mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-27 14:52:05 -05:00
a1537ac2ba
* gnu/packages/patches/gd-CVE-2016-5766.patch, gnu/packages/patches/gd-CVE-2016-6128.patch, gnu/packages/patches/gd-CVE-2016-6132.patch, gnu/packages/patches/gd-CVE-2016-6214.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gd.scm (gd): Use patches.
81 lines
2.5 KiB
Diff
81 lines
2.5 KiB
Diff
Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
|
|
overflow).
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
|
|
|
|
Adapted from upstream commits:
|
|
https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
|
|
https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
|
|
|
|
Since `patch` cannot apply Git binary diffs, we omit the addition of
|
|
'tests/gd2/php_bug_72339.c' and its associated binary data.
|
|
|
|
From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
|
|
From: Pierre Joye <pierre.php@gmail.com>
|
|
Date: Tue, 28 Jun 2016 16:23:42 +0700
|
|
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
|
|
_gd2GetHeader() resulting in heap overflow
|
|
|
|
---
|
|
src/gd_gd2.c | 5 ++++-
|
|
tests/gd2/CMakeLists.txt | 1 +
|
|
tests/gd2/Makemodule.am | 6 ++++--
|
|
tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
|
|
tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
|
|
5 files changed, 30 insertions(+), 3 deletions(-)
|
|
create mode 100644 tests/gd2/php_bug_72339.c
|
|
create mode 100644 tests/gd2/php_bug_72339_exp.gd2
|
|
|
|
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
|
index fd1e0c9..bdbbecf 100644
|
|
--- a/src/gd_gd2.c
|
|
+++ b/src/gd_gd2.c
|
|
@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
|
nc = (*ncx) * (*ncy);
|
|
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
|
|
sidx = sizeof (t_chunk_info) * nc;
|
|
+ if (overflow2(sidx, nc)) {
|
|
+ goto fail1;
|
|
+ }
|
|
cidx = gdCalloc (sidx, 1);
|
|
- if (!cidx) {
|
|
+ if (cidx == NULL) {
|
|
goto fail1;
|
|
}
|
|
for (i = 0; i < nc; i++) {
|
|
From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
|
|
From: Pierre Joye <pierre.php@gmail.com>
|
|
Date: Wed, 29 Jun 2016 09:36:26 +0700
|
|
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
|
|
_gd2GetHeader() resulting in heap overflow. Sync with php's sync
|
|
|
|
---
|
|
src/gd_gd2.c | 7 ++++++-
|
|
tests/gd2/php_bug_72339.c | 2 +-
|
|
2 files changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
|
index bdbbecf..2837456 100644
|
|
--- a/src/gd_gd2.c
|
|
+++ b/src/gd_gd2.c
|
|
@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
|
|
|
if (gd2_compressed (*fmt)) {
|
|
nc = (*ncx) * (*ncy);
|
|
+
|
|
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
|
|
+ if (overflow2(sizeof(t_chunk_info), nc)) {
|
|
+ goto fail1;
|
|
+ }
|
|
sidx = sizeof (t_chunk_info) * nc;
|
|
- if (overflow2(sidx, nc)) {
|
|
+ if (sidx <= 0) {
|
|
goto fail1;
|
|
}
|
|
+
|
|
cidx = gdCalloc (sidx, 1);
|
|
if (cidx == NULL) {
|
|
goto fail1;
|
|
--
|
|
2.9.1
|
|
|