diff options
author | Leo Famulari <leo@famulari.name> | 2016-09-29 11:32:34 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2016-10-01 12:27:37 -0400 |
commit | 917de2511b21fa95d82f199d98e00b420ec20e3e (patch) | |
tree | 87af7b3cd9daf646ba0cdb0f3f120252bc646164 /gnu/packages/patches | |
parent | 43f7af428e139f64b9ec229eb74918e328a63a5a (diff) | |
download | guix-917de2511b21fa95d82f199d98e00b420ec20e3e.tar.gz |
gnu: gd: Fix CVE-2016-7568.
* gnu/packages/patches/gd-CVE-2016-7568.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gd.scm (gd)[source]: Use it.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/gd-CVE-2016-7568.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/gnu/packages/patches/gd-CVE-2016-7568.patch b/gnu/packages/patches/gd-CVE-2016-7568.patch new file mode 100644 index 0000000000..6a1a63296c --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-7568.patch @@ -0,0 +1,44 @@ +Fix CVE-2016-7568 (integer overflow in gdImageWebpCtx()): + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7568 + +Patch copied from upstream source repository: + +https://github.com/libgd/libgd/commit/2806adfdc27a94d333199345394d7c302952b95f + +From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001 +From: trylab <trylab@users.noreply.github.com> +Date: Tue, 6 Sep 2016 18:35:32 +0800 +Subject: [PATCH] Fix integer overflow in gdImageWebpCtx + +Integer overflow can be happened in expression gdImageSX(im) * 4 * +gdImageSY(im). It could lead to heap buffer overflow in the following +code. This issue has been reported to the PHP Bug Tracking System. The +proof-of-concept file will be supplied some days later. This issue was +discovered by Ke Liu of Tencent's Xuanwu LAB. +--- + src/gd_webp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/gd_webp.c b/src/gd_webp.c +index 8eb4dee..9886399 100644 +--- a/src/gd_webp.c ++++ b/src/gd_webp.c +@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality) + quality = 80; + } + ++ if (overflow2(gdImageSX(im), 4)) { ++ return; ++ } ++ ++ if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) { ++ return; ++ } ++ + argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im)); + if (!argb) { + return; +-- +2.10.0 + |