Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
Seems like it's already fixed in 2.0.34 From source: { ch = c & 0xFF; /* don't extend sign */ } if (*next) next++; } break; case gdFTEX_Big5: From RH patch: RCS file: /repository/gd/libgd/gdft.c,v retrieving revision 1.28 diff -u -p -r1.28 gdft.c --- gdft.c 3 Jan 2007 21:21:21 -0000 1.28 +++ gdft.c 24 Jan 2007 23:00:55 -0000 @@ -1178,7 +1178,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d { ch = c & 0xFF; /* don't extend sign */ } - next++; + if (*next) next++; } break; case gdFTEX_Big5:
Seeing the notice on heise.de I had a look at gd-2.0.34 and it's definitely not fixed.
Uh, sorry, looked in the wrong line.
