summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/gd-CVE-2016-5766.patch
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2016-07-15 14:48:09 -0400
committerLeo Famulari <leo@famulari.name>2016-07-16 12:49:22 -0400
commita1537ac2bae1d7eae39188317daf1186a673e6a2 (patch)
tree3c5e48205ba2b657d4f8627461dd83e4db31b95e /gnu/packages/patches/gd-CVE-2016-5766.patch
parentb9174ff4493b8c502c06f8ba80183115f542d90c (diff)
gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}.
* gnu/packages/patches/gd-CVE-2016-5766.patch, gnu/packages/patches/gd-CVE-2016-6128.patch, gnu/packages/patches/gd-CVE-2016-6132.patch, gnu/packages/patches/gd-CVE-2016-6214.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gd.scm (gd): Use patches.
Diffstat (limited to 'gnu/packages/patches/gd-CVE-2016-5766.patch')
-rw-r--r--gnu/packages/patches/gd-CVE-2016-5766.patch81
1 files changed, 81 insertions, 0 deletions
diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch
new file mode 100644
index 0000000000..400cb0ab48
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-5766.patch
@@ -0,0 +1,81 @@
+Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
+overflow).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
+
+Adapted from upstream commits:
+https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
+https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
+
+Since `patch` cannot apply Git binary diffs, we omit the addition of
+'tests/gd2/php_bug_72339.c' and its associated binary data.
+
+From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 28 Jun 2016 16:23:42 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+ _gd2GetHeader() resulting in heap overflow
+
+---
+ src/gd_gd2.c | 5 ++++-
+ tests/gd2/CMakeLists.txt | 1 +
+ tests/gd2/Makemodule.am | 6 ++++--
+ tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
+ tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
+ 5 files changed, 30 insertions(+), 3 deletions(-)
+ create mode 100644 tests/gd2/php_bug_72339.c
+ create mode 100644 tests/gd2/php_bug_72339_exp.gd2
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index fd1e0c9..bdbbecf 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ nc = (*ncx) * (*ncy);
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ sidx = sizeof (t_chunk_info) * nc;
++ if (overflow2(sidx, nc)) {
++ goto fail1;
++ }
+ cidx = gdCalloc (sidx, 1);
+- if (!cidx) {
++ if (cidx == NULL) {
+ goto fail1;
+ }
+ for (i = 0; i < nc; i++) {
+From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Wed, 29 Jun 2016 09:36:26 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+ _gd2GetHeader() resulting in heap overflow. Sync with php's sync
+
+---
+ src/gd_gd2.c | 7 ++++++-
+ tests/gd2/php_bug_72339.c | 2 +-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index bdbbecf..2837456 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+
+ if (gd2_compressed (*fmt)) {
+ nc = (*ncx) * (*ncy);
++
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
++ if (overflow2(sizeof(t_chunk_info), nc)) {
++ goto fail1;
++ }
+ sidx = sizeof (t_chunk_info) * nc;
+- if (overflow2(sidx, nc)) {
++ if (sidx <= 0) {
+ goto fail1;
+ }
++
+ cidx = gdCalloc (sidx, 1);
+ if (cidx == NULL) {
+ goto fail1;
+--
+2.9.1
+