diff --git a/bug00209.gd2 b/bug00209.gd2 new file mode 100644 index 0000000..1c797d1 Binary files /dev/null and b/bug00209.gd2 differ diff --git a/gd-2.2.3-CVE-2016-6161.patch b/gd-2.2.3-CVE-2016-6161.patch new file mode 100644 index 0000000..4ecabec --- /dev/null +++ b/gd-2.2.3-CVE-2016-6161.patch @@ -0,0 +1,119 @@ +From 82b80dcb70a7ca8986125ff412bceddafc896842 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger +Date: Sat, 14 May 2016 02:13:15 -0400 +Subject: [PATCH] gif: avoid out-of-bound reads of masks array #209 + +When given invalid inputs, we might be fed the EOF marker before it is +actually the EOF. The gif logic assumes once it sees the EOF marker, +there won't be any more data, so it leaves the cur_bits index possibly +negative. So when we get more data, we underflow the masks array. + +Flag it so we don't try to output anything more. The image is invalid, +so we shouldn't be truncating any valid inputs. + +This fixes #209. +--- + src/gd_gif_out.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +From 315dbfb0e75895e3ba84f649c491956e75f1106c Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 19 Jul 2016 10:43:55 +0200 +Subject: [PATCH] Add test case for issue #209 + +--- + tests/gif/.gitignore | 1 + + tests/gif/CMakeLists.txt | 1 + + tests/gif/Makemodule.am | 4 +++- + tests/gif/bug00209.c | 29 +++++++++++++++++++++++++++++ + tests/gif/bug00209.gd2 | Bin 0 -> 1050 bytes + 5 files changed, 34 insertions(+), 1 deletion(-) + create mode 100644 tests/gif/bug00209.c + create mode 100644 tests/gif/bug00209.gd2 + +diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c +index 51ceb75..3099d49 100644 +--- a/src/gd_gif_out.c ++++ b/src/gd_gif_out.c +@@ -1442,15 +1442,23 @@ static void compress(int init_bits, gdIOCtxPtr outfile, gdImagePtr im, GifCtx *c + * code in turn. When the buffer fills up empty it and start over. + */ + +-static unsigned long masks[] = { ++static const unsigned long masks[] = { + 0x0000, 0x0001, 0x0003, 0x0007, 0x000F, + 0x001F, 0x003F, 0x007F, 0x00FF, + 0x01FF, 0x03FF, 0x07FF, 0x0FFF, + 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF + }; + ++/* Arbitrary value to mark output is done. When we see EOFCode, then we don't ++ * expect to see any more data. If we do (e.g. corrupt image inputs), cur_bits ++ * might be negative, so flag it to return early. ++ */ ++#define CUR_BITS_FINISHED -1000 ++ + static void output(code_int code, GifCtx *ctx) + { ++ if (ctx->cur_bits == CUR_BITS_FINISHED) ++ return; + ctx->cur_accum &= masks[ctx->cur_bits]; + + if(ctx->cur_bits > 0) { +@@ -1492,6 +1500,8 @@ static void output(code_int code, GifCtx *ctx) + ctx->cur_accum >>= 8; + ctx->cur_bits -= 8; + } ++ /* Flag that it's done to prevent re-entry. */ ++ ctx->cur_bits = CUR_BITS_FINISHED; + + flush_char(ctx); + } + +diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt +index 92010c3..d26b1fe 100644 +--- a/tests/gif/CMakeLists.txt ++++ b/tests/gif/CMakeLists.txt +@@ -7,6 +7,7 @@ LIST(APPEND TESTS_FILES + bug00060 + bug00066 + bug00181 ++ bug00209 + bug00227 + ) + +diff --git a/tests/gif/bug00209.c b/tests/gif/bug00209.c +new file mode 100644 +index 0000000..6eafc32 +--- /dev/null ++++ b/tests/gif/bug00209.c +@@ -0,0 +1,29 @@ ++/* Test case for . */ ++ ++#include "gd.h" ++#include "gdtest.h" ++ ++int main() ++{ ++ gdImagePtr im; ++ FILE *fp; ++ ++ /* printf("start\n"); */ ++ ++ fp = gdTestFileOpen("gif/bug00209.gd2"); ++ gdTestAssert(fp != NULL); ++ im = gdImageCreateFromGd2(fp); ++ gdTestAssert(im != NULL); ++ fclose(fp); ++ /* printf("loaded\n"); */ ++ ++ fp = gdTestTempFp(); ++ gdTestAssert(fp != NULL); ++ gdImageGif(im, fp); ++ fclose(fp); ++ /* printf("saved\n"); */ ++ ++ gdImageDestroy(im); ++ ++ return gdNumFailures(); ++} diff --git a/gd.spec b/gd.spec index 4351e33..21f0a74 100644 --- a/gd.spec +++ b/gd.spec @@ -5,7 +5,7 @@ Summary: A graphics library for quick creation of PNG or JPEG images Name: gd Version: 2.1.1 -Release: 8%{?prever}%{?short}%{?dist} +Release: 9%{?prever}%{?short}%{?dist} Group: System Environment/Libraries License: MIT URL: http://libgd.bitbucket.org/ @@ -20,6 +20,8 @@ Source0: https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}%{ Source2: getver.pl # Test data for CVE-2016-3074 test Source3: invalid_neg_size.gd2 +# Test data for CVE-2016-6161 test +Source4: bug00209.gd2 Patch1: gd-2.1.0-multilib.patch Patch2: gd-2.1.1-libvpx.patch @@ -33,6 +35,9 @@ Patch5: gd-2.1.1-xbm-large-names-overflow.patch Patch6: gd-2.1.1-CVE-2015-8874.patch # CVE-2016-5766 Patch7: gd-2.1.1-CVE-2016-5766.patch +# CVE-2016-6161 +Patch8: gd-2.2.3-CVE-2016-6161.patch + BuildRequires: freetype-devel BuildRequires: fontconfig-devel @@ -96,10 +101,12 @@ files for gd, a graphics library for creating PNG and JPEG graphics. %patch5 -p1 -b .xbm-overflow %patch6 -p1 -b .cve-2015-8874 %patch7 -p1 -b .cve-2016-5766 +%patch8 -p1 -b .cve-2016-6161 # Workaround for missing file cp %{SOURCE2} config/getver.pl + : $(perl config/getver.pl) : regenerate autotool stuff @@ -135,6 +142,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a %check cp %SOURCE3 tests/gd2/ +cp %SOURCE4 tests/gif/ : Upstream test suite make check @@ -166,13 +174,17 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc %changelog +* Mon Sep 19 2016 Marek Skalický - 2.1.1-9 +- Fix out of bounds read when encoding gif from malformed input with gd2togif + (CVE-2016-6161) + * Tue Jun 28 2016 Remi Collet - 2.1.1-8 - fix integer Overflow in _gd2GetHeader() (CVE-2016-5766) * Fri Jun 24 2016 Remi Collet - 2.1.1-7 - fix for stack overflow with gdImageFillToBorder (CVE-2015-8874) -* Thu May 31 2016 Marek Skalicky - 2.1.1-6 +* Tue May 31 2016 Marek Skalicky - 2.1.1-6 - Backported fixes of two memory leaks (CVE-2015-8877, CVE-2016-5116) * Thu Apr 28 2016 Marek Skalicky - 2.1.1-5