Kees Cook from Ubuntu reported an "off-the-end-of-string increment", which could
theoretically lead to a buffer overflow.
This flaw would only be exploitable if a JIS-encoded font is used when
processing a special malicious string.
The issue here is that the NULL terminator is incremented, which could lead to
unknown results during the processing of the malicious string.
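To make the off-the-end increment concrete, here is an added toy string walk in C (an illustration written for this report, not gd's code and not the real gdft.c JIS logic). It assumes a two-byte escape where 0x1B is a lead byte that consumes the following byte, and contrasts the unconditional `next++` with the guarded `if (*next) next++;`.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy decoder standing in for gdft.c's string walk (an assumption, not gd's code):
 * byte 0x1B is a lead byte whose trail byte is consumed as part of the same
 * character.  Returns how far `next` advanced from `s` when the walk stopped. */
static size_t walk_offset(const char *s, int guarded)
{
    const char *next = s;

    while (*next) {
        unsigned char c = (unsigned char)*next; /* don't extend sign */
        next++;
        if (c == 0x1B) {
            if (guarded) {
                if (*next)      /* the fix: never step over the NUL terminator */
                    next++;
            } else {
                next++;         /* the bug: increments even when *next is NUL */
            }
        }
    }
    return (size_t)(next - s);
}

/* Constructed input: a string whose last byte is a lone lead byte, followed by
 * its NUL terminator (index 2) and then non-zero bytes that merely happen to sit
 * after it in memory. In a real process those bytes are whatever the heap holds. */
static const char kTruncatedLead[] = { 'a', 0x1B, '\0', 'X', 'Y', '\0' };

size_t truncated_lead_buggy(void) { return walk_offset(kTruncatedLead, 0); }
size_t truncated_lead_fixed(void) { return walk_offset(kTruncatedLead, 1); }
size_t complete_pair_buggy(void)  { return walk_offset("\x1B" "b", 0); }
size_t complete_pair_fixed(void)  { return walk_offset("\x1B" "b", 1); }

int main(void)
{
    printf("truncated lead byte, buggy: stopped at offset %zu (NUL was at 2)\n",
           truncated_lead_buggy());
    printf("truncated lead byte, fixed: stopped at offset %zu\n",
           truncated_lead_fixed());
    printf("complete pair, buggy/fixed: %zu/%zu\n",
           complete_pair_buggy(), complete_pair_fixed());
    return 0;
}
```

The unguarded walk keeps reading past the terminator until it finds another zero byte, which is exactly the "unknown results" the report describes; the guarded walk stops at the terminator.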
RCS file: /repository/gd/libgd/gdft.c,v
retrieving revision 1.28
diff -u -p -r1.28 gdft.c
--- gdft.c 3 Jan 2007 21:21:21 -0000 1.28
+++ gdft.c 24 Jan 2007 23:00:55 -0000
@@ -1178,7 +1178,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d
ch = c & 0xFF; /* don't extend sign */
+ if (*next) next++;
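Review bot: the excerpt shows only the added line `+ if (*next) next++;` and one context line; the `-` line it replaces (presumably the unconditional `next++`) is not visible, so the before/after pairing cannot be checked from this hunk alone. The guard itself is correct for the stated bug: it stops `next` from being advanced once it already points at the NUL terminator. It does rely on `next` pointing inside the string when the check runs; any later code that dereferences `*next` after this point still needs its own terminator check, since `next` may now legitimately stop on the NUL rather than on a trail byte.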
This flaw does not affect gd as shipped in RHEL2.1 or RHEL3.
This flaw also affects RHEL5. Once we can assign bugs to that version, I'll
move this from RHEL4.
This issue was addressed in:
Red Hat Application Stack:
Red Hat Enterprise Linux: