Fix CVE-2016-6207

2016-09-19 15:17:14 +02:00 · 2016-09-19 15:17:14 +02:00 · faebf7f082
commit faebf7f082
parent 91f922d872
2 changed files with 119 additions and 3 deletions
--- a/gd-2.2.3-CVE-2016-6207.patch
+++ b/gd-2.2.3-CVE-2016-6207.patch
@ -0,0 +1,108 @@
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index a829d4f..ed2b743 100644
+--- a/src/gd_interpolation.c
+++ b/src/gd_interpolation.c
+@@ -888,6 +888,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ {
+ 	unsigned int u = 0;
+ 	LineContribType *res;
+	int overflow_error = 0;
+ 
+ 	res = (LineContribType *) gdMalloc(sizeof(LineContribType));
+ 	if (!res) {
+@@ -895,10 +896,31 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ 	}
+ 	res->WindowSize = windows_size;
+ 	res->LineLength = line_length;
+	if (overflow2(line_length, sizeof(ContributionType))) {
+		gdFree(res);
+		return NULL;
+	}
+ 	res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
+-
+	if (res->ContribRow == NULL) {
+		gdFree(res);
+		return NULL;
+	}
+ 	for (u = 0 ; u < line_length ; u++) {
+-		res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+		if (overflow2(windows_size, sizeof(double))) {
+			overflow_error = 1;
+		} else {
+			res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+		}
+		if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
+			unsigned int i;
+			u--;
+			for (i=0;i<=u;i++) {
+				gdFree(res->ContribRow[i].Weights);
+			}
+			gdFree(res->ContribRow);
+			gdFree(res);
+			return NULL;
+		}
+ 	}
+ 	return res;
+ }
+@@ -931,7 +953,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
+ 
+ 	windows_size = 2 * (int)ceil(width_d) + 1;
+ 	res = _gdContributionsAlloc(line_size, windows_size);
+-
+	if (res == NULL) {
+		return NULL;
+	}
+ 	for (u = 0; u < line_size; u++) {
+ 		const double dCenter = (double)u / scale_d;
+ 		/* get the significant edge points affecting the pixel */
+@@ -1036,7 +1060,6 @@ _gdScalePass(const gdImagePtr pSrc, const unsigned int src_len,
+         _gdScaleOneAxis(pSrc, pDst, dst_len, line_ndx, contrib, axis);
+ 	}
+ 	_gdContributionsFree (contrib);
+-
+     return 1;
+ }/* _gdScalePass*/
+ 
+@@ -1049,6 +1072,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+     const unsigned int src_height = src->sy;
+ 	gdImagePtr tmp_im = NULL;;
+ 	gdImagePtr dst = NULL;
+	int scale_pass_res;
+ 
+     /* First, handle the trivial case. */
+     if (src_width == new_width && src_height == new_height) {
+@@ -1070,7 +1094,11 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+         }
+         gdImageSetInterpolationMethod(tmp_im, src->interpolation_id);
+ 
+-        _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
+		scale_pass_res = _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
+		if (scale_pass_res != 1) {
+			gdImageDestroy(tmp_im);
+			return NULL;
+		}
+     }/* if .. else*/
+ 
+     /* If vertical sizes match, we're done. */
+@@ -1083,11 +1111,18 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+ 	dst = gdImageCreateTrueColor(new_width, new_height);
+ 	if (dst != NULL) {
+         gdImageSetInterpolationMethod(dst, src->interpolation_id);
+-        _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
+        scale_pass_res = _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
+		if (scale_pass_res != 1) {
+			gdImageDestroy(dst);
+			if (src != tmp_im && tmp_im != NULL) {
+				gdImageDestroy(tmp_im);
+			}
+			return NULL;
+	   }
+     }/* if */
+ 
+-    if (src != tmp_im) {
+-        gdFree(tmp_im);
+	if (tmp_im != NULL && src != tmp_im) {
+        gdImageDestroy(tmp_im);
+     }/* if */
+ 
+ 	return dst;
--- a/gd.spec
+++ b/gd.spec
@ -5,7 +5,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.1.1
-Release:       9%{?prever}%{?short}%{?dist}
+Release:       10%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.bitbucket.org/
@ -28,7 +28,8 @@ Patch2:        gd-2.1.1-libvpx.patch
 # CVE-2016-3074
 Patch3:        gd-heap-overflow.patch
 # CVE-2015-8877
-Patch4:        gd-2.1.1-gdImagreScaleTwoPass-leak.patch
+# (included in patch gd-2.2.3-CVE-2016-6207.patch)
+#Patch4:        gd-2.1.1-gdImagreScaleTwoPass-leak.patch
 # CVE-2016-5116
 Patch5:        gd-2.1.1-xbm-large-names-overflow.patch
 # CVE-2015-8874
@ -37,6 +38,9 @@ Patch6:        gd-2.1.1-CVE-2015-8874.patch
 Patch7:        gd-2.1.1-CVE-2016-5766.patch
 # CVE-2016-6161
 Patch8:        gd-2.2.3-CVE-2016-6161.patch
+# CVE-2016-6207
+# cherry-picked 0dd40 d3258 ff911 f60ec 7a28c commits from libgd master
+Patch9:        gd-2.2.3-CVE-2016-6207.patch


 BuildRequires: freetype-devel
@ -97,11 +101,12 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %patch1 -p1 -b .mlib
 %patch2 -p1 -b .vpx
 %patch3 -p1
-%patch4 -p1 -b .image-scale
+#%patch4 -p1 -b .image-scale
 %patch5 -p1 -b .xbm-overflow
 %patch6 -p1 -b .cve-2015-8874
 %patch7 -p1 -b .cve-2016-5766
 %patch8 -p1 -b .cve-2016-6161
+%patch9 -p1 -b .cve-2016-6207

 # Workaround for missing file
 cp %{SOURCE2} config/getver.pl
@ -174,6 +179,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc


 %changelog
+* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-10
+- Fix CVE-2016-6207
+
 * Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-9
 - Fix out of bounds read when encoding gif from malformed input with gd2togif
  (CVE-2016-6161)