-= CVE-2007-0455 =-

Vulnerable versions: LibGD <= 2.0.33
File(s): gdft.c
Download from:
  http://www.libgd.org/releases/oldreleases/gd-2.0.33.tar.gz

Domain: Graphics Library

_ Vulnerable Functions and Buffers _

This is actually an out-of-bounds read, but it seems structurally the
same as the out-of-bounds writes, and was reported using the term
"buffer overflow."

A buffer, string[], is a parameter to the function
gdImageStringFTEx(). This string is traversed using a loop containing
a switch statement, with cases based on the character encoding of the
string. If the string is JIS-encoded, the iterator variable can be
incremented twice. The second increment is performed without first
checking for the end-of-string character, which can thus cause the
loop reading the string to access out-of-bounds memory. This can lead
to a crash.

I've chopped out the stuff that doesn't relate to how the iterator is
incremented -- we don't care about cruft for which we just need to
know "there is some path through this."

The variants in the program actually come from variations in the
algorithm used to parse Unicode characters. Since Unicode characters
are encoded using a variable number of bytes, the iterator over
string[] can be advanced by a variable number of bytes on each
iteration. The helper function for reading Unicode recognizes HTML 4.0
entities; I've made versions of this function dealing with different
subsets of the characters recognized by the original.

_ Decomposed Programs _

gd.h

gdImageStringFTEx/
  gd_simp_bad.c
  gd_no_entities_bad.c
  gd_some_entities_bad.c
  gd_full_bad.c

