mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-04 14:39:54 +00:00
gd : CVE-2016-10167, CVE-2016-10168
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file. Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10167 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10168 Upstream patches: https://github.com/libgd/libgd/commit/fe9ed49dafa993e3af96b6a5a589efeea9bfb36f https://github.com/libgd/libgd/commit/69d2fd2c597ffc0c217de1238b9bf4d4bceba8e6 Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This commit is contained in:
Catalin Enache
committed by
Martin Jansa
Martin Jansa
parent
dcd6d5b240
commit
f66465d4d5
@@ -0,0 +1,48 @@
|
|||||||
|
From 6ab531ef0d82efb9e00236ee5ea23928335d221f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Catalin Enache <catalin.enache@windriver.com>
|
||||||
|
Date: Fri, 7 Apr 2017 12:30:22 +0300
|
||||||
|
Subject: [PATCH] Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
|
||||||
|
|
||||||
|
We must not pretend that there are image data if there are none. Instead
|
||||||
|
we fail reading the image file gracefully.
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
CVE: CVE-2016-10167
|
||||||
|
|
||||||
|
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
|
||||||
|
---
|
||||||
|
src/gd_gd2.c | 14 ++++++--------
|
||||||
|
1 file changed, 6 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
||||||
|
index 8df93c1..bae65ea 100644
|
||||||
|
--- a/src/gd_gd2.c
|
||||||
|
+++ b/src/gd_gd2.c
|
||||||
|
@@ -445,18 +445,16 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
|
||||||
|
|
||||||
|
if (im->trueColor) {
|
||||||
|
if (!gdGetInt (&im->tpixels[y][x], in)) {
|
||||||
|
- /*printf("EOF while reading\n"); */
|
||||||
|
- /*gdImageDestroy(im); */
|
||||||
|
- /*return 0; */
|
||||||
|
- im->tpixels[y][x] = 0;
|
||||||
|
+ gd_error("gd2: EOF while reading\n");
|
||||||
|
+ gdImageDestroy(im);
|
||||||
|
+ return NULL;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
int ch;
|
||||||
|
if (!gdGetByte (&ch, in)) {
|
||||||
|
- /*printf("EOF while reading\n"); */
|
||||||
|
- /*gdImageDestroy(im); */
|
||||||
|
- /*return 0; */
|
||||||
|
- ch = 0;
|
||||||
|
+ gd_error("gd2: EOF while reading\n");
|
||||||
|
+ gdImageDestroy(im);
|
||||||
|
+ return NULL;
|
||||||
|
}
|
||||||
|
im->pixels[y][x] = ch;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.10.2
|
||||||
|
|
||||||
@@ -0,0 +1,38 @@
|
|||||||
|
From 2d37bdc03a6e2b820fe380016f22592a7733e0be Mon Sep 17 00:00:00 2001
|
||||||
|
From: Catalin Enache <catalin.enache@windriver.com>
|
||||||
|
Date: Fri, 7 Apr 2017 12:32:49 +0300
|
||||||
|
Subject: [PATCH] Fix #354: Signed Integer Overflow gd_io.c
|
||||||
|
|
||||||
|
GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
|
||||||
|
byte unsigned). These values are multiplied and assigned to an int when
|
||||||
|
reading the image, what can cause integer overflows. We have to avoid
|
||||||
|
that, and also make sure that either chunk count is actually greater
|
||||||
|
than zero. If illegal chunk counts are detected, we bail out from
|
||||||
|
reading the image.
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
CVE: CVE-2016-10168
|
||||||
|
|
||||||
|
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
|
||||||
|
---
|
||||||
|
src/gd_gd2.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
||||||
|
index bae65ea..9006bd2 100644
|
||||||
|
--- a/src/gd_gd2.c
|
||||||
|
+++ b/src/gd_gd2.c
|
||||||
|
@@ -151,6 +151,10 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
||||||
|
GD2_DBG (printf ("%d Chunks vertically\n", *ncy));
|
||||||
|
|
||||||
|
if (gd2_compressed (*fmt)) {
|
||||||
|
+ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
|
||||||
|
+ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
|
||||||
|
+ goto fail1;
|
||||||
|
+ }
|
||||||
|
nc = (*ncx) * (*ncy);
|
||||||
|
|
||||||
|
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
|
||||||
|
--
|
||||||
|
2.10.2
|
||||||
|
|
||||||
@@ -14,7 +14,9 @@ DEPENDS = "freetype libpng jpeg zlib tiff"
|
|||||||
|
|
||||||
SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
|
SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
|
||||||
file://fix-gcc-unused-functions.patch \
|
file://fix-gcc-unused-functions.patch \
|
||||||
file://CVE-2016-10166.patch"
|
file://CVE-2016-10166.patch \
|
||||||
|
file://CVE-2016-10167.patch \
|
||||||
|
file://CVE-2016-10168.patch"
|
||||||
|
|
||||||
SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c"
|
SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user