Fixed some known gd security holes, per Mark Espie,
authornorth <devnull@localhost>
Thu, 15 Feb 2007 20:10:36 +0000 (20:10 +0000)
committernorth <devnull@localhost>
Thu, 15 Feb 2007 20:10:36 +0000 (20:10 +0000)
from Ubuntu,  http://secunia.com/advisories/20500/

lib/gd/gd_gif_in.c
lib/gd/gdft.c

index 18c952674674a15c516089bc0bea28ca037f1e4b..e1f1bdbf6ba1170d534930e53fb0894efc090a48 100644 (file)
@@ -122,6 +122,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
        char            version[4];
        /* 2.0.28: threadsafe storage */
        int ZeroDataBlock = FALSE;
+       int             maxcount = 1024;
 
        gdImagePtr im = 0;
        if (! ReadOK(fd,buf,6)) {
@@ -168,6 +169,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
                }
 
                if (c != ',') {         /* Not a valid start character */
+                      if (--maxcount < 0)
+                              goto terminated;  /* Looping */
                        continue;
                }
 
@@ -246,6 +249,7 @@ static int
 DoExtension(gdIOCtx *fd, int label, int *Transparent, int *ZeroDataBlockP)
 {
        static unsigned char     buf[256];
+       int                      maxcount = 1024;
 
        switch (label) {
        case 0xf9:              /* Graphic Control Extension */
@@ -258,13 +262,13 @@ DoExtension(gdIOCtx *fd, int label, int *Transparent, int *ZeroDataBlockP)
                if ((buf[0] & 0x1) != 0)
                        *Transparent = buf[3];
 
-               while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+               while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
                        ;
                return FALSE;
        default:
                break;
        }
-       while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+       while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
                ;
 
        return FALSE;
@@ -423,14 +427,15 @@ LWZReadByte_(gdIOCtx *fd, int flag, int input_code_size, int *ZeroDataBlockP)
                } else if (code == end_code) {
                        int             count;
                        unsigned char   buf[260];
+                      int             maxcount = 1024;
 
                        if (*ZeroDataBlockP)
                                return -2;
 
-                       while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0)
+                       while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0  && --maxcount >= 0)
                                ;
 
-                       if (count != 0)
+                       if (count != 0 || maxcount < 0)
                        return -2;
                }
 
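Review bot: The two bounded loops in DoExtension (the `while` in the 0xf9 case and the one after the `switch`) still test `GetDataBlock(...) != 0`, so if GetDataBlock reports a read failure with a negative value — as the `> 0` comparison used in the LWZReadByte_ hunk suggests — a truncated stream is retried until the counter expires instead of exiting on the first failure. Using the same comparison as LWZReadByte_, `while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0 && --maxcount >= 0)`, stops at the first failed read and leaves the counter to cover only the pathological well-formed case. When the counter does expire, DoExtension returns FALSE exactly as on the normal path, so unlike the `goto terminated` in gdImageCreateFromGifCtx the caller cannot tell that the extension was abandoned mid-stream; if the caller inspects the return value, a distinct value for that case would be worth considering. The literal 1024 is also repeated four times in this file; one named limit near the top, e.g. `#define GD_GIF_MAX_BLOCKS 1024` (name constructed here), would document the bound and keep the four sites in step.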
index 4c814db6efa7cf92668666f5fcfd9bb59c76719c..922a53c2ef18d4c28fa98951f68faf9fe6fd2097 100644 (file)
@@ -1180,7 +1180,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d ptsize=%g\n",hdpi,vdpi,METRIC_RES,ptsize
               * ftp://ftp.ora.com/pub/examples/nutshell/ujip/doc/japan.inf-032092.sjs
               */
              ch = (*next) & 0xFF;      /* don't extend sign */
-             next++;
+             if (*next) next++;
              if (ch >= 161     /* first code of JIS-8 pair */
                  && *next)
                {               /* don't advance past '\0' */
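Review bot: The guard at `if (*next) next++;` keeps `next` from moving past the terminator, but it also means that when `*next` is already '\0' the pointer does not advance at all, so the enclosing loop (which begins and ends outside this hunk) must terminate on that condition or it will spin on the same position; if it already does, a short comment here would make the dependency visible, e.g. `/* stay on the terminator; the enclosing loop must stop on ch == 0 */`. Since `ch` was just loaded from `*next` on the line above and is zero exactly when `*next` is, `if (ch) next++;` expresses the same check without a second dereference.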