From 4588f4972b210b7f7db97bd521c1ffe5af818475 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Skalick=C3=BD?=
Date: Tue, 6 Dec 2016 12:03:49 +0100
Subject: [PATCH] Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)
- Fix stack based buffer overflow when passing negative `rlen` as size to memcpy() (CVE-2016-8670)
- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)
---
 gd-2.2.3-dynamicGetbuf-negative-rlen.patch | 26 +++++++++++++++++
 gd-2.2.3-overflow-in-gdImageWebpCtx.patch | 27 ++++++++++++++++++
 ...lid-read-in-gdImageCreateFromTiffPtr.patch | Bin 0 -> 10937 bytes
 gd.spec | 20 ++++++++++++-
 4 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 gd-2.2.3-dynamicGetbuf-negative-rlen.patch
 create mode 100644 gd-2.2.3-overflow-in-gdImageWebpCtx.patch
 create mode 100644 gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
diff --git a/gd-2.2.3-dynamicGetbuf-negative-rlen.patch b/gd-2.2.3-dynamicGetbuf-negative-rlen.patch
new file mode 100644
index 0000000..24ebd9b
--- /dev/null
+++ b/gd-2.2.3-dynamicGetbuf-negative-rlen.patch
@@ -0,0 +1,26 @@
+From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Wed, 12 Oct 2016 11:15:32 +0200
+Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
+
+We make sure to never pass a negative `rlen` as size to memcpy(). See
+also .
+
+Patch provided by Emmanuel Law.
+---
+ src/gd_io_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
+index 135eda3..228bfa5 100644
+--- a/src/gd_io_dp.c
++++ b/src/gd_io_dp.c
+@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
+ if(remain >= len) {
+ rlen = len;
+ } else {
+- if(remain == 0) {
++ if(remain <= 0) {
+ /* 2.0.34: EOF is incorrect. We use 0 for
+ * errors and EOF, just like fileGetbuf,
+ * which is a simple fread() wrapper.
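Review bot: The added check only covers a non-positive `remain`; a negative `len` argument still satisfies `remain >= len` in the preceding branch and is assigned to `rlen` unchanged, so by the nested patch's own description ("never pass a negative `rlen` as size to memcpy()") a negative size can still reach the copy through that path. Whether every caller guarantees `len >= 0` cannot be seen here, since dynamicGetbuf's body starts and ends outside the hunk; if they do not, an early guard such as `if(len <= 0) { return 0; }` placed before the `remain >= len` comparison closes that path with the same 0-for-error convention the comment describes. Separately, the provenance lines `From: "Christoph M. Becker"` and `See also .` carry no address or URL in the file as shown; if that is not a rendering artefact, the patch header should keep the upstream reference so the backport can be traced.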
diff --git a/gd-2.2.3-overflow-in-gdImageWebpCtx.patch b/gd-2.2.3-overflow-in-gdImageWebpCtx.patch
new file mode 100644
index 0000000..84fa82e
--- /dev/null
+++ b/gd-2.2.3-overflow-in-gdImageWebpCtx.patch
@@ -0,0 +1,27 @@
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index fae3861..a7ed222 100644
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -179,6 +179,22 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantiza
+ /* Conversion to Y,U,V buffer */
+ yuv_width = (width + 1) >> 1;
+ yuv_height = (height + 1) >> 1;
++
++ if (overflow2(width, height)) {
++ return;
++ }
++
++ if (overflow2(2, yuv_width)) {
++ return;
++ }
++
++ if (overflow2(2 * yuv_width, yuv_height)) {
++ return;
++ }
++
++ if (overflow2(width * height + 2 * yuv_width * yuv_height, 1)) {
++ return;
++ }
+ yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
+
+ if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
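Review bot: The fourth guard, `overflow2(width * height + 2 * yuv_width * yuv_height, 1)`, does not check the addition it is meant to protect: if overflow2() is a multiplication-overflow test, as its other three uses in this hunk indicate, multiplying by 1 can never report overflow, and the sum in the argument is already evaluated (signed wrap-around being undefined behaviour) before the check runs. The three product checks stand on their own, so the uncovered case is the sum overflowing int; replacing the fourth check with `if (width * height > INT_MAX - 2 * yuv_width * yuv_height) { return; }` (INT_MAX from <limits.h>, if gd_webp.c does not already include it) rejects that case before `yuv_nbytes` is computed. gdImageWebpCtx's body continues outside the hunk, so whether width and height are validated as positive earlier cannot be seen here.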
diff --git a/gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch b/gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch new file mode 100644 index 0000000000000000000000000000000000000000..78a80b447e3bcfd49d5712391ee870b6803198dd GIT binary patch literal 10937 zcmeHN-E-T<5r^|NA)53n>BlsE*s3!LD3TxuN}?#ms$^MmG*xVkB{!XEIxGkrNW>t( z0YFPi?3p~}sn4BB`_}$D?Q8qo{~&LDYx>*6fubnM5^ar}htL*rxZB;^+x^|{-VL{t zc(6iqoBbq6vv}C24^6ry+=n8WqxaoGS2ma0>%GB|>4`P{wv&k!Iv9y6*|ah0k!>}W zs9~=(td(YyDwb_o`u?cd7b_PyQY~no=+nD|!@cq3k zG0M80q1jOk9cD1Ohk}&cI7vpstV&Mgk?V|7k)k;*T)$X&mAa#hqBy%y2cvA#L0^zN z3WrIM>6q0!j+{Z@-Vs@M`VJVfn7RVZ$b+~luP;}VCngI6sUk^4HcBE)X}G=#lMV)0W@}N{ZKqu}bsg>s zqTckXNgVZqZjeDr-^uU=6Xo8ZgPrYdI*do5M`;#>A-U44I@1K~Wh_ESZ%MX%egYmw zf?{8?--og8-?_CRL1C2HF6<;}TH%@cM=(e%XU=^e3Jl6w3hdnPbsaGJP7qRXzEB=Z zvA_fNN06qNz7I5Zg^1v-VVqd2DBB{_MKz&!L+GxM}WiedKh$jo*5@S zQ?J!(I;DwQ?|Gdd?s!AfrE@=zi5iPkk)KH>hV?}}1SY$sn7|1>{^*p6G)wEuTHpN8 zc_?Y4UTdI5Uef)a-n@m1gJ5ZKUfShtXQC7i8qrr-0j?>d=G86Gvp*%U$1D zG)>_-wh&!q62|@+89E?DXXLD}Q_Ws#R+p&4j~1aL%@E{VdK4ogsF1if%HXBMNV8<* zW}F}HZDvO_?`B6F%%CxRQ*wqw5qY=sfNXdetgU&&D!to)y6ZDk4b`$mi?W*tw28_35asR70{NshnKJ zJc4qrXDA|Q`WcjE)&#FrOf+zUXjPZCXxUX8`^|1OtM=lAHJ)*%5?g_8lHm=d$)H!6 z6@xKK-Vg(YmC&JAN{Ef1l(~i8$J!r1E>aDxffgeOtKoj|sVHL+l~PHCYikuRPjti- z^zdp}GN{A27q~eC)e2EOci;MOgZ?j=Dlh@22rL{FuR6}s(2fe2|cKI|d+ znG7E08QYDpguC|+r1}_xNl(Uj-3(bglwk^}z&2<6RgrL_wR7E++jY``ll~}tHxL7N zcx*_t8aZ;yWEi~lXuizco|8FLDLjb?$%^sT0-AEzRBp;Xbe$VfR8|`Yg8W^@lkS4w z5KB$dZ2Gq4E}kDx6vwG>qWX9TwHDhPP53bxO?dyDQxnMQWS+oZEvio5y1{_s3G?(t z(CcTwWH6|$rN_L|5&D}p@uo(lHPMrx%HWN_eCfz_MVhi1h+&$dghN>vBgVRM7>^Pf zhy-xyaeT>~q=%ZNhvJtjq8yb#9}stl|0pd`3ym^J0@mC($^>Sp$uS2lR3O7dAaQY_ zhmhuk!@fh(Rig+sm+Zt=KuGGxG0I{YYFe#EwXqCKamcZzLd~qEDnNVZc4vEIXZOMV zEw&4Tv{qsppDy8~xeo&`>sOV5xsqjTR2}Xjdv~^D_a5 zHV_xh%8tYQ&dHVlSHxlDDkb0Wq<0>Ykmkc`A8 zziqJh3^p1#?&loULc*P?_glrgqs%5_VhS(~gCoQpg*6}~KWF67Q$a|bg!V{0QtFJ31nJZ*yx!l`w{+Zn^vrqoTJ6T58wuP`-X|+$+YR?c| z^RO7jhe(x-SA|rLipaCr6nPZuBENXN`w|4eAVRs$q0{4i 
zF%g~iA8c-J?e8<1RSrIh)H2uB=TGOYi%(SD`h{aEpIJ?RscE^Ux!myWrqw)MA79L! z=eCQ-*%J-Uat)c|blTaL0i&~h@4?;MNL{--`v=Cx-rm;T+jOwCf3V-#-r3#Shv7I= zc7lN&3}Au$CBJ-;cPRxyGz!C_?F|E+$`=~tj0~JvPg&+10zDFkvf!FLNEJ4-s<8fm5;=G2@)hu$c!g>QNj6uUrt?C zJ=^`$JZS(%0V1kkj#6D;|d=JJeKzjDH(w&%%Zy3 z#FSHaTG#;cIHFhXKG@wYn|g%{LA~-z)Ux3S2hBO$DfH(~cknV~CsR(InB=WUhu5I$ zwl1!Ca786J1}nl81$+m`53Ih!f+opTS%a`ItG-EYo{D!m7x=h}t9+(c_*!9N#MM_^BSOnMeD6P&KLTNswW$yQjU@*2$PR2N6aH;7y%Fw(&RIh3RaWw4Yi@@Pp zw#J4k_~rU}CEF0V=VX1`kXV{SVK{+bHkQxFRv-Hr*Yh@{L4P-@W6mpn^6+Wd; zK|P@q(-el`x!E7a*#2y|*f-`?2aa5Y{3=Xw?i?q=ZjOmh^!42kX8^T0o?Bw1Fy#rI z+D(NpEau78lR$CZ_w-Cq+;v?g9S93oO|97bZnA}2IuO4!+%*FN};rhWbG=adEh z`!)YN`?;w9Eam^F=c@W$mF`8Y;#u{1R=(?6*LBT*U2?8#UEfqWFUn5WJ>(aoyItn`=7e_i93>2=xob?NcEa;Ej1et%y1FN(j=yLi5+d9Q1pX}zc4 zuWO!f|oYQKcGUYQtp^Ttcs zhv@th7=Cc$6)E)fCtv*K#}hO^Qf(Go^v|RH6Ggv{lKy8mUX{FSkn@geZ=?P52|30@ zyNos~1NF5v&~y6>(EkeU*UZcZ$9NW}S z4X$!*Yd06%rdXW)*rw(<_t^Gb*#2{k_Lg5i0Uraa03Z8|!6*CBF2MIH+6DMtM*Cdw z{Q+EK@PX)uQqW(eumXH6xB#C)^=6Ra-)>|07DgZzJ%9t5|%a+$%Y%jK&4cBQ4z|d{m0?>0B{*vR{EvM@= zT8)<33;Y~_Ghk2sSmzS#sh_J{1$(w7yyaG7cI>G+zA4y~NYXCFo~Hc=fp1j;^#x+D R*?b1 - 2.1.1-11 +- Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911) +- Fix stack based buffer overflow when passing negative `rlen` as size to + memcpy() (CVE-2016-8670) +- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568) + * Mon Sep 19 2016 Marek Skalický - 2.1.1-10 - Fix CVE-2016-6207