Fix stack based buffer overflow when passing negative rlen as size to

memcpy() (CVE-2016-8670)
This commit is contained in:
Marek Skalický 2016-12-05 10:56:26 +01:00
parent 23377414c3
commit ba647201d1
2 changed files with 33 additions and 1 deletions

View File

@ -0,0 +1,26 @@
From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 12 Oct 2016 11:15:32 +0200
Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
We make sure to never pass a negative `rlen` as size to memcpy(). See
also <https://bugs.php.net/bug.php?id=73280>.
Patch provided by Emmanuel Law.
---
src/gd_io_dp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
index 135eda3..228bfa5 100644
--- a/src/gd_io_dp.c
+++ b/src/gd_io_dp.c
@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
if(remain >= len) {
rlen = len;
} else {
- if(remain == 0) {
+ if(remain <= 0) {
/* 2.0.34: EOF is incorrect. We use 0 for
* errors and EOF, just like fileGetbuf,
* which is a simple fread() wrapper.

View File

@ -5,7 +5,7 @@
Summary: A graphics library for quick creation of PNG or JPEG images Summary: A graphics library for quick creation of PNG or JPEG images
Name: gd Name: gd
Version: 2.2.3 Version: 2.2.3
Release: 3%{?prever}%{?short}%{?dist} Release: 4%{?prever}%{?short}%{?dist}
Group: System Environment/Libraries Group: System Environment/Libraries
License: MIT License: MIT
URL: http://libgd.github.io/ URL: http://libgd.github.io/
@ -20,6 +20,7 @@ Source0: https://github.com/libgd/libgd/releases/download/gd-%{version}/li
Patch1: gd-2.1.0-multilib.patch Patch1: gd-2.1.0-multilib.patch
Patch2: gd-2.2.3-tests.patch Patch2: gd-2.2.3-tests.patch
Patch3: gd-2.2.3-overflow-in-gdImageWebpCtx.patch Patch3: gd-2.2.3-overflow-in-gdImageWebpCtx.patch
Patch4: gd-2.2.3-dynamicGetbuf-negative-rlen.patch
BuildRequires: freetype-devel BuildRequires: freetype-devel
BuildRequires: fontconfig-devel BuildRequires: fontconfig-devel
@ -80,6 +81,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
%patch1 -p1 -b .mlib %patch1 -p1 -b .mlib
%patch2 -p1 -b .build %patch2 -p1 -b .build
%patch3 -p1 -b .gdImageWebpCtx %patch3 -p1 -b .gdImageWebpCtx
%patch4 -p1 -b .dynamicGetbuf
: $(perl config/getver.pl) : $(perl config/getver.pl)
@ -154,6 +156,10 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
%changelog %changelog
* Mon Dec 05 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-4
- Fix stack based buffer overflow when passing negative `rlen` as size to
memcpy() (CVE-2016-8670)
* Mon Dec 05 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-3 * Mon Dec 05 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-3
- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568) - Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)