fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)
This commit is contained in:
parent
1fb3530455
commit
da9eaac8b5
|
@ -0,0 +1,37 @@
|
||||||
|
Backported for 2.1, without binary patch, from:
|
||||||
|
|
||||||
|
|
||||||
|
From 78d83ac76c16d269b538a7cef4120a5fb5177b6d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pierre Joye <pierre.php@gmail.com>
|
||||||
|
Date: Tue, 28 Jun 2016 16:23:42 +0700
|
||||||
|
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
|
||||||
|
_gd2GetHeader() resulting in heap overflow
|
||||||
|
|
||||||
|
---
|
||||||
|
src/gd_gd2.c | 5 ++++-
|
||||||
|
tests/gd2/CMakeLists.txt | 1 +
|
||||||
|
tests/gd2/Makemodule.am | 6 ++++--
|
||||||
|
tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
|
||||||
|
tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
|
||||||
|
5 files changed, 30 insertions(+), 3 deletions(-)
|
||||||
|
create mode 100644 tests/gd2/php_bug_72339.c
|
||||||
|
create mode 100644 tests/gd2/php_bug_72339_exp.gd2
|
||||||
|
|
||||||
|
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
||||||
|
index fd1e0c9..bdbbecf 100644
|
||||||
|
--- a/src/gd_gd2.c
|
||||||
|
+++ b/src/gd_gd2.c
|
||||||
|
@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
||||||
|
nc = (*ncx) * (*ncy);
|
||||||
|
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
|
||||||
|
sidx = sizeof (t_chunk_info) * nc;
|
||||||
|
+ if (overflow2(sidx, nc)) {
|
||||||
|
+ goto fail1;
|
||||||
|
+ }
|
||||||
|
cidx = gdCalloc (sidx, 1);
|
||||||
|
- if (!cidx) {
|
||||||
|
+ if (cidx == NULL) {
|
||||||
|
goto fail1;
|
||||||
|
}
|
||||||
|
for (i = 0; i < nc; i++) {
|
||||||
|
|
8
gd.spec
8
gd.spec
|
@ -5,7 +5,7 @@
|
||||||
Summary: A graphics library for quick creation of PNG or JPEG images
|
Summary: A graphics library for quick creation of PNG or JPEG images
|
||||||
Name: gd
|
Name: gd
|
||||||
Version: 2.1.1
|
Version: 2.1.1
|
||||||
Release: 7%{?prever}%{?short}%{?dist}
|
Release: 8%{?prever}%{?short}%{?dist}
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://libgd.bitbucket.org/
|
URL: http://libgd.bitbucket.org/
|
||||||
|
@ -31,6 +31,8 @@ Patch4: gd-2.1.1-gdImagreScaleTwoPass-leak.patch
|
||||||
Patch5: gd-2.1.1-xbm-large-names-overflow.patch
|
Patch5: gd-2.1.1-xbm-large-names-overflow.patch
|
||||||
# CVE-2015-8874
|
# CVE-2015-8874
|
||||||
Patch6: gd-2.1.1-CVE-2015-8874.patch
|
Patch6: gd-2.1.1-CVE-2015-8874.patch
|
||||||
|
# CVE-2016-5766
|
||||||
|
Patch7: gd-2.1.1-CVE-2016-5766.patch
|
||||||
|
|
||||||
BuildRequires: freetype-devel
|
BuildRequires: freetype-devel
|
||||||
BuildRequires: fontconfig-devel
|
BuildRequires: fontconfig-devel
|
||||||
|
@ -93,6 +95,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
|
||||||
%patch4 -p1 -b .image-scale
|
%patch4 -p1 -b .image-scale
|
||||||
%patch5 -p1 -b .xbm-overflow
|
%patch5 -p1 -b .xbm-overflow
|
||||||
%patch6 -p1 -b .cve-2015-8874
|
%patch6 -p1 -b .cve-2015-8874
|
||||||
|
%patch7 -p1 -b .cve-2016-5766
|
||||||
|
|
||||||
# Workaround for missing file
|
# Workaround for missing file
|
||||||
cp %{SOURCE2} config/getver.pl
|
cp %{SOURCE2} config/getver.pl
|
||||||
|
@ -163,6 +166,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 28 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-8
|
||||||
|
- fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)
|
||||||
|
|
||||||
* Fri Jun 24 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-7
|
* Fri Jun 24 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-7
|
||||||
- fix for stack overflow with gdImageFillToBorder (CVE-2015-8874)
|
- fix for stack overflow with gdImageFillToBorder (CVE-2015-8874)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue