialize the Compression routines
-       */
-       if (! ReadOK(fd,&c,1)) {
-               return; 
-       }
        if (LWZReadByte(fd, TRUE, c, ZeroDataBlockP) < 0) {
                return;
        }
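Review bot: This hunk only deletes the old read of `c`, so it is correct only together with the previous hunk, which now reads `c` (and bounds-checks it) before the colour map is stashed; please confirm that `c` is still declared in this function after the move and that no other code between the two hunks relied on the read happening after `im->colorsTotal = gdMaxColors;`. The remaining `if (LWZReadByte(fd, TRUE, c, ZeroDataBlockP) < 0)` call is the consumer of the bounds-checked value, so a comment on it noting that `c` has already been validated against `MAX_LWZ_BITS` would tie the two hunks together for the next reader. Minor: the removed `return;` line carried trailing whitespace, which this change incidentally cleans up.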
