
Commit 11d701a

authored
Port fix for libgd bug 447 (GH-17320)
That bug has been potentially exploitable[1], but the GD extension was not affected by that, because `gdImageBmpPtr()` is never called. Still it seems to be reasonable to port the fix; if only to keep bundled and external libgd synced. [1] <GHSA-hc3p-jvff-jfw5>
1 parent 2dfe927 commit 11d701a

1 file changed

+13
-3
lines changed

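--- a/ext/gd/libgd/gd_bmp.c
+++ b/ext/gd/libgd/gd_bmp.c
@@ -40,6 +40,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
 static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
 static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
 
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
+
 #define BMP_DEBUG(s)
 
 static int gdBMPPutWord(gdIOCtx *out, int w)
@@ -68,8 +70,10 @@ void * gdImageBmpPtr(gdImagePtr im, int *size, int compression)
 void *rv;
 gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
 if (out == NULL) return NULL;
-gdImageBmpCtx(im, out, compression);
-rv = gdDPExtractData(out, size);
+if (!_gdImageBmpCtx(im, out, compression))
+rv = gdDPExtractData(out, size);
+else
+rv = NULL;
 out->gd_free(out);
 return rv;
 }
@@ -90,12 +94,17 @@ void gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
 */
 void gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 {
+_gdImageBmpCtx(im, out, compression);
+}
+
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression){
 int bitmap_size = 0, info_size, total_size, padding;
 int i, row, xpos, pixel;
 int error = 0;
 unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
 FILE *tmpfile_for_compression = NULL;
 gdIOCtxPtr out_original = NULL;
+int ret = 1;
 
 /* No compression if its true colour or we don't support seek */
 if (im->trueColor) {
@@ -273,6 +282,7 @@ void gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 out_original = NULL;
 }
 
+ret = 0;
 cleanup:
 if (tmpfile_for_compression) {
 #ifdef _WIN32
@@ -286,7 +296,7 @@ void gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 if (out_original) {
 out_original->gd_free(out_original);
 }
-return;
+return ret;
 }
 
 static int compress_row(unsigned char *row, int length)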
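Review bot: `_gdImageBmpCtx()` returns 0 on success and 1 on failure, but nothing documents that, and the call site in `gdImageBmpPtr()` (`if (!_gdImageBmpCtx(im, out, compression))`) reads as if non-zero meant success. A comment above the static definition, such as `/* Returns 0 on success, 1 on failure; the cleanup block runs in both cases. */`, would guard against a later inverted check that again extracts data from a context whose write failed. On the failure branch `rv = NULL;` leaves `*size` unwritten, so adding `*size = 0;` beside it would protect callers that read the size before testing the pointer. Most of `_gdImageBmpCtx()`'s body lies outside the hunks shown, so the assumption that every error path reaches `cleanup` with `ret` still 1 should be checked against the full file.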
