VYPR
Unrated severity · NVD Advisory · Published Feb 11, 2020 · Updated Aug 5, 2024

CVE-2018-14553

Description

A NULL pointer dereference in gdImageClone() allows attackers to crash applications through specific function call sequences, affecting libgd versions 2.1.0-rc2 through 2.2.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The gdImageClone() function in gd.c of the GD Graphics Library (libgd), from version 2.1.0-rc2 through 2.2.5, contains a NULL pointer dereference [1]. The clone is built by creating a fresh destination image, which has no style buffer yet, and then copying the source's fields into it. When the source carries a non-empty style (styleLength > 0), the pre-fix code copies each src->style[i] into dst->style[i] before gdImageSetStyle(), the call that allocates dst->style, has been made, so the copy loop writes through a NULL pointer (the removed block in the patch below). This flaw is reachable only in PHP when it is linked against an external (non-bundled) libgd [1][2].

Exploitation

An attacker does not require authentication or special privileges [1][2]. The triggering call sequence is: gdImageSetStyle() on an image with a non-empty style array, then gdImageClone() on that same image. The clone's copy loop indexes dst->style[i] on a destination whose style buffer has not been allocated yet, and that write is the NULL pointer dereference [3]. The attacker would need to craft input that causes an application (such as a PHP script) to invoke exactly this sequence.

Impact

Successful exploitation causes the application to crash, resulting in a denial of service (DoS) [1][2]. There is no evidence in the available references of code execution, privilege escalation, or information disclosure beyond a crash. The impact is limited to service availability.

Mitigation

The fix was committed in commit a93eac0e843148dc2d631c3ba80af17e9c8c860f [3]. It removes the early loop that copied style entries into the not-yet-allocated dst->style and relies instead on the existing gdImageSetStyle(dst, src->style, src->styleLength) call later in the function, which allocates the destination buffer and copies the entries; a separate dst->stylePos = src->stylePos assignment is added after that call so the current position within the dash pattern is preserved [3]. Patched versions were released by Ubuntu in USN-4316-1 (for Ubuntu 18.04 LTS and 16.04 LTS) and USN-4316-2 (for Ubuntu 14.04 ESM) on 2 April 2020 [1][2]. Users should upgrade to libgd version 2.3.0 or later; if an upgrade is not immediately available, ensure that applications do not call gdImageClone() on an image after gdImageSetStyle() has given it a non-empty style.
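To make the call sequence described under Exploitation and the shape of the fix described under Mitigation concrete, here is an added example; it is not libgd's code and not part of the original advisory. It models only the three gdImage fields the patch touches in a stand-in struct, with create_image, set_style, destroy_image, clone_pre_fix, clone_fixed and clone_crashes as assumed helper names standing in for gdImageCreate, gdImageSetStyle, gdImageDestroy and the two shapes of gdImageClone; the dash pattern values are constructed. The pre-fix clone is run under a fault trap so the NULL write shows up as a return value instead of killing the process:

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the three gdImage fields the patch touches. The field names
 * are assumed to mirror libgd's; this struct is not gdImage. */
struct model_image {
    int *style;        /* dash pattern; NULL until set_style() allocates it */
    int  styleLength;
    int  stylePos;     /* current index into the pattern */
};

/* Models gdImageCreate(): a new image has no style buffer. noinline keeps the
 * compiler from proving dst->style is NULL and folding the write away. */
__attribute__((noinline)) struct model_image *create_image(void)
{
    return calloc(1, sizeof(struct model_image));
}

/* Models gdImageSetStyle(): (re)allocate the buffer, copy, reset position. */
void set_style(struct model_image *im, const int *style, int n)
{
    free(im->style);
    im->style = malloc(sizeof(int) * (size_t)n);
    if (!im->style) { im->styleLength = 0; return; }
    memcpy(im->style, style, sizeof(int) * (size_t)n);
    im->styleLength = n;
    im->stylePos = 0;
}

void destroy_image(struct model_image *im)
{
    if (im) { free(im->style); free(im); }
}

/* Shape of gdImageClone() before the fix: the loop indexes dst->style, which
 * create_image() left NULL, so any non-empty style is a NULL write. */
struct model_image *clone_pre_fix(const struct model_image *src)
{
    struct model_image *dst = create_image();
    if (src->styleLength > 0) {
        dst->styleLength = src->styleLength;
        dst->stylePos    = src->stylePos;
        for (int i = 0; i < src->styleLength; i++)
            dst->style[i] = src->style[i];      /* NULL dereference */
    }
    if (src->style)
        set_style(dst, src->style, src->styleLength);
    return dst;
}

/* Shape after the fix: let set_style() allocate and copy, then restore the
 * position. The dst->style check is an extra guard for allocation failure. */
struct model_image *clone_fixed(const struct model_image *src)
{
    struct model_image *dst = create_image();
    if (src->style) {
        set_style(dst, src->style, src->styleLength);
        if (dst->style)
            dst->stylePos = src->stylePos;
    }
    return dst;
}

/* Run clone(src) with a fault trap installed: 1 if it faulted, 0 if it
 * returned normally, so the crash is observable in-process. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

int clone_crashes(struct model_image *(*clone)(const struct model_image *),
                  const struct model_image *src)
{
    struct sigaction sa, old_segv, old_bus, old_ill;
    volatile int crashed = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS,  &sa, &old_bus);
    sigaction(SIGILL,  &sa, &old_ill);
    if (sigsetjmp(fault_env, 1) == 0)
        destroy_image(clone(src));
    else
        crashed = 1;
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS,  &old_bus,  NULL);
    sigaction(SIGILL,  &old_ill,  NULL);
    return crashed;
}

/* Drives the CVE's sequence (non-empty style, then clone) through both clone
 * shapes. Returns the number of expectations met, out of 5. */
int check_clone_behaviour(void)
{
    static const int pattern[] = {1, 0, 0, 2};   /* constructed sample style */
    int ok = 0;
    struct model_image *im = create_image();
    set_style(im, pattern, 4);
    im->stylePos = 3;                            /* mid-pattern, as after a styled draw */

    ok += clone_crashes(clone_pre_fix, im) == 1; /* CVE-2018-14553 path faults */
    ok += clone_crashes(clone_fixed,   im) == 0; /* fixed path returns */

    struct model_image *c = clone_fixed(im);
    ok += c->styleLength == 4 && c->stylePos == 3;
    ok += memcmp(c->style, im->style, sizeof pattern) == 0;
    destroy_image(c);

    struct model_image *empty = create_image();  /* no style: neither shape faults */
    ok += clone_crashes(clone_pre_fix, empty) == 0;
    destroy_image(empty);
    destroy_image(im);
    return ok;
}

int main(void)
{
    printf("%d/5 expectations met\n", check_clone_behaviour());
    return 0;
}
```

Build with `cc -O0 -o clone_demo clone_demo.c`; the trap catches SIGSEGV, SIGBUS and SIGILL so it still reports the crash if an optimizing compiler turns a provably-NULL store into a trap instruction. Against a real libgd the reproducer is the same three calls, gdImageCreate, gdImageSetStyle with a non-empty array, gdImageClone, linked with -lgd: an affected 2.2.5 crashes on the clone, a fixed build returns a clone whose style, styleLength and stylePos match the source.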

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 18

Patches

1 patch: a93eac0e8431

Fix potential NULL pointer dereference in gdImageClone()

https://github.com/libgd/libgd · Fábio Cabral Pacheco · Dec 20, 2019 · via osv
5 files changed · +35 −9
  • src/gd.c · +1 −8 · modified
    @@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
     		}
     	}
     
    -	if (src->styleLength > 0) {
    -		dst->styleLength = src->styleLength;
    -		dst->stylePos    = src->stylePos;
    -		for (i = 0; i < src->styleLength; i++) {
    -			dst->style[i] = src->style[i];
    -		}
    -	}
    -
     	dst->interlace   = src->interlace;
     
     	dst->alphaBlendingFlag = src->alphaBlendingFlag;
    @@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
     
     	if (src->style) {
     		gdImageSetStyle(dst, src->style, src->styleLength);
    +		dst->stylePos = src->stylePos;
     	}
     
     	for (i = 0; i < gdMaxColors; i++) {
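Review bot: the new `dst->stylePos = src->stylePos;` runs even when gdImageSetStyle() did not allocate dst->style; it is called as a statement with no result checked, so an allocation failure is invisible here and leaves a clone with stylePos set but styleLength 0 and style NULL. Guard it, e.g. `if (dst->style) dst->stylePos = src->stylePos;`, or compare dst->styleLength against src->styleLength before copying the position.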
    
  • tests/gdimageclone/CMakeLists.txt · +1 −0 · modified
    @@ -1,5 +1,6 @@
     LIST(APPEND TESTS_FILES
     	bug00300
    +	style
     )
     
     ADD_GD_TESTS()
    
  • tests/gdimageclone/.gitignore · +1 −0 · modified
    @@ -1 +1,2 @@
     /bug00300
    +/style
    
  • tests/gdimageclone/Makemodule.am · +2 −1 · modified
    @@ -1,5 +1,6 @@
     libgd_test_programs += \
    -	gdimageclone/bug00300
    +	gdimageclone/bug00300 \
    +	gdimageclone/style
     
     EXTRA_DIST += \
     	gdimageclone/CMakeLists.txt
    
  • tests/gdimageclone/style.c · +30 −0 · added
    @@ -0,0 +1,30 @@
    +/**
    + * Cloning an image should exactly reproduce all style related data
    + */
    +
    +
    +#include <string.h>
    +#include "gd.h"
    +#include "gdtest.h"
    +
    +
    +int main()
    +{
    +    gdImagePtr im, clone;
    +    int style[] = {0, 0, 0};
    +
    +    im = gdImageCreate(8, 8);
    +    gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0]));
    +
    +    clone = gdImageClone(im);
    +    gdTestAssert(clone != NULL);
    +
    +    gdTestAssert(clone->styleLength == im->styleLength);
    +    gdTestAssert(clone->stylePos == im->stylePos);
    +    gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0])));
    +
    +    gdImageDestroy(clone);
    +    gdImageDestroy(im);
    +
    +    return gdNumFailures();
    +}
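Review bot: the memcmp length in the last gdTestAssert is wrong: `sizeof(style)/sizeof(style[0])` is the element count (3), so only the first 3 bytes of the two style buffers are compared rather than three ints; use `sizeof(style)` or `im->styleLength * sizeof(int)`. Two further weaknesses make the test unable to catch a regression of the lines this commit changes: the pattern is all zeros, so the comparison cannot tell a correct copy from an untouched zeroed buffer (use distinct values such as {1, 0, 2}), and stylePos is 0 in both images, so the `dst->stylePos = src->stylePos` assignment the fix adds is never exercised; set im->stylePos to a non-zero value (or advance it with a styled draw) before cloning, and assert clone->style != NULL before the memcmp so a failed allocation fails cleanly instead of faulting.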
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0 (no linked articles in the index yet)