Compare commits
9 Commits
Author | SHA1 | Date |
---|---|---|
|
4588f4972b | |
|
faebf7f082 | |
|
91f922d872 | |
|
da9eaac8b5 | |
|
1fb3530455 | |
|
9db5e2bdaa | |
|
1bd3819e67 | |
|
81914b0d59 | |
|
8bd65163f5 |
|
@ -0,0 +1,31 @@
|
|||
From 4d29684fd4ddbd6bb4dbde805f0fdaa84b0f66f2 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
|
||||
Date: Fri, 20 May 2016 09:39:38 +0200
|
||||
Subject: [PATCH] CVE-2015-8874
|
||||
|
||||
---
|
||||
src/gd.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/src/gd.c b/src/gd.c
|
||||
index 300dfce..0603247 100644
|
||||
--- a/src/gd.c
|
||||
+++ b/src/gd.c
|
||||
@@ -1938,6 +1938,17 @@ BGD_DECLARE(void) gdImageFillToBorder (gdImagePtr im, int x, int y, int border,
|
||||
restoreAlphaBleding = im->alphaBlendingFlag;
|
||||
im->alphaBlendingFlag = 0;
|
||||
|
||||
+ if (x >= im->sx) {
|
||||
+ x = im->sx - 1;
|
||||
+ } else if (x < 0) {
|
||||
+ x = 0;
|
||||
+ }
|
||||
+ if (y >= im->sy) {
|
||||
+ y = im->sy - 1;
|
||||
+ } else if (y < 0) {
|
||||
+ y = 0;
|
||||
+ }
|
||||
+
|
||||
for (i = x; (i >= 0); i--) {
|
||||
if (gdImageGetPixel (im, i, y) == border) {
|
||||
break;
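Review bot: The clamp at the top of the hunk silently relocates a seed point that lies outside the image to the nearest edge pixel and then fills from there, which is a behaviour change the empty patch description does not explain; if the intended semantics for an out-of-range (x, y) is "do nothing", an early return would be clearer, but it must first restore the blending flag that was already cleared two lines above: `im->alphaBlendingFlag = restoreAlphaBleding; return;`. Whichever semantics is intended, a one-line comment above the new block would help future readers, e.g. `/* Keep the seed point inside the image so the scan loops below never start outside it (CVE-2015-8874). */`. The rest of gdImageFillToBorder lies outside the hunk, so whether later code depends on x/y being in range is not visible here.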
|
|
@ -0,0 +1,37 @@
|
|||
Backported for 2.1, without binary patch, from:
|
||||
|
||||
|
||||
From 78d83ac76c16d269b538a7cef4120a5fb5177b6d Mon Sep 17 00:00:00 2001
|
||||
From: Pierre Joye <pierre.php@gmail.com>
|
||||
Date: Tue, 28 Jun 2016 16:23:42 +0700
|
||||
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
|
||||
_gd2GetHeader() resulting in heap overflow
|
||||
|
||||
---
|
||||
src/gd_gd2.c | 5 ++++-
|
||||
tests/gd2/CMakeLists.txt | 1 +
|
||||
tests/gd2/Makemodule.am | 6 ++++--
|
||||
tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
|
||||
tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
|
||||
5 files changed, 30 insertions(+), 3 deletions(-)
|
||||
create mode 100644 tests/gd2/php_bug_72339.c
|
||||
create mode 100644 tests/gd2/php_bug_72339_exp.gd2
|
||||
|
||||
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
||||
index fd1e0c9..bdbbecf 100644
|
||||
--- a/src/gd_gd2.c
|
||||
+++ b/src/gd_gd2.c
|
||||
@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
||||
nc = (*ncx) * (*ncy);
|
||||
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
|
||||
sidx = sizeof (t_chunk_info) * nc;
|
||||
+ if (overflow2(sidx, nc)) {
|
||||
+ goto fail1;
|
||||
+ }
|
||||
cidx = gdCalloc (sidx, 1);
|
||||
- if (!cidx) {
|
||||
+ if (cidx == NULL) {
|
||||
goto fail1;
|
||||
}
|
||||
for (i = 0; i < nc; i++) {
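Review bot: The overflow check added after `sidx = sizeof (t_chunk_info) * nc;` tests the wrong product: `overflow2(sidx, nc)` asks whether sidx * nc overflows, while the multiplication that can actually overflow, sizeof(t_chunk_info) * nc, has already been evaluated on the line above, so the check only works if the already-wrapped sidx happens to fail the second test. The guard belongs before the assignment and on its real operands: `if (overflow2(sizeof (t_chunk_info), nc)) { goto fail1; }` followed by `sidx = sizeof (t_chunk_info) * nc;`. The product `nc = (*ncx) * (*ncy)` at the top of the hunk is itself unchecked; unless *ncx and *ncy are bounded earlier in _gd2GetHeader (outside the hunk), it deserves the same treatment with `overflow2(*ncx, *ncy)`. The `!cidx` to `cidx == NULL` rewrite is cosmetic and fine.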
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
From 4751b606fa38edc456d627140898a7ec679fcc24 Mon Sep 17 00:00:00 2001
|
||||
From: Vladimir Mitrovic <vladimir.x.mitrovic@gmail.com>
|
||||
Date: Wed, 5 Aug 2015 03:01:06 +0200
|
||||
Subject: [PATCH] gdImageScaleTwoPass memory leak fix
|
||||
|
||||
Fixing memory leak in gdImageScaleTwoPass, as reported by @cmb69 and
|
||||
confirmed by @vapier. This bug actually bit me in production and I'm
|
||||
very thankful that it was reported with an easy fix.
|
||||
|
||||
Fixes #173.
|
||||
---
|
||||
src/gd_interpolation.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
|
||||
index fcc11e6..f00c946 100644
|
||||
--- a/src/gd_interpolation.c
|
||||
+++ b/src/gd_interpolation.c
|
||||
@@ -1087,7 +1087,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
|
||||
}/* if */
|
||||
|
||||
if (src != tmp_im) {
|
||||
- gdFree(tmp_im);
|
||||
+ gdImageDestroy(tmp_im);
|
||||
}/* if */
|
||||
|
||||
return dst;
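Review bot: `gdImageDestroy(tmp_im)` is now reached whenever `src != tmp_im`, which includes the case where tmp_im is still NULL because its allocation earlier in gdImageScaleTwoPass (outside this hunk) failed; whether gdImageDestroy tolerates a NULL argument is not visible here, so the guard should exclude it explicitly: `if (tmp_im != NULL && src != tmp_im) { gdImageDestroy(tmp_im); }`. The switch from gdFree to gdImageDestroy is the right direction, since the commit message identifies the plain gdFree as the leak. Note that the spec in this repository comments this patch out in favour of the CVE-2016-6207 backport, which carries the same fix together with the NULL check.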
|
|
@ -0,0 +1,89 @@
|
|||
From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001
|
||||
From: Mike Frysinger <vapier@gentoo.org>
|
||||
Date: Sat, 14 May 2016 01:38:18 -0400
|
||||
Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
|
||||
|
||||
We use the name passed in to printf into a local stack buffer which is
|
||||
limited to 4000 bytes. So given a large enough value, lots of stack
|
||||
data is leaked. Rewrite the code to do simple memory copies with most
|
||||
of the strings to avoid that issue, and only use stack buffer for small
|
||||
numbers of constant size.
|
||||
|
||||
This closes #211.
|
||||
---
|
||||
src/gd_xbm.c | 34 +++++++++++++++++++++++++++-------
|
||||
1 file changed, 27 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/gd_xbm.c b/src/gd_xbm.c
|
||||
index 74d839b..d28fdfc 100644
|
||||
--- a/src/gd_xbm.c
|
||||
+++ b/src/gd_xbm.c
|
||||
@@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
|
||||
/* {{{ gdCtxPrintf */
|
||||
static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
|
||||
{
|
||||
- char buf[4096];
|
||||
+ char buf[1024];
|
||||
int len;
|
||||
va_list args;
|
||||
|
||||
@@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
|
||||
}
|
||||
/* }}} */
|
||||
|
||||
+/* The compiler will optimize strlen(constant) to a constant number. */
|
||||
+#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s))
|
||||
+
|
||||
/* {{{ gdImageXbmCtx */
|
||||
BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
|
||||
{
|
||||
@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
|
||||
}
|
||||
}
|
||||
|
||||
- gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image));
|
||||
- gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image));
|
||||
- gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name);
|
||||
+ /* Since "name" comes from the user, run it through a direct puts.
|
||||
+ * Trying to printf it into a local buffer means we'd need a large
|
||||
+ * or dynamic buffer to hold it all. */
|
||||
+
|
||||
+ /* #define <name>_width 1234 */
|
||||
+ gdCtxPuts(out, "#define ");
|
||||
+ gdCtxPuts(out, name);
|
||||
+ gdCtxPuts(out, "_width ");
|
||||
+ gdCtxPrintf(out, "%d\n", gdImageSX(image));
|
||||
+
|
||||
+ /* #define <name>_height 1234 */
|
||||
+ gdCtxPuts(out, "#define ");
|
||||
+ gdCtxPuts(out, name);
|
||||
+ gdCtxPuts(out, "_height ");
|
||||
+ gdCtxPrintf(out, "%d\n", gdImageSY(image));
|
||||
+
|
||||
+ /* static unsigned char <name>_bits[] = {\n */
|
||||
+ gdCtxPuts(out, "static unsigned char ");
|
||||
+ gdCtxPuts(out, name);
|
||||
+ gdCtxPuts(out, "_bits[] = {\n ");
|
||||
|
||||
free(name);
|
||||
|
||||
@@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
|
||||
if ((b == 128) || (x == sx && y == sy)) {
|
||||
b = 1;
|
||||
if (p) {
|
||||
- gdCtxPrintf(out, ", ");
|
||||
+ gdCtxPuts(out, ", ");
|
||||
if (!(p%12)) {
|
||||
- gdCtxPrintf(out, "\n ");
|
||||
+ gdCtxPuts(out, "\n ");
|
||||
p = 12;
|
||||
}
|
||||
}
|
||||
@@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
|
||||
}
|
||||
}
|
||||
}
|
||||
- gdCtxPrintf(out, "};\n");
|
||||
+ gdCtxPuts(out, "};\n");
|
||||
}
|
||||
/* }}} */
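Review bot: The new `gdCtxPuts` macro evaluates its `s` argument twice and parenthesizes neither parameter, so a call with an expression argument (a `p++` or a ternary) would be wrong; every call site in this hunk passes an identifier or a string literal, so it is safe today, but a `static inline` function gives the same behaviour without the hazard and still lets the compiler fold strlen on literals: `static inline void gdCtxPuts(gdIOCtx *out, const char *s) { out->putBuf(out, s, strlen(s)); }`. The remaining gdCtxPrintf calls only format a single `%d`, so shrinking the buffer from 4096 to 1024 bytes looks safe for the uses visible here; whether gdCtxPrintf bounds its formatting to sizeof(buf) is outside the hunk. `name` is freed right after the three puts, so its lifetime across the new calls is fine.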
|
|
@ -0,0 +1,119 @@
|
|||
From 82b80dcb70a7ca8986125ff412bceddafc896842 Mon Sep 17 00:00:00 2001
|
||||
From: Mike Frysinger <vapier@gentoo.org>
|
||||
Date: Sat, 14 May 2016 02:13:15 -0400
|
||||
Subject: [PATCH] gif: avoid out-of-bound reads of masks array #209
|
||||
|
||||
When given invalid inputs, we might be fed the EOF marker before it is
|
||||
actually the EOF. The gif logic assumes once it sees the EOF marker,
|
||||
there won't be any more data, so it leaves the cur_bits index possibly
|
||||
negative. So when we get more data, we underflow the masks array.
|
||||
|
||||
Flag it so we don't try to output anything more. The image is invalid,
|
||||
so we shouldn't be truncating any valid inputs.
|
||||
|
||||
This fixes #209.
|
||||
---
|
||||
src/gd_gif_out.c | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
From 315dbfb0e75895e3ba84f649c491956e75f1106c Mon Sep 17 00:00:00 2001
|
||||
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
||||
Date: Tue, 19 Jul 2016 10:43:55 +0200
|
||||
Subject: [PATCH] Add test case for issue #209
|
||||
|
||||
---
|
||||
tests/gif/.gitignore | 1 +
|
||||
tests/gif/CMakeLists.txt | 1 +
|
||||
tests/gif/Makemodule.am | 4 +++-
|
||||
tests/gif/bug00209.c | 29 +++++++++++++++++++++++++++++
|
||||
tests/gif/bug00209.gd2 | Bin 0 -> 1050 bytes
|
||||
5 files changed, 34 insertions(+), 1 deletion(-)
|
||||
create mode 100644 tests/gif/bug00209.c
|
||||
create mode 100644 tests/gif/bug00209.gd2
|
||||
|
||||
diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
|
||||
index 51ceb75..3099d49 100644
|
||||
--- a/src/gd_gif_out.c
|
||||
+++ b/src/gd_gif_out.c
|
||||
@@ -1442,15 +1442,23 @@ static void compress(int init_bits, gdIOCtxPtr outfile, gdImagePtr im, GifCtx *c
|
||||
* code in turn. When the buffer fills up empty it and start over.
|
||||
*/
|
||||
|
||||
-static unsigned long masks[] = {
|
||||
+static const unsigned long masks[] = {
|
||||
0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
|
||||
0x001F, 0x003F, 0x007F, 0x00FF,
|
||||
0x01FF, 0x03FF, 0x07FF, 0x0FFF,
|
||||
0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF
|
||||
};
|
||||
|
||||
+/* Arbitrary value to mark output is done. When we see EOFCode, then we don't
|
||||
+ * expect to see any more data. If we do (e.g. corrupt image inputs), cur_bits
|
||||
+ * might be negative, so flag it to return early.
|
||||
+ */
|
||||
+#define CUR_BITS_FINISHED -1000
|
||||
+
|
||||
static void output(code_int code, GifCtx *ctx)
|
||||
{
|
||||
+ if (ctx->cur_bits == CUR_BITS_FINISHED)
|
||||
+ return;
|
||||
ctx->cur_accum &= masks[ctx->cur_bits];
|
||||
|
||||
if(ctx->cur_bits > 0) {
|
||||
@@ -1492,6 +1500,8 @@ static void output(code_int code, GifCtx *ctx)
|
||||
ctx->cur_accum >>= 8;
|
||||
ctx->cur_bits -= 8;
|
||||
}
|
||||
+ /* Flag that it's done to prevent re-entry. */
|
||||
+ ctx->cur_bits = CUR_BITS_FINISHED;
|
||||
|
||||
flush_char(ctx);
|
||||
}
|
||||
|
||||
diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
|
||||
index 92010c3..d26b1fe 100644
|
||||
--- a/tests/gif/CMakeLists.txt
|
||||
+++ b/tests/gif/CMakeLists.txt
|
||||
@@ -7,6 +7,7 @@ LIST(APPEND TESTS_FILES
|
||||
bug00060
|
||||
bug00066
|
||||
bug00181
|
||||
+ bug00209
|
||||
bug00227
|
||||
)
|
||||
|
||||
diff --git a/tests/gif/bug00209.c b/tests/gif/bug00209.c
|
||||
new file mode 100644
|
||||
index 0000000..6eafc32
|
||||
--- /dev/null
|
||||
+++ b/tests/gif/bug00209.c
|
||||
@@ -0,0 +1,29 @@
|
||||
+/* Test case for <https://github.com/libgd/libgd/issues/209>. */
|
||||
+
|
||||
+#include "gd.h"
|
||||
+#include "gdtest.h"
|
||||
+
|
||||
+int main()
|
||||
+{
|
||||
+ gdImagePtr im;
|
||||
+ FILE *fp;
|
||||
+
|
||||
+ /* printf("start\n"); */
|
||||
+
|
||||
+ fp = gdTestFileOpen("gif/bug00209.gd2");
|
||||
+ gdTestAssert(fp != NULL);
|
||||
+ im = gdImageCreateFromGd2(fp);
|
||||
+ gdTestAssert(im != NULL);
|
||||
+ fclose(fp);
|
||||
+ /* printf("loaded\n"); */
|
||||
+
|
||||
+ fp = gdTestTempFp();
|
||||
+ gdTestAssert(fp != NULL);
|
||||
+ gdImageGif(im, fp);
|
||||
+ fclose(fp);
|
||||
+ /* printf("saved\n"); */
|
||||
+
|
||||
+ gdImageDestroy(im);
|
||||
+
|
||||
+ return gdNumFailures();
|
||||
+}
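Review bot: The early return in output() recognises only the exact sentinel `CUR_BITS_FINISHED`, so the `masks[ctx->cur_bits]` index on the next line stays unguarded for any other out-of-range value; the commit message says cur_bits "might be negative" after the EOF path and the sentinel is assigned only at the very end of that path, so a defensive bound makes the intent explicit: `if (ctx->cur_bits < 0 || ctx->cur_bits >= (int)(sizeof(masks) / sizeof(masks[0]))) return;`. Whether cur_bits can actually reach such a value without passing through the EOF branch is not visible in the hunk, so treat this as belt-and-braces rather than a known bug. In the new bug00209.c test, if gdTestAssert only records a failure rather than aborting (its definition is not shown), a NULL `im` or `fp` still reaches gdImageGif(im, fp); returning early after the assert, `if (im == NULL) return gdNumFailures();`, keeps a missing fixture from turning into a crash.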
|
|
@ -0,0 +1,108 @@
|
|||
diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
|
||||
index a829d4f..ed2b743 100644
|
||||
--- a/src/gd_interpolation.c
|
||||
+++ b/src/gd_interpolation.c
|
||||
@@ -888,6 +888,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
|
||||
{
|
||||
unsigned int u = 0;
|
||||
LineContribType *res;
|
||||
+ int overflow_error = 0;
|
||||
|
||||
res = (LineContribType *) gdMalloc(sizeof(LineContribType));
|
||||
if (!res) {
|
||||
@@ -895,10 +896,31 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
|
||||
}
|
||||
res->WindowSize = windows_size;
|
||||
res->LineLength = line_length;
|
||||
+ if (overflow2(line_length, sizeof(ContributionType))) {
|
||||
+ gdFree(res);
|
||||
+ return NULL;
|
||||
+ }
|
||||
res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
|
||||
-
|
||||
+ if (res->ContribRow == NULL) {
|
||||
+ gdFree(res);
|
||||
+ return NULL;
|
||||
+ }
|
||||
for (u = 0 ; u < line_length ; u++) {
|
||||
- res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
|
||||
+ if (overflow2(windows_size, sizeof(double))) {
|
||||
+ overflow_error = 1;
|
||||
+ } else {
|
||||
+ res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
|
||||
+ }
|
||||
+ if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
|
||||
+ unsigned int i;
|
||||
+ u--;
|
||||
+ for (i=0;i<=u;i++) {
|
||||
+ gdFree(res->ContribRow[i].Weights);
|
||||
+ }
|
||||
+ gdFree(res->ContribRow);
|
||||
+ gdFree(res);
|
||||
+ return NULL;
|
||||
+ }
|
||||
}
|
||||
return res;
|
||||
}
|
||||
@@ -931,7 +953,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
|
||||
|
||||
windows_size = 2 * (int)ceil(width_d) + 1;
|
||||
res = _gdContributionsAlloc(line_size, windows_size);
|
||||
-
|
||||
+ if (res == NULL) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
for (u = 0; u < line_size; u++) {
|
||||
const double dCenter = (double)u / scale_d;
|
||||
/* get the significant edge points affecting the pixel */
|
||||
@@ -1036,7 +1060,6 @@ _gdScalePass(const gdImagePtr pSrc, const unsigned int src_len,
|
||||
_gdScaleOneAxis(pSrc, pDst, dst_len, line_ndx, contrib, axis);
|
||||
}
|
||||
_gdContributionsFree (contrib);
|
||||
-
|
||||
return 1;
|
||||
}/* _gdScalePass*/
|
||||
|
||||
@@ -1049,6 +1072,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
|
||||
const unsigned int src_height = src->sy;
|
||||
gdImagePtr tmp_im = NULL;;
|
||||
gdImagePtr dst = NULL;
|
||||
+ int scale_pass_res;
|
||||
|
||||
/* First, handle the trivial case. */
|
||||
if (src_width == new_width && src_height == new_height) {
|
||||
@@ -1070,7 +1094,11 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
|
||||
}
|
||||
gdImageSetInterpolationMethod(tmp_im, src->interpolation_id);
|
||||
|
||||
- _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
|
||||
+ scale_pass_res = _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
|
||||
+ if (scale_pass_res != 1) {
|
||||
+ gdImageDestroy(tmp_im);
|
||||
+ return NULL;
|
||||
+ }
|
||||
}/* if .. else*/
|
||||
|
||||
/* If vertical sizes match, we're done. */
|
||||
@@ -1083,11 +1111,18 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
|
||||
dst = gdImageCreateTrueColor(new_width, new_height);
|
||||
if (dst != NULL) {
|
||||
gdImageSetInterpolationMethod(dst, src->interpolation_id);
|
||||
- _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
|
||||
+ scale_pass_res = _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
|
||||
+ if (scale_pass_res != 1) {
|
||||
+ gdImageDestroy(dst);
|
||||
+ if (src != tmp_im && tmp_im != NULL) {
|
||||
+ gdImageDestroy(tmp_im);
|
||||
+ }
|
||||
+ return NULL;
|
||||
+ }
|
||||
}/* if */
|
||||
|
||||
- if (src != tmp_im) {
|
||||
- gdFree(tmp_im);
|
||||
+ if (tmp_im != NULL && src != tmp_im) {
|
||||
+ gdImageDestroy(tmp_im);
|
||||
}/* if */
|
||||
|
||||
return dst;
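Review bot: The cleanup path in _gdContributionsAlloc underflows when the very first Weights allocation fails: `u` is declared `unsigned int`, so `u--` at u == 0 wraps to UINT_MAX and `for (i=0;i<=u;i++)` then walks far past the ContribRow allocation, calling gdFree on uninitialised pointers. Dropping the decrement and using a strict bound frees exactly the rows already allocated and is identical to the old loop for u > 0: `for (i = 0; i < u; i++) { gdFree(res->ContribRow[i].Weights); }`. The `overflow2(windows_size, sizeof(double))` test inside the loop is loop-invariant and could be hoisted next to the line_length check above the loop, which would also let the `overflow_error` flag go away. The new `scale_pass_res` checks in gdImageScaleTwoPass release tmp_im and dst correctly as far as the visible lines show.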
|
|
@ -0,0 +1,26 @@
|
|||
From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
|
||||
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
||||
Date: Wed, 12 Oct 2016 11:15:32 +0200
|
||||
Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
|
||||
|
||||
We make sure to never pass a negative `rlen` as size to memcpy(). See
|
||||
also <https://bugs.php.net/bug.php?id=73280>.
|
||||
|
||||
Patch provided by Emmanuel Law.
|
||||
---
|
||||
src/gd_io_dp.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
|
||||
index 135eda3..228bfa5 100644
|
||||
--- a/src/gd_io_dp.c
|
||||
+++ b/src/gd_io_dp.c
|
||||
@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
|
||||
if(remain >= len) {
|
||||
rlen = len;
|
||||
} else {
|
||||
- if(remain == 0) {
|
||||
+ if(remain <= 0) {
|
||||
/* 2.0.34: EOF is incorrect. We use 0 for
|
||||
* errors and EOF, just like fileGetbuf,
|
||||
* which is a simple fread() wrapper.
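Review bot: The widened `remain <= 0` test covers a negative remain but not a negative `len`: on the `if(remain >= len)` branch two lines above, any non-negative remain satisfies the comparison when len is negative, so `rlen = len` still carries a negative size to the memcpy the commit message is trying to protect. If callers can pass a negative length (not visible here), an explicit guard at the top of dynamicGetbuf closes that path: `if (len <= 0) { return 0; }`. A short comment on the changed condition would also help, since the old `remain == 0` read like a plain end-of-buffer test: `/* remain can go negative, not just reach 0; treat both as EOF */`. The memcpy itself and the computation of remain are outside the hunk.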
|
|
@ -0,0 +1,27 @@
|
|||
diff --git a/src/gd_webp.c b/src/gd_webp.c
|
||||
index fae3861..a7ed222 100644
|
||||
--- a/src/gd_webp.c
|
||||
+++ b/src/gd_webp.c
|
||||
@@ -179,6 +179,22 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantiza
|
||||
/* Conversion to Y,U,V buffer */
|
||||
yuv_width = (width + 1) >> 1;
|
||||
yuv_height = (height + 1) >> 1;
|
||||
+
|
||||
+ if (overflow2(width, height)) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (overflow2(2, yuv_width)) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (overflow2(2 * yuv_width, yuv_height)) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (overflow2(width * height + 2 * yuv_width * yuv_height, 1)) {
|
||||
+ return;
|
||||
+ }
|
||||
yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
|
||||
|
||||
if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
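Review bot: The last of the four new checks, `overflow2(width * height + 2 * yuv_width * yuv_height, 1)`, evaluates the sum first and only then hands it to overflow2 with a multiplier of 1, so it cannot detect the addition overflowing: by the time overflow2 runs the (presumably int) sum has already wrapped, which is undefined behaviour for signed operands, and the check only helps if overflow2 happens to reject a non-positive first argument (its definition is not shown here). Checking the addition directly avoids relying on that: `if (width * height > INT_MAX - 2 * yuv_width * yuv_height) { return; }` (with `<limits.h>`), both products having already been validated by the three preceding checks. Returning silently from gdImageWebpCtx also leaves the caller with no indication that nothing was written; whether the function has an error-reporting convention is outside the hunk.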
|
|
@ -0,0 +1,59 @@
|
|||
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
||||
index 6f28461..a50b33d 100644
|
||||
--- a/src/gd_gd2.c
|
||||
+++ b/src/gd_gd2.c
|
||||
@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
||||
if (gdGetInt (&cidx[i].size, in) != 1) {
|
||||
goto fail2;
|
||||
};
|
||||
+ if (cidx[i].offset < 0 || cidx[i].size < 0)
|
||||
+ goto fail2;
|
||||
};
|
||||
*chunkIdx = cidx;
|
||||
};
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index ed2c35b..b582266 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -129,7 +129,8 @@ endif
|
||||
|
||||
if HAVE_LIBZ
|
||||
check_PROGRAMS += \
|
||||
- gd2/gd2_null
|
||||
+ gd2/gd2_null \
|
||||
+ gd2/gd2_read_corrupt
|
||||
endif
|
||||
|
||||
if HAVE_LIBPNG
|
||||
diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
|
||||
new file mode 100644
|
||||
index 0000000..11f6a67
|
||||
--- /dev/null
|
||||
+++ b/tests/gd2/gd2_read_corrupt.c
|
||||
@@ -0,0 +1,25 @@
|
||||
+/* Just try to read the invalid gd2 image & not crash. */
|
||||
+#include "gd.h"
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include "gdtest.h"
|
||||
+
|
||||
+int main()
|
||||
+{
|
||||
+ gdImagePtr im;
|
||||
+ FILE *fp;
|
||||
+ char path[1024];
|
||||
+
|
||||
+ /* Read the corrupt image. */
|
||||
+ sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
|
||||
+ fp = fopen(path, "rb");
|
||||
+ if (!fp) {
|
||||
+ printf("failed, cannot open file\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
+ im = gdImageCreateFromGd2(fp);
|
||||
+ fclose(fp);
|
||||
+
|
||||
+ /* Should have failed & rejected it. */
|
||||
+ return im == NULL ? 0 : 1;
|
||||
+}
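Review bot: The new test builds the fixture path with an unbounded `sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR)` into `char path[1024]`, so a long build directory overflows a stack buffer in the very test that exists to catch an overflow; use `snprintf` and fail on truncation: `if (snprintf(path, sizeof path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR) >= (int)sizeof path) { printf("failed, path too long\n"); return 1; }`. On the library side, the `cidx[i].offset < 0 || cidx[i].size < 0` rejection says nothing about why; a comment such as `/* index entries come straight from the file; reject negative offsets/sizes (CVE-2016-3074) */` ties it to the advisory the spec cites. Whether a zero size or an offset past the end of the file also needs rejecting is decided by code outside this hunk.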
|
||||
|
71
gd.spec
71
gd.spec
|
@ -5,7 +5,7 @@
|
|||
Summary: A graphics library for quick creation of PNG or JPEG images
|
||||
Name: gd
|
||||
Version: 2.1.1
|
||||
Release: 4%{?prever}%{?short}%{?dist}
|
||||
Release: 11%{?prever}%{?short}%{?dist}
|
||||
Group: System Environment/Libraries
|
||||
License: MIT
|
||||
URL: http://libgd.bitbucket.org/
|
||||
|
@ -18,9 +18,38 @@ Source0: https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}%{
|
|||
%endif
|
||||
# Missing in official archive, need for autoreconf
|
||||
Source2: getver.pl
|
||||
# Test data for CVE-2016-3074 test
|
||||
Source3: invalid_neg_size.gd2
|
||||
# Test data for CVE-2016-6161 test
|
||||
Source4: bug00209.gd2
|
||||
|
||||
Patch1: gd-2.1.0-multilib.patch
|
||||
Patch2: gd-2.1.1-libvpx.patch
|
||||
# CVE-2016-3074
|
||||
Patch3: gd-heap-overflow.patch
|
||||
# CVE-2015-8877
|
||||
# (included in patch gd-2.2.3-CVE-2016-6207.patch)
|
||||
#Patch4: gd-2.1.1-gdImagreScaleTwoPass-leak.patch
|
||||
# CVE-2016-5116
|
||||
Patch5: gd-2.1.1-xbm-large-names-overflow.patch
|
||||
# CVE-2015-8874
|
||||
Patch6: gd-2.1.1-CVE-2015-8874.patch
|
||||
# CVE-2016-5766
|
||||
Patch7: gd-2.1.1-CVE-2016-5766.patch
|
||||
# CVE-2016-6161
|
||||
Patch8: gd-2.2.3-CVE-2016-6161.patch
|
||||
# CVE-2016-6207
|
||||
# cherry-picked 0dd40 d3258 ff911 f60ec 7a28c commits from libgd master
|
||||
Patch9: gd-2.2.3-CVE-2016-6207.patch
|
||||
# CVE-2016-7568
|
||||
Patch10: gd-2.2.3-overflow-in-gdImageWebpCtx.patch
|
||||
# CVE-2016-8670
|
||||
Patch11: gd-2.2.3-dynamicGetbuf-negative-rlen.patch
|
||||
# CVE-2016-6911
|
||||
# TODO - created by one of upstream maintainers, but not in upstream yet
|
||||
# https://github.com/libgd/libgd/pull/353
|
||||
Patch12: gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
|
||||
|
||||
|
||||
BuildRequires: freetype-devel
|
||||
BuildRequires: fontconfig-devel
|
||||
|
@ -79,10 +108,22 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
|
|||
%setup -q -n libgd-%{version}%{?prever:-%{prever}}
|
||||
%patch1 -p1 -b .mlib
|
||||
%patch2 -p1 -b .vpx
|
||||
%patch3 -p1
|
||||
#%patch4 -p1 -b .image-scale
|
||||
%patch5 -p1 -b .xbm-overflow
|
||||
%patch6 -p1 -b .cve-2015-8874
|
||||
%patch7 -p1 -b .cve-2016-5766
|
||||
%patch8 -p1 -b .cve-2016-6161
|
||||
%patch9 -p1 -b .cve-2016-6207
|
||||
%patch10 -p1 -b .gdImageWebpCtx
|
||||
%patch11 -p1 -b .dynamicGetbuf
|
||||
# Patch5 adds some non-text files (.tiff)
|
||||
patch -p1 --binary < %{PATCH12}
|
||||
|
||||
# Workaround for missing file
|
||||
cp %{SOURCE2} config/getver.pl
|
||||
|
||||
|
||||
: $(perl config/getver.pl)
|
||||
|
||||
: regenerate autotool stuff
|
||||
|
@ -117,6 +158,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a
|
|||
|
||||
|
||||
%check
|
||||
cp %SOURCE3 tests/gd2/
|
||||
cp %SOURCE4 tests/gif/
|
||||
|
||||
: Upstream test suite
|
||||
make check
|
||||
|
||||
|
@ -147,6 +191,31 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Dec 06 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-11
|
||||
- Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)
|
||||
- Fix stack based buffer overflow when passing negative `rlen` as size to
|
||||
memcpy() (CVE-2016-8670)
|
||||
- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)
|
||||
|
||||
* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-10
|
||||
- Fix CVE-2016-6207
|
||||
|
||||
* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-9
|
||||
- Fix out of bounds read when encoding gif from malformed input with gd2togif
|
||||
(CVE-2016-6161)
|
||||
|
||||
* Tue Jun 28 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-8
|
||||
- fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)
|
||||
|
||||
* Fri Jun 24 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-7
|
||||
- fix for stack overflow with gdImageFillToBorder (CVE-2015-8874)
|
||||
|
||||
* Tue May 31 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-6
|
||||
- Backported fixes of two memory leaks (CVE-2015-8877, CVE-2016-5116)
|
||||
|
||||
* Thu Apr 28 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-5
|
||||
- Fixed heap overflow (CVE-2016-3074)
|
||||
|
||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
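Review bot: The comment above the binary patch application, `# Patch5 adds some non-text files (.tiff)`, names the wrong patch: the command on the next line applies `%{PATCH12}` (the CVE-2016-6911 TIFF fix), while Patch5 is the xbm large-names patch already applied by `%patch5` a few lines earlier; it should read `# Patch12 adds some non-text files (.tiff), so apply it with --binary`. That `patch -p1 --binary` call also skips the `-b .suffix` backup every other patch uses, and `%patch3 -p1` is the only %patch line without one, which leaves the prep section inconsistent. The disabled `#Patch4: gd-2.1.1-gdImagreScaleTwoPass-leak.patch` line carries a typo (gdImagre) and, being superseded by Patch9 per its own comment, could be dropped rather than left commented out.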
|
||||
|
||||
|
|