Dark Mode

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Commit 11d701a

Browse files
authored
Port fix for libgd bug 447 (GH-17320)
That bug has been potentially exploitable[1], but the GD extension was not affected by that, because `gdImageBmpPtr()` is never called. Still it seems to be reasonable to port the fix; if only to keep bundled and external libgd synced. [1] <GHSA-hc3p-jvff-jfw5>
1 parent 2dfe927 commit 11d701a

File tree

1 file changed

+13
-3
lines changed
  • ext/gd/libgd
    • gd_bmp.c

1 file changed

+13
-3
lines changed

ext/gd/libgd/gd_bmp.c

Lines changed: 13 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
4040
static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
4141
static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
4242

43+
static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
44+
4345
#define BMP_DEBUG(s)
4446

4547
static int gdBMPPutWord(gdIOCtx *out, int w)
@@ -68,8 +70,10 @@ void * gdImageBmpPtr(gdImagePtr im, int *size, int compression)
6870
void *rv;
6971
gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
7072
if (out == NULL) return NULL;
71-
gdImageBmpCtx(im, out, compression);
72-
rv = gdDPExtractData(out, size);
73+
if (!_gdImageBmpCtx(im, out, compression))
74+
rv = gdDPExtractData(out, size);
75+
else
76+
rv = NULL;
7377
out->gd_free(out);
7478
return rv;
7579
}
@@ -90,12 +94,17 @@ void gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
9094
*/
9195
void gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
9296
{
97+
_gdImageBmpCtx(im, out, compression);
98+
}
99+
100+
static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression){
93101
int bitmap_size = 0, info_size, total_size, padding;
94102
int i, row, xpos, pixel;
95103
int error = 0;
96104
unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
97105
FILE *tmpfile_for_compression = NULL;
98106
gdIOCtxPtr out_original = NULL;
107+
int ret = 1;
99108

100109
/* No compression if its true colour or we don't support seek */
101110
if (im->trueColor) {
@@ -273,6 +282,7 @@ void gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
273282
out_original = NULL;
274283
}
275284

285+
ret = 0;
276286
cleanup:
277287
if (tmpfile_for_compression) {
278288
#ifdef _WIN32
@@ -286,7 +296,7 @@ void gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
286296
if (out_original) {
287297
out_original->gd_free(out_original);
288298
}
289-
return;
299+
return ret;
290300
}
291301

292302
static int compress_row(unsigned char *row, int length)

0 commit comments

Comments
(0)