Fix CVE-2016-6207

gd-2.2.3-CVE-2016-6207.patch

@@ -0,0 +1,108 @@
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index a829d4f..ed2b743 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -888,6 +888,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ {
+ 	unsigned int u = 0;
+ 	LineContribType *res;
++	int overflow_error = 0;
+ 
+ 	res = (LineContribType *) gdMalloc(sizeof(LineContribType));
+ 	if (!res) {
+@@ -895,10 +896,31 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ 	}
+ 	res->WindowSize = windows_size;
+ 	res->LineLength = line_length;
++	if (overflow2(line_length, sizeof(ContributionType))) {
++		gdFree(res);
++		return NULL;
++	}
+ 	res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
+-
++	if (res->ContribRow == NULL) {
++		gdFree(res);
++		return NULL;
++	}
+ 	for (u = 0 ; u < line_length ; u++) {
+-		res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
++		if (overflow2(windows_size, sizeof(double))) {
++			overflow_error = 1;
++		} else {
++			res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
++		}
++		if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
++			unsigned int i;
++			u--;
++			for (i=0;i<=u;i++) {
++				gdFree(res->ContribRow[i].Weights);
++			}
++			gdFree(res->ContribRow);
++			gdFree(res);
++			return NULL;
++		}
+ 	}
+ 	return res;
+ }
+@@ -931,7 +953,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
+ 
+ 	windows_size = 2 * (int)ceil(width_d) + 1;
+ 	res = _gdContributionsAlloc(line_size, windows_size);
+-
++	if (res == NULL) {
++		return NULL;
++	}
+ 	for (u = 0; u < line_size; u++) {
+ 		const double dCenter = (double)u / scale_d;
+ 		/* get the significant edge points affecting the pixel */
+@@ -1036,7 +1060,6 @@ _gdScalePass(const gdImagePtr pSrc, const unsigned int src_len,
+         _gdScaleOneAxis(pSrc, pDst, dst_len, line_ndx, contrib, axis);
+ 	}
+ 	_gdContributionsFree (contrib);
+-
+     return 1;
+ }/* _gdScalePass*/
+ 
+@@ -1049,6 +1072,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+     const unsigned int src_height = src->sy;
+ 	gdImagePtr tmp_im = NULL;;
+ 	gdImagePtr dst = NULL;
++	int scale_pass_res;
+ 
+     /* First, handle the trivial case. */
+     if (src_width == new_width && src_height == new_height) {
+@@ -1070,7 +1094,11 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+         }
+         gdImageSetInterpolationMethod(tmp_im, src->interpolation_id);
+ 
+-        _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
++		scale_pass_res = _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
++		if (scale_pass_res != 1) {
++			gdImageDestroy(tmp_im);
++			return NULL;
++		}
+     }/* if .. else*/
+ 
+     /* If vertical sizes match, we're done. */
+@@ -1083,11 +1111,18 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+ 	dst = gdImageCreateTrueColor(new_width, new_height);
+ 	if (dst != NULL) {
+         gdImageSetInterpolationMethod(dst, src->interpolation_id);
+-        _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
++        scale_pass_res = _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
++		if (scale_pass_res != 1) {
++			gdImageDestroy(dst);
++			if (src != tmp_im && tmp_im != NULL) {
++				gdImageDestroy(tmp_im);
++			}
++			return NULL;
++	   }
+     }/* if */
+ 
+-    if (src != tmp_im) {
+-        gdFree(tmp_im);
++	if (tmp_im != NULL && src != tmp_im) {
++        gdImageDestroy(tmp_im);
+     }/* if */
+ 
+ 	return dst;

gd.spec

@@ -5,7 +5,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.1.1
-Release:       9%{?prever}%{?short}%{?dist}
+Release:       10%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.bitbucket.org/
@@ -28,7 +28,8 @@ Patch2:        gd-2.1.1-libvpx.patch
 # CVE-2016-3074
 Patch3:        gd-heap-overflow.patch
 # CVE-2015-8877
-Patch4:        gd-2.1.1-gdImagreScaleTwoPass-leak.patch
+# (included in patch gd-2.2.3-CVE-2016-6207.patch)
+#Patch4:        gd-2.1.1-gdImagreScaleTwoPass-leak.patch
 # CVE-2016-5116
 Patch5:        gd-2.1.1-xbm-large-names-overflow.patch
 # CVE-2015-8874
@@ -37,6 +38,9 @@ Patch6:        gd-2.1.1-CVE-2015-8874.patch
 Patch7:        gd-2.1.1-CVE-2016-5766.patch
 # CVE-2016-6161
 Patch8:        gd-2.2.3-CVE-2016-6161.patch
+# CVE-2016-6207
+# cherry-picked 0dd40 d3258 ff911 f60ec 7a28c commits from libgd master
+Patch9:        gd-2.2.3-CVE-2016-6207.patch
 
 
 BuildRequires: freetype-devel
@@ -97,11 +101,12 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %patch1 -p1 -b .mlib
 %patch2 -p1 -b .vpx
 %patch3 -p1
-%patch4 -p1 -b .image-scale
+#%patch4 -p1 -b .image-scale
 %patch5 -p1 -b .xbm-overflow
 %patch6 -p1 -b .cve-2015-8874
 %patch7 -p1 -b .cve-2016-5766
 %patch8 -p1 -b .cve-2016-6161
+%patch9 -p1 -b .cve-2016-6207
 
 # Workaround for missing file
 cp %{SOURCE2} config/getver.pl
@@ -174,6 +179,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 
 
 %changelog
+* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-10
+- Fix CVE-2016-6207
+
 * Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-9
 - Fix out of bounds read when encoding gif from malformed input with gd2togif
   (CVE-2016-6161)