CVE-2021-40812
Description
Missing return value checks on gdPutBuf in LibGD up to 2.3.2 can cause out-of-bounds read when writing crafted BMP or other image files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The GD Graphics Library (LibGD) through version 2.3.2 contains an out-of-bounds read flaw due to missing return value checks on gdPutBuf and gdGetBuf calls [2]. In gd_bmp.c, the function _gdImageBmpCtx calls gdPutBuf at lines 269 and 328 without verifying that the number of bytes written matches the expected size [1][2]. Similar unchecked calls exist in gd_webp.c and gd_gif_out.c [2]. Because the result is never validated, an attacker can supply crafted image data that causes a short write, and subsequent operations that rely on the assumed buffer length then read out of bounds.
Exploitation
An attacker must supply a specially crafted BMP file (or other affected format) to an application using the vulnerable LibGD version [2]. The attacker does not need authentication if the application accepts user-uploaded images. When the library writes the processed image data via gdPutBuf, the unchecked return value allows the code to continue with a partially written buffer. This results in reading memory beyond the intended buffer boundaries [1][2].
Impact
Successful exploitation results in an out-of-bounds read, potentially disclosing sensitive information from adjacent memory. The vulnerability does not directly allow arbitrary code execution, but memory disclosure can aid further attacks. No privilege escalation is achieved; the impact is limited to information disclosure within the context of the process using the library [2].
Mitigation
The fix was committed in commit 6f5136821be86e7068fcdf651ae9420b5d42e9a9 [1], which adds return value checks for gdPutBuf in _gdImageBmpCtx and ensures proper error handling [1]. This commit was merged into the master branch and should be included in releases after 2.3.2. Users should update to a patched version of LibGD. No workarounds are documented; any application using LibGD to process untrusted image data should apply the patch.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- LibGD/LibGD
  - Range: <=2.3.2
- osv-coords (11 versions):
  - pkg:rpm/opensuse/gd&distro=openSUSE%20Leap%2015.3 (no CPE) range: < 2.2.5-11.3.1
  - pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2 (no CPE) range: < 2.2.5-11.3.1
  - pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 (no CPE) range: < 2.2.5-11.3.1
  - pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2 (no CPE) range: < 2.2.5-11.3.1
  - pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3 (no CPE) range: < 2.2.5-11.3.1
  - pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP2 (no CPE) range: < 2.2.5-11.3.1
  - pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3 (no CPE) range: < 2.2.5-11.3.1
  - pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE) range: < 2.1.0-24.20.1
  - pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE) range: < 2.1.0-24.20.1
  - pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE) range: < 2.1.0-24.20.1
  - pkg:rpm/suse/gd&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP5 (no CPE) range: < 2.1.0-24.20.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The GD Graphics Library (LibGD) fails to check the return values of `gdGetBuf` and `gdPutBuf`, leading to out-of-bounds reads."
Attack vector
An attacker can trigger this vulnerability by providing a specially crafted BMP image file to an application that uses the LibGD library for image processing. The vulnerability is triggered during the decompression or writing of image data, specifically when the return value of `gdPutBuf` is not checked against the expected size. This can lead to an out-of-bounds read when processing malformed BMP data.
Affected code
The vulnerability resides in the `_gdImageBmpCtx` function within the BMP handling code of the GD Graphics Library. Specifically, lines around 269 and 332 in the original code, which are modified in the patch, are affected. The patch modifies the calls to `gdPutBuf` to include return value checks.
What the fix does
The patch introduces checks for the return values of `gdPutBuf` within the `_gdImageBmpCtx` function. If `gdPutBuf` does not write the expected number of bytes, an error is logged using `gd_error`, and an error flag is set, preventing further processing and potential crashes. This ensures that the library handles incomplete writes gracefully, mitigating the out-of-bounds read.
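The unchecked and checked write patterns described in the Vulnerability and fix sections above, as an added example that is not libgd's code: sink_t, sink_put, write_rows_unchecked, write_rows_checked and run_writer are constructed stand-ins for gdIOCtx, gdPutBuf and _gdImageBmpCtx, and the 8-byte sink with a 12-byte pixel sample is made up so that the third row forces a short write.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for libgd's gdIOCtx (constructed here): a fixed-capacity sink that
 * takes at most cap - used bytes, so a write can come up short. */
typedef struct {
    unsigned char buf[16];
    int cap, used;
    int error; /* plays the role of the error flag the fix sets */
} sink_t;

/* Stand-in for gdPutBuf: returns the number of bytes actually written. */
static int sink_put(sink_t *s, const unsigned char *src, int len) {
    int n = len < s->cap - s->used ? len : s->cap - s->used;
    memcpy(s->buf + s->used, src, (size_t)n);
    s->used += n;
    return n;
}

/* Pre-fix shape: the gdPutBuf result is discarded, so the caller reports
 * success even when only part of the image data was written. */
static int write_rows_unchecked(sink_t *s, const unsigned char *px, int rb, int rows) {
    for (int r = 0; r < rows; r++)
        sink_put(s, px + r * rb, rb);
    return 1; /* "success" regardless of how many bytes landed */
}

/* Post-fix shape: compare each gdPutBuf result with the requested length;
 * on a short write log it (gd_error's role here), set the flag and stop. */
static int write_rows_checked(sink_t *s, const unsigned char *px, int rb, int rows) {
    for (int r = 0; r < rows; r++) {
        if (sink_put(s, px + r * rb, rb) != rb) {
            fprintf(stderr, "gd-bmp: short write on row %d\n", r);
            s->error = 1;
            return 0;
        }
    }
    return 1;
}

/* Constructed sample: three 4-byte rows into an 8-byte sink, so the third row
 * cannot land. last_used / last_error expose what happened inside the sink. */
int last_used, last_error;
int run_writer(int checked) {
    static const unsigned char px[] = "ABCDEFGHIJKL";
    sink_t s = { {0}, 8, 0, 0 };
    int ok = checked ? write_rows_checked(&s, px, 4, 3)
                     : write_rows_unchecked(&s, px, 4, 3);
    last_used = s.used; last_error = s.error;
    return ok;
}
```

run_writer(0) returns 1 with only 8 of 12 bytes in the sink, which is the silent short write the CVE describes; run_writer(1) returns 0 and sets the error flag at the same point.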
Preconditions
- input: The application must process a BMP image file.
Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.