summary refs log tree commit diff
path: root/gnu/packages/patches/gd-CVE-2016-3074.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/gd-CVE-2016-3074.patch')
-rw-r--r--gnu/packages/patches/gd-CVE-2016-3074.patch36
1 files changed, 36 insertions, 0 deletions
diff --git a/gnu/packages/patches/gd-CVE-2016-3074.patch b/gnu/packages/patches/gd-CVE-2016-3074.patch
new file mode 100644
index 0000000000..a90c51d77b
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-3074.patch
@@ -0,0 +1,36 @@
+Adapted from upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19
+(gd2: handle corrupt images better (CVE-2016-3074)).
+
+This patch omits the upstream changes to '.gitignore', and the test
+added in files 'tests/Makefile.am', 'tests/gd2/gd2_read_corrupt.c', and
+'tests/gd2/invalid_neg_size.gd2'.
+
+We omit the test because its input data,
+'tests/gd2/invalid_neg_size.gd2', is provided as a binary Git diff,
+which is not supported by `patch`.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
+https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
+---
+ .gitignore                     |   1 +
+ src/gd_gd2.c                   |   2 ++
+ tests/Makefile.am              |   3 ++-
+ tests/gd2/gd2_read_corrupt.c   |  25 +++++++++++++++++++++++++
+ tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
+ 5 files changed, 30 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gd2/gd2_read_corrupt.c
+ create mode 100644 tests/gd2/invalid_neg_size.gd2
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 6f28461..a50b33d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ 			if (gdGetInt (&cidx[i].size, in) != 1) {
+ 				goto fail2;
+ 			};
++			if (cidx[i].offset < 0 || cidx[i].size < 0)
++				goto fail2;
+ 		};
+ 		*chunkIdx = cidx;
+ 	};