From 96326ff6bdce0c86aaa97f9f4321deafc2928a9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Skalick=C3=BD?=
Date: Thu, 28 Apr 2016 12:46:48 +0200
Subject: [PATCH] Fixed heap overflow (CVE-2016-3074)

---
 gd-heap-overflow.patch | 59 +++++++++++++++++++++++++++++++++++++++++
 gd.spec | 11 +++++++-
 invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
 3 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 gd-heap-overflow.patch
 create mode 100644 invalid_neg_size.gd2

diff --git a/gd-heap-overflow.patch b/gd-heap-overflow.patch
new file mode 100644
index 0000000..92a37c5
--- /dev/null
+++ b/gd-heap-overflow.patch
@@ -0,0 +1,59 @@
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 6f28461..a50b33d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ if (gdGetInt (&cidx[i].size, in) != 1) {
+ goto fail2;
+ };
++ if (cidx[i].offset < 0 || cidx[i].size < 0)
++ goto fail2;
+ };
+ *chunkIdx = cidx;
+ };
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index ed2c35b..b582266 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -129,7 +129,8 @@ endif
+
+ if HAVE_LIBZ
+ check_PROGRAMS += \
+- gd2/gd2_null
++ gd2/gd2_null \
++ gd2/gd2_read_corrupt
+ endif
+
+ if HAVE_LIBPNG
+diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
+new file mode 100644
+index 0000000..11f6a67
+--- /dev/null
++++ b/tests/gd2/gd2_read_corrupt.c
+@@ -0,0 +1,25 @@
++/* Just try to read the invalid gd2 image & not crash. */
++#include "gd.h"
++#include
++#include
++#include "gdtest.h"
++
++int main()
++{
++ gdImagePtr im;
++ FILE *fp;
++ char path[1024];
++
++ /* Read the corrupt image. */
++ sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
++ fp = fopen(path, "rb");
++ if (!fp) {
++ printf("failed, cannot open file\n");
++ return 1;
++ }
++ im = gdImageCreateFromGd2(fp);
++ fclose(fp);
++
++ /* Should have failed & rejected it. */
++ return im == NULL ? 0 : 1;
++}
+
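Review bot: The guard added to _gd2GetHeader rejects negative `offset`/`size` values but lets any non-negative value through, including ones larger than the input, so whether the chunk reader later bounds them against the actual data length is worth confirming rather than relying on this check alone; that code is outside the hunk, and _gd2GetHeader itself begins and ends outside it. In the new tests/gd2/gd2_read_corrupt.c, `sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);` writes into a fixed 1024-byte array with no bound, so `snprintf(path, sizeof path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);` would keep a long build-tree path from overrunning it, and `int main()` is better written `int main(void)`. The two `#include` lines between "gd.h" and "gdtest.h" show no header name, presumably a rendering artifact of angle-bracket includes rather than a defect in the patch.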
diff --git a/gd.spec b/gd.spec
index 73999a5..8a38f54 100644
--- a/gd.spec
+++ b/gd.spec
@@ -5,7 +5,7 @@ Summary: A graphics library for quick creation of PNG or JPEG images
 Name: gd
 Version: 2.1.1
-Release: 6%{?prever}%{?short}%{?dist}
+Release: 7%{?prever}%{?short}%{?dist}
 Group: System Environment/Libraries
 License: MIT
 URL: http://libgd.bitbucket.org/
@@ -18,9 +18,12 @@ Source0: https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}%{
 %endif
 # Missing in official archive, need for autoreconf
 Source2: getver.pl
+# Test data for CVE-2016-3074 test
+Source3: invalid_neg_size.gd2
 Patch1: gd-2.1.0-multilib.patch
 Patch2: gd-2.1.1-libvpx.patch
+Patch3: gd-heap-overflow.patch
 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@@ -79,6 +82,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %setup -q -n libgd-%{version}%{?prever:-%{prever}}
 %patch1 -p1 -b .mlib
 %patch2 -p1 -b .vpx
+%patch3 -p1
 # Workaround for missing file
 cp %{SOURCE2} config/getver.pl
@@ -117,6 +121,8 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a
 %check
+cp %SOURCE3 tests/gd2/
+
 : Upstream test suite
 make check
@@ -147,6 +153,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 %changelog
+* Thu Apr 28 2016 Marek Skalicky - 2.1.1-7
+- Fixed heap overflow (CVE-2016-3074)
+
 * Wed Feb 03 2016 Fedora Release Engineering - 2.1.1-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
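Review bot: `cp %SOURCE3 tests/gd2/` in the %check hunk uses the bare macro form while the rest of the spec writes `%{SOURCE2}`, and `%patch3 -p1` drops the `-b` backup suffix that `%patch1 -p1 -b .mlib` and `%patch2 -p1 -b .vpx` carry directly above it. `cp %{SOURCE3} tests/gd2/` and `%patch3 -p1 -b .<suffix>` (suffix of your choosing, matching the naming of the other two) keep the patch and source lines uniform and make the backup file findable when debugging a failed build. The copy runs before `make check`, which is what the new gd2_read_corrupt test needs to find its input, so the ordering in that hunk looks right.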
diff --git a/invalid_neg_size.gd2 b/invalid_neg_size.gd2 new file mode 100644 index 0000000000000000000000000000000000000000..3075f15a81a5ac0312f1548ef7733726c58c1f24 GIT binary patch literal 1676 zcmYdKF=Aj~VqgS92QbaVz`&x(z`&3Xq-XpG0w8-7jE2By2#o9ys9)=nrYtl!eO@Y0j(uP24Oy8cV*JZTi%$LjUn zHzKcM%atz4N1|6Bc&yqQwj{71^7_XwahG!Za#qgRp0&AK_7P)ivKtpiqy+Qht#SF* zMaQJhn^t_9qk56qrqA%Mh{#vZ%zd@pEzz2O-%mf&R%I8q zf?T2nbvg-FtoADt&xdhev;R0l>jm4q7qbJdANGtCPvX9R`uql)<-sap|IGrVrT6W5 zXnv=f!*bd}GjY+2hGIKyAG$nqUSL?uGc}?vV9J_*x4-T7>?=Ea+<1Qdhx_^N-fMX) OZWwA+Ogk&gc>@5dGaWbp literal 0 HcmV?d00001