Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)

- Fix stack based buffer overflow when passing negative `rlen` as size to
  memcpy() (CVE-2016-8670)
- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)
This commit is contained in:
Marek Skalický 2016-12-06 12:03:49 +01:00
parent faebf7f082
commit 4588f4972b
4 changed files with 72 additions and 1 deletions

View File

@ -0,0 +1,26 @@
From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 12 Oct 2016 11:15:32 +0200
Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
We make sure to never pass a negative `rlen` as size to memcpy(). See
also <https://bugs.php.net/bug.php?id=73280>.
Patch provided by Emmanuel Law.
---
src/gd_io_dp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
index 135eda3..228bfa5 100644
--- a/src/gd_io_dp.c
+++ b/src/gd_io_dp.c
@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
if(remain >= len) {
rlen = len;
} else {
- if(remain == 0) {
+ if(remain <= 0) {
/* 2.0.34: EOF is incorrect. We use 0 for
* errors and EOF, just like fileGetbuf,
* which is a simple fread() wrapper.

View File

@ -0,0 +1,27 @@
diff --git a/src/gd_webp.c b/src/gd_webp.c
index fae3861..a7ed222 100644
--- a/src/gd_webp.c
+++ b/src/gd_webp.c
@@ -179,6 +179,22 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantiza
/* Conversion to Y,U,V buffer */
yuv_width = (width + 1) >> 1;
yuv_height = (height + 1) >> 1;
+
+ if (overflow2(width, height)) {
+ return;
+ }
+
+ if (overflow2(2, yuv_width)) {
+ return;
+ }
+
+ if (overflow2(2 * yuv_width, yuv_height)) {
+ return;
+ }
+
+ if (overflow2(width * height + 2 * yuv_width * yuv_height, 1)) {
+ return;
+ }
yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {

20
gd.spec
View File

@ -5,7 +5,7 @@
Summary: A graphics library for quick creation of PNG or JPEG images Summary: A graphics library for quick creation of PNG or JPEG images
Name: gd Name: gd
Version: 2.1.1 Version: 2.1.1
Release: 10%{?prever}%{?short}%{?dist} Release: 11%{?prever}%{?short}%{?dist}
Group: System Environment/Libraries Group: System Environment/Libraries
License: MIT License: MIT
URL: http://libgd.bitbucket.org/ URL: http://libgd.bitbucket.org/
@ -41,6 +41,14 @@ Patch8: gd-2.2.3-CVE-2016-6161.patch
# CVE-2016-6207 # CVE-2016-6207
# cherry-picked 0dd40 d3258 ff911 f60ec 7a28c commits from libgd master # cherry-picked 0dd40 d3258 ff911 f60ec 7a28c commits from libgd master
Patch9: gd-2.2.3-CVE-2016-6207.patch Patch9: gd-2.2.3-CVE-2016-6207.patch
# CVE-2016-7568
Patch10: gd-2.2.3-overflow-in-gdImageWebpCtx.patch
# CVE-2016-8670
Patch11: gd-2.2.3-dynamicGetbuf-negative-rlen.patch
# CVE-2016-6911
# TODO - created by one of upstream maintainers, but not in upstream yet
# https://github.com/libgd/libgd/pull/353
Patch12: gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
BuildRequires: freetype-devel BuildRequires: freetype-devel
@ -107,6 +115,10 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
%patch7 -p1 -b .cve-2016-5766 %patch7 -p1 -b .cve-2016-5766
%patch8 -p1 -b .cve-2016-6161 %patch8 -p1 -b .cve-2016-6161
%patch9 -p1 -b .cve-2016-6207 %patch9 -p1 -b .cve-2016-6207
%patch10 -p1 -b .gdImageWebpCtx
%patch11 -p1 -b .dynamicGetbuf
# Patch5 adds some non-text files (.tiff)
patch -p1 --binary < %{PATCH12}
# Workaround for missing file # Workaround for missing file
cp %{SOURCE2} config/getver.pl cp %{SOURCE2} config/getver.pl
@ -179,6 +191,12 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
%changelog %changelog
* Tue Dec 06 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-11
- Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)
- Fix stack based buffer overflow when passing negative `rlen` as size to
memcpy() (CVE-2016-8670)
- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)
* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-10 * Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-10
- Fix CVE-2016-6207 - Fix CVE-2016-6207