summary refs log tree commit diff
path: root/gnu/packages/patches/gd-CVE-2016-5766.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/gd-CVE-2016-5766.patch')
-rw-r--r--gnu/packages/patches/gd-CVE-2016-5766.patch81
1 files changed, 0 insertions, 81 deletions
diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch
deleted file mode 100644
index 400cb0ab48..0000000000
--- a/gnu/packages/patches/gd-CVE-2016-5766.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
-overflow).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
-
-Adapted from upstream commits:
-https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
-https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
-
-Since `patch` cannot apply Git binary diffs, we omit the addition of
-'tests/gd2/php_bug_72339.c' and its associated binary data.
-
-From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Tue, 28 Jun 2016 16:23:42 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow
-
----
- src/gd_gd2.c                    |   5 ++++-
- tests/gd2/CMakeLists.txt        |   1 +
- tests/gd2/Makemodule.am         |   6 ++++--
- tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
- tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
- 5 files changed, 30 insertions(+), 3 deletions(-)
- create mode 100644 tests/gd2/php_bug_72339.c
- create mode 100644 tests/gd2/php_bug_72339_exp.gd2
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index fd1e0c9..bdbbecf 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 		nc = (*ncx) * (*ncy);
- 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
- 		sidx = sizeof (t_chunk_info) * nc;
-+		if (overflow2(sidx, nc)) {
-+			goto fail1;
-+		}
- 		cidx = gdCalloc (sidx, 1);
--		if (!cidx) {
-+		if (cidx == NULL) {
- 			goto fail1;
- 		}
- 		for (i = 0; i < nc; i++) {
-From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Wed, 29 Jun 2016 09:36:26 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow. Sync with php's sync
-
----
- src/gd_gd2.c              | 7 ++++++-
- tests/gd2/php_bug_72339.c | 2 +-
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index bdbbecf..2837456 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 
- 	if (gd2_compressed (*fmt)) {
- 		nc = (*ncx) * (*ncy);
-+
- 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
-+		if (overflow2(sizeof(t_chunk_info), nc)) {
-+			goto fail1;
-+		}
- 		sidx = sizeof (t_chunk_info) * nc;
--		if (overflow2(sidx, nc)) {
-+		if (sidx <= 0) {
- 			goto fail1;
- 		}
-+
- 		cidx = gdCalloc (sidx, 1);
- 		if (cidx == NULL) {
- 			goto fail1;
--- 
-2.9.1
-