CVE-2014-9709: libgd / gd-libgd - 47eb44b
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
committed 47eb44b 2014-12-13
Fix possible buffer read overflow
detected by -fsanitize=address, thanks to Jan Bee
Files changed (1)
+9 -2
M src/gd_gif_in.c
File src/gd_gif_in.c Modified
#define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+#define CSD_BUF_SIZE 280
- unsigned char buf[280];
unsigned char buf[CSD_BUF_SIZE];
for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
- ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
if (i < CSD\_BUF\_SIZE \* 8) {
ret |= ((scd->buf\[i / 8\] & (1 << (i % 8))) != 0) << j;
scd->curbit += code_size;
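Review bot: the for loop still produces a code when i runs past the end of scd->buf. The new "if (i < CSD_BUF_SIZE * 8)" test only skips the out-of-range bits, so the missing bits are silently left as zero, and "scd->curbit += code_size;" still advances the position past the buffer. Consider checking scd->curbit + code_size against the bit limit once, before the loop, and signalling the condition to the caller instead of returning a partially filled code. Writing the limit as sizeof(scd->buf) * 8 would also keep it tied to the "unsigned char buf[CSD_BUF_SIZE];" declaration if the size ever changes. The commit touches only src/gd_gif_in.c, so a regression test with a truncated GIF that reaches this path would be worth adding.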