path: root/gnu/packages/patches/gd-CVE-2016-3074.patch
blob: a90c51d77b203690f1ef6cbb86912ee575d0941b
Adapted from upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19
(gd2: handle corrupt images better (CVE-2016-3074)).

This patch omits the upstream changes to '.gitignore', and the test
added in files 'tests/Makefile.am', 'tests/gd2/gd2_read_corrupt.c', and
'tests/gd2/invalid_neg_size.gd2'.

We omit the test because its input data,
'tests/gd2/invalid_neg_size.gd2', is provided as a binary Git diff,
which is not supported by `patch`.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
---
 .gitignore                     |   1 +
 src/gd_gd2.c                   |   2 ++
 tests/Makefile.am              |   3 ++-
 tests/gd2/gd2_read_corrupt.c   |  25 +++++++++++++++++++++++++
 tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
 5 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 tests/gd2/gd2_read_corrupt.c
 create mode 100644 tests/gd2/invalid_neg_size.gd2

diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index 6f28461..a50b33d 100644
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
 			if (gdGetInt (&cidx[i].size, in) != 1) {
 				goto fail2;
 			};
+			if (cidx[i].offset < 0 || cidx[i].size < 0)
+				goto fail2;
 		};
 		*chunkIdx = cidx;
 	};
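Review bot: the new guard after `gdGetInt (&cidx[i].size, in)` only rejects negative values, so an arbitrarily large non-negative `offset` or `size` still passes; since both are signed ints, `offset + size` can still wrap or point past the end of the input, and a bound against the actual data length (where the chunk index is later consumed) would close the remaining gap for corrupt gd2 files. The added `if` also omits the braces that every surrounding `if` in this block uses; for consistency with the file's style, write `if (cidx[i].offset < 0 || cidx[i].size < 0) { goto fail2; }`.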