Fix stack based buffer overflow when passing negative rlen as size to

memcpy() (CVE-2016-8670)
2016-12-05 10:56:26 +01:00 · 2016-12-05 10:56:26 +01:00 · ba647201d1
commit ba647201d1
parent 23377414c3
2 changed files with 33 additions and 1 deletions
--- a/gd-2.2.3-dynamicGetbuf-negative-rlen.patch
+++ b/gd-2.2.3-dynamicGetbuf-negative-rlen.patch
@ -0,0 +1,26 @@
+From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 12 Oct 2016 11:15:32 +0200
+Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
+
+We make sure to never pass a negative `rlen` as size to memcpy(). See
+also <https://bugs.php.net/bug.php?id=73280>.
+
+Patch provided by Emmanuel Law.
+---
+ src/gd_io_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
+index 135eda3..228bfa5 100644
+--- a/src/gd_io_dp.c
+++ b/src/gd_io_dp.c
+@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
+ 	if(remain >= len) {
+ 		rlen = len;
+ 	} else {
+-		if(remain == 0) {
+		if(remain <= 0) {
+ 			/* 2.0.34: EOF is incorrect. We use 0 for
+ 			 * errors and EOF, just like fileGetbuf,
+ 			 * which is a simple fread() wrapper.
--- a/gd.spec
+++ b/gd.spec
@ -5,7 +5,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.2.3
-Release:       3%{?prever}%{?short}%{?dist}
+Release:       4%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.github.io/
@ -20,6 +20,7 @@ Source0:       https://github.com/libgd/libgd/releases/download/gd-%{version}/li
 Patch1:        gd-2.1.0-multilib.patch
 Patch2:        gd-2.2.3-tests.patch
 Patch3:        gd-2.2.3-overflow-in-gdImageWebpCtx.patch
+Patch4:        gd-2.2.3-dynamicGetbuf-negative-rlen.patch

 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@ -80,6 +81,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %patch1 -p1 -b .mlib
 %patch2 -p1 -b .build
 %patch3 -p1 -b .gdImageWebpCtx
+%patch4 -p1 -b .dynamicGetbuf

 : $(perl config/getver.pl)

@ -154,6 +156,10 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc


 %changelog
+* Mon Dec 05 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-4
+- Fix stack based buffer overflow when passing negative `rlen` as size to
+  memcpy() (CVE-2016-8670)
+
 * Mon Dec 05 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-3
 - Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)