Fixed heap overflow (CVE-2016-3074)

This commit is contained in:
Marek Skalický 2016-04-28 12:46:48 +02:00
parent 7423ea762d
commit 96326ff6bd
3 changed files with 69 additions and 1 deletions

59
gd-heap-overflow.patch Normal file
View File

@ -0,0 +1,59 @@
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index 6f28461..a50b33d 100644
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
if (gdGetInt (&cidx[i].size, in) != 1) {
goto fail2;
};
+ if (cidx[i].offset < 0 || cidx[i].size < 0)
+ goto fail2;
};
*chunkIdx = cidx;
};
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ed2c35b..b582266 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -129,7 +129,8 @@ endif
if HAVE_LIBZ
check_PROGRAMS += \
- gd2/gd2_null
+ gd2/gd2_null \
+ gd2/gd2_read_corrupt
endif
if HAVE_LIBPNG
diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
new file mode 100644
index 0000000..11f6a67
--- /dev/null
+++ b/tests/gd2/gd2_read_corrupt.c
@@ -0,0 +1,25 @@
+/* Just try to read the invalid gd2 image & not crash. */
+#include "gd.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include "gdtest.h"
+
+int main()
+{
+ gdImagePtr im;
+ FILE *fp;
+ char path[1024];
+
+ /* Read the corrupt image. */
+ sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
+ fp = fopen(path, "rb");
+ if (!fp) {
+ printf("failed, cannot open file\n");
+ return 1;
+ }
+ im = gdImageCreateFromGd2(fp);
+ fclose(fp);
+
+ /* Should have failed & rejected it. */
+ return im == NULL ? 0 : 1;
+}

11
gd.spec
View File

@ -5,7 +5,7 @@
Summary: A graphics library for quick creation of PNG or JPEG images Summary: A graphics library for quick creation of PNG or JPEG images
Name: gd Name: gd
Version: 2.1.1 Version: 2.1.1
Release: 6%{?prever}%{?short}%{?dist} Release: 7%{?prever}%{?short}%{?dist}
Group: System Environment/Libraries Group: System Environment/Libraries
License: MIT License: MIT
URL: http://libgd.bitbucket.org/ URL: http://libgd.bitbucket.org/
@ -18,9 +18,12 @@ Source0: https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}%{
%endif %endif
# Missing in official archive, need for autoreconf # Missing in official archive, need for autoreconf
Source2: getver.pl Source2: getver.pl
# Test data for CVE-2016-3074 test
Source3: invalid_neg_size.gd2
Patch1: gd-2.1.0-multilib.patch Patch1: gd-2.1.0-multilib.patch
Patch2: gd-2.1.1-libvpx.patch Patch2: gd-2.1.1-libvpx.patch
Patch3: gd-heap-overflow.patch
BuildRequires: freetype-devel BuildRequires: freetype-devel
BuildRequires: fontconfig-devel BuildRequires: fontconfig-devel
@ -79,6 +82,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
%setup -q -n libgd-%{version}%{?prever:-%{prever}} %setup -q -n libgd-%{version}%{?prever:-%{prever}}
%patch1 -p1 -b .mlib %patch1 -p1 -b .mlib
%patch2 -p1 -b .vpx %patch2 -p1 -b .vpx
%patch3 -p1
# Workaround for missing file # Workaround for missing file
cp %{SOURCE2} config/getver.pl cp %{SOURCE2} config/getver.pl
@ -117,6 +121,8 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a
%check %check
cp %SOURCE3 tests/gd2/
: Upstream test suite : Upstream test suite
make check make check
@ -147,6 +153,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
%changelog %changelog
* Thu Apr 28 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-7
- Fixed heap overflow (CVE-2016-3074)
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-6 * Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

BIN
invalid_neg_size.gd2 Normal file

Binary file not shown.