diff options
author | Leo Famulari <leo@famulari.name> | 2016-07-15 14:48:09 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2016-07-16 12:49:22 -0400 |
commit | a1537ac2bae1d7eae39188317daf1186a673e6a2 (patch) | |
tree | 3c5e48205ba2b657d4f8627461dd83e4db31b95e /gnu/packages/patches/gd-CVE-2016-6214.patch | |
parent | b9174ff4493b8c502c06f8ba80183115f542d90c (diff) | |
download | guix-a1537ac2bae1d7eae39188317daf1186a673e6a2.tar.gz |
gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}.
* gnu/packages/patches/gd-CVE-2016-5766.patch, gnu/packages/patches/gd-CVE-2016-6128.patch, gnu/packages/patches/gd-CVE-2016-6132.patch, gnu/packages/patches/gd-CVE-2016-6214.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gd.scm (gd): Use patches.
Diffstat (limited to 'gnu/packages/patches/gd-CVE-2016-6214.patch')
-rw-r--r-- | gnu/packages/patches/gd-CVE-2016-6214.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/gnu/packages/patches/gd-CVE-2016-6214.patch b/gnu/packages/patches/gd-CVE-2016-6214.patch new file mode 100644 index 0000000000..7894a32bb1 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-6214.patch @@ -0,0 +1,66 @@ +Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214 + +Adapted from upstream commit: +https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308 + +Since `patch` cannot apply Git binary diffs, we omit the addition of +'tests/tga/bug00247a.c' and its associated binary data. + +From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 12 Jul 2016 19:23:13 +0200 +Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error + gracefully + +Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are +really supported. All other combinations will be rejected with a warning. + +(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9) +--- + src/gd_tga.c | 16 ++++++---------- + tests/tga/.gitignore | 1 + + tests/tga/CMakeLists.txt | 1 + + tests/tga/Makemodule.am | 4 +++- + tests/tga/bug00247a.c | 19 +++++++++++++++++++ + tests/tga/bug00247a.tga | Bin 0 -> 36 bytes + 6 files changed, 30 insertions(+), 11 deletions(-) + create mode 100644 tests/tga/bug00247a.c + create mode 100644 tests/tga/bug00247a.tga + +diff --git a/src/gd_tga.c b/src/gd_tga.c +index 20fe2d2..b4f8fa6 100644 +--- a/src/gd_tga.c ++++ b/src/gd_tga.c +@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx) + if (tga->bits == TGA_BPP_24) { + *tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]); + bitmap_caret += 3; +- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) { ++ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) { + register int a = tga->bitmap[bitmap_caret + 3]; + + *tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1)); +@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga) + printf("wxh: %i %i\n", tga->width, tga->height); + #endif + +- switch(tga->bits) { +- case 8: +- case 16: +- case 24: +- case 32: +- break; +- default: +- gd_error("bps %i not supported", tga->bits); ++ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0) ++ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8))) ++ { ++ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n", ++ tga->bits, tga->alphabits); + return -1; +- break; + } + + tga->ident = NULL; |