From fd352fa1c0f582096b5c7ddadaccfeb612ad6c87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Skalick=C3=BD?=
Date: Mon, 26 Mar 2018 12:49:23 +0200
Subject: [PATCH] Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx
---
 gd-2.2.5-upstream.patch | 62 +++++++++++++++++++++++++++++++++++++++++
 gd.spec | 8 +++++-
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 gd-2.2.5-upstream.patch
diff --git a/gd-2.2.5-upstream.patch b/gd-2.2.5-upstream.patch
new file mode 100644
index 0000000..0bc1bcb
--- /dev/null
+++ b/gd-2.2.5-upstream.patch
@@ -0,0 +1,62 @@
+From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop. Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+ src/gd_gif_in.c | 12 ++++++------
+ tests/gif/.gitignore | 1 +
+ tests/gif/CMakeLists.txt | 1 +
+ tests/gif/Makemodule.am | 2 ++
+ tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++
+ tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes
+ 6 files changed, 38 insertions(+), 6 deletions(-)
+ create mode 100644 tests/gif/php_bug_75571.c
+ create mode 100644 tests/gif/php_bug_75571.gif
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index daf26e79..0a8bd717 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ return 0;
+ }
+
+- if(!im->colorsTotal) {
+- gdImageDestroy(im);
+- return 0;
+- }
+-
+ /* Check for open colors at the end, so
+ * we can reduce colorsTotal and ultimately
+ * BitsPerPixel */
+@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ }
+ }
+
++ if(!im->colorsTotal) {
++ gdImageDestroy(im);
++ return 0;
++ }
++
+ return im;
+ }
+
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ int i, j, ret;
+- unsigned char count;
++ int count;
+
+ if(flag) {
+ scd->curbit = 0;
+
diff --git a/gd.spec b/gd.spec
index 8281bc7..3f8c850 100644
--- a/gd.spec
+++ b/gd.spec
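Review bot: The diffstat embedded in gd-2.2.5-upstream.patch lists six files (src/gd_gif_in.c plus tests/gif/.gitignore, tests/gif/CMakeLists.txt, tests/gif/Makemodule.am, tests/gif/php_bug_75571.c and tests/gif/php_bug_75571.gif), but the patch body that follows carries only the src/gd_gif_in.c hunks, so the stat no longer describes the file and the upstream regression test for CVE-2018-5711 is not backported. `%patch` ignores the stat lines, so the build is unaffected, but the mismatch will mislead whoever next refreshes the patch; either trim the stat to `src/gd_gif_in.c | 12 ++++++------` and `1 file changed, 6 insertions(+), 6 deletions(-)`, or carry the test along so the package's check phase exercises the fix. The GetCode_ hunk changes only the declaration to `int count;`; the lines where `count` is assigned and compared, which is where the signedness confusion named in the nested commit message actually matters, lie past the end of that hunk, so the fix cannot be confirmed from this excerpt alone. Both gdImageCreateFromGifCtx and GetCode_ continue outside the hunks shown.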
@@ -1,7 +1,7 @@
 Summary: A graphics library for quick creation of PNG or JPEG images
 Name: gd
 Version: 2.2.5
-Release: 1%{?prever}%{?short}%{?dist}
+Release: 2%{?prever}%{?short}%{?dist}
 Group: System Environment/Libraries
 License: MIT
 URL: http://libgd.github.io/
@@ -14,6 +14,8 @@ Source0: https://github.com/libgd/libgd/releases/download/gd-%{version}/li
 %endif
 Patch1: gd-2.1.0-multilib.patch
+# CVE-2018-5711 - https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
+Patch2: gd-2.2.5-upstream.patch
 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@@ -74,6 +76,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %prep
 %setup -q -n libgd-%{version}%{?prever:-%{prever}}
 %patch1 -p1 -b .mlib
+%patch2 -p1 -b .upstream
 : $(perl config/getver.pl)
@@ -154,6 +157,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 %changelog
+* Mon Mar 26 2018 Marek Skalický - 2.2.5-2
+- Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx
+
 * Wed Aug 30 2017 Remi Collet - 2.2.5-1
 - Update to 2.2.5
 - fix double-free in gdImagePngPtr(). CVE-2017-6362