Common Vulnerabilities and Exposures assigned an identifier CVE-2007-3472 to the following vulnerability: Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers has unspecified attack vectors and impact. References: http://bugs.libgd.org/?do=details&task_id=89
This just leads to unsuccessful attempt to allocate huge amount of memory and a NULL dereference in turn. Just a crash.
(In reply to comment #1) > This just leads to unsuccessful attempt to allocate huge amount of memory > and a NULL dereference in turn. Just a crash. What you refer to here is more likely: http://bugs.libgd.org/?do=details&task_id=14 http://cvs.php.net/viewcvs.cgi/gd/libgd/src/gd.c?r1=1.44&r2=1.45 Return values of various *alloc functions were not properly checked. In the case described in gd bug 89 -- im->tpixels[i] -- possibly being NULL, it depends on specific use. If attacker may control index used as second array index, he may possibly read / modify arbitrary memory address. Looking into gd_png and gd_jpeg (just a few places where gdImageCreateTrueColor is used), it seems that im->tpixels[i][] is traversed from lower indexes, so likely leading to SEGV soon. Upstream CVS commit for gd bug 89: http://cvs.php.net/viewcvs.cgi/gd/libgd/src/gd.c?r1=1.57&r2=1.58 Additionally, this seems to be same as CVE-2007-3996, part (b) reported for php-gd, described in: http://www.secweb.se/en/advisories/php-imagecreatetruecolor-integer-overflow/ (Text does not seem to be correct in claim that gdImageCreate if affected by overflow too, as char items are allocated.)
SecWeb advisory equivalent for gd: http://www.secweb.se/en/advisories/gd-gdimagecreatetruecolor-integer-overflow/
SecWeb advisory is somewhat misleading, as it describes integer overflow in gdImageCreateTrueColor, but in example PoC uses gdImageCreateFromXbm, which does not use gdImageCreateTrueColor, but gdImageCreate. Crash caused by that PoC seems to be what is known as CVE-2007-3473 (see bug bug #276791).
This issue does not affect versions of gd as shipped in Red Hat Enterprise Linux 2.1 and 3, as they do not provide affected gdImageCreateTrueColor() function.
This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0146.html Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2007-2055
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates to libwmf on Red Hat Enterprise Linux 5 and 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.