fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)

2016-06-28 12:37:50 +02:00 · 2016-06-28 12:37:50 +02:00 · da9eaac8b5
parent 1fb3530455
commit da9eaac8b5
2 changed files with 44 additions and 1 deletions
--- a/gd-2.1.1-CVE-2016-5766.patch
+++ b/gd-2.1.1-CVE-2016-5766.patch
@ -0,0 +1,37 @@
+Backported for 2.1, without binary patch, from:
+
+
+From 78d83ac76c16d269b538a7cef4120a5fb5177b6d Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 28 Jun 2016 16:23:42 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+ _gd2GetHeader() resulting in heap overflow
+
+---
+ src/gd_gd2.c                    |   5 ++++-
+ tests/gd2/CMakeLists.txt        |   1 +
+ tests/gd2/Makemodule.am         |   6 ++++--
+ tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
+ tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
+ 5 files changed, 30 insertions(+), 3 deletions(-)
+ create mode 100644 tests/gd2/php_bug_72339.c
+ create mode 100644 tests/gd2/php_bug_72339_exp.gd2
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index fd1e0c9..bdbbecf 100644
+--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
+@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ 		nc = (*ncx) * (*ncy);
+ 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ 		sidx = sizeof (t_chunk_info) * nc;
+		if (overflow2(sidx, nc)) {
+			goto fail1;
+		}
+ 		cidx = gdCalloc (sidx, 1);
+-		if (!cidx) {
+		if (cidx == NULL) {
+ 			goto fail1;
+ 		}
+ 		for (i = 0; i < nc; i++) {
+
--- a/gd.spec
+++ b/gd.spec
@ -5,7 +5,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.1.1
-Release:       7%{?prever}%{?short}%{?dist}
+Release:       8%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.bitbucket.org/
@ -31,6 +31,8 @@ Patch4:        gd-2.1.1-gdImagreScaleTwoPass-leak.patch
 Patch5:        gd-2.1.1-xbm-large-names-overflow.patch
 # CVE-2015-8874
 Patch6:        gd-2.1.1-CVE-2015-8874.patch
+# CVE-2016-5766
+Patch7:        gd-2.1.1-CVE-2016-5766.patch

 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@ -93,6 +95,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %patch4 -p1 -b .image-scale
 %patch5 -p1 -b .xbm-overflow
 %patch6 -p1 -b .cve-2015-8874
+%patch7 -p1 -b .cve-2016-5766

 # Workaround for missing file
 cp %{SOURCE2} config/getver.pl
@ -163,6 +166,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc


 %changelog
+* Tue Jun 28 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-8
+- fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)
+
 * Fri Jun 24 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-7
 - fix for stack overflow with gdImageFillToBorder (CVE-2015-8874)