fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)
parent
1fb3530455
commit
da9eaac8b5
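--- a/gd-2.1.1-CVE-2016-5766.patch
+++ b/gd-2.1.1-CVE-2016-5766.patch
@@ -0,0 +1,37 @@
+Backported for 2.1, without binary patch, from:
+
+
+From 78d83ac76c16d269b538a7cef4120a5fb5177b6d Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 28 Jun 2016 16:23:42 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+_gd2GetHeader() resulting in heap overflow
+
+---
+src/gd_gd2.c | 5 ++++-
+tests/gd2/CMakeLists.txt | 1 +
+tests/gd2/Makemodule.am | 6 ++++--
+tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
+tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
+5 files changed, 30 insertions(+), 3 deletions(-)
+create mode 100644 tests/gd2/php_bug_72339.c
+create mode 100644 tests/gd2/php_bug_72339_exp.gd2
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index fd1e0c9..bdbbecf 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+nc = (*ncx) * (*ncy);
+GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+sidx = sizeof (t_chunk_info) * nc;
++ if (overflow2(sidx, nc)) {
++ goto fail1;
++ }
+cidx = gdCalloc (sidx, 1);
+- if (!cidx) {
++ if (cidx == NULL) {
+goto fail1;
+}
+for (i = 0; i < nc; i++) {
+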
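Review bot: The added `overflow2(sidx, nc)` guard in the `_gd2GetHeader` hunk runs only after `sidx = sizeof (t_chunk_info) * nc;` has been evaluated, and it tests the product `sidx * nc` rather than the multiplication that actually sizes the `gdCalloc` request. If `sidx` and `nc` are `int` (their declarations are outside the hunk), a wrapped `sidx` is rejected only when it happens to come out non-positive or large enough to trip the second product, which is fragile. Checking the real operands before the assignment states the intent directly: `if (overflow2(sizeof (t_chunk_info), nc)) { goto fail1; }` followed by `sidx = sizeof (t_chunk_info) * nc;`. The preceding `nc = (*ncx) * (*ncy);` is also unchecked in the visible lines, so it is worth confirming that the part of the function outside this hunk bounds `*ncx` and `*ncy` read from the file header before they are multiplied.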
8
gd.spec
8
gd.spec
@ -5,7 +5,7 @@
|
||||
Summary: A graphics library for quick creation of PNG or JPEG images
|
||||
Name: gd
|
||||
Version: 2.1.1
|
||||
Release: 7%{?prever}%{?short}%{?dist}
|
||||
Release: 8%{?prever}%{?short}%{?dist}
|
||||
Group: System Environment/Libraries
|
||||
License: MIT
|
||||
URL: http://libgd.bitbucket.org/
|
||||
@ -31,6 +31,8 @@ Patch4: gd-2.1.1-gdImagreScaleTwoPass-leak.patch
|
||||
Patch5: gd-2.1.1-xbm-large-names-overflow.patch
|
||||
# CVE-2015-8874
|
||||
Patch6: gd-2.1.1-CVE-2015-8874.patch
|
||||
# CVE-2016-5766
|
||||
Patch7: gd-2.1.1-CVE-2016-5766.patch
|
||||
|
||||
BuildRequires: freetype-devel
|
||||
BuildRequires: fontconfig-devel
|
||||
@ -93,6 +95,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
|
||||
%patch4 -p1 -b .image-scale
|
||||
%patch5 -p1 -b .xbm-overflow
|
||||
%patch6 -p1 -b .cve-2015-8874
|
||||
%patch7 -p1 -b .cve-2016-5766
|
||||
|
||||
# Workaround for missing file
|
||||
cp %{SOURCE2} config/getver.pl
|
||||
@ -163,6 +166,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Jun 28 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-8
|
||||
- fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)
|
||||
|
||||
* Fri Jun 24 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-7
|
||||
- fix for stack overflow with gdImageFillToBorder (CVE-2015-8874)
|
||||
|
||||
|