summary refs log tree commit diff
path: root/gnu/packages/patches/gd-CVE-2016-6128.patch
blob: 45ee6b0cfa3744a9f1947b24bc2143dbc7dcbcf1 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
Fix CVE-2016-6128 (invalid color index is not properly handled leading
to denial of service).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6128

Copied from upstream commits:
https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd

From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:17:39 +0700
Subject: [PATCH 1/8] fix php 72494, invalid color index not handled, can lead
 to crash

---
 src/gd_crop.c        | 4 ++++
 tests/CMakeLists.txt | 1 +
 tests/Makefile.am    | 1 +
 3 files changed, 6 insertions(+)

diff --git a/src/gd_crop.c b/src/gd_crop.c
index 0296633..532b49b 100644
--- a/src/gd_crop.c
+++ b/src/gd_crop.c
@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
 		return NULL;
 	}
 
+	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
+		return NULL;
+	}
+
 	/* TODO: Add gdImageGetRowPtr and works with ptr at the row level
 	 * for the true color and palette images
 	 * new formats will simply work with ptr
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 6f5c786..5093d52 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -31,6 +31,7 @@ if (BUILD_TEST)
 		gdimagecolortransparent
 		gdimagecopy
 		gdimagecopyrotated
+        gdimagecrop
 		gdimagefile
 		gdimagefill
 		gdimagefilledellipse
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 4f6e756..5a0ebe8 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -25,6 +25,7 @@ include gdimagecolorresolve/Makemodule.am
 include gdimagecolortransparent/Makemodule.am
 include gdimagecopy/Makemodule.am
 include gdimagecopyrotated/Makemodule.am
+include gdimagecrop/Makemodule.am
 include gdimagefile/Makemodule.am
 include gdimagefill/Makemodule.am
 include gdimagefilledellipse/Makemodule.am
-- 
2.9.1

From 8c9f39c7cb1f62ea00bc7a48aff64d3811c2d6d0 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:20:07 +0700
Subject: [PATCH 2/8] fix php 72494, invalid color index not handled, can lead
 to crash

---
 tests/gdimagecrop/.gitignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 tests/gdimagecrop/.gitignore

diff --git a/tests/gdimagecrop/.gitignore b/tests/gdimagecrop/.gitignore
new file mode 100644
index 0000000..8e8c9c3
--- /dev/null
+++ b/tests/gdimagecrop/.gitignore
@@ -0,0 +1 @@
+/php_bug_72494
-- 
2.9.1

From 8de370b7b6263a02268037a7cd13ddd991b43ea9 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:24:50 +0700
Subject: [PATCH 3/8] fix php 72494, invalid color index not handled, can lead
 to crash

---
 tests/gdimagecrop/CMakeLists.txt | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 tests/gdimagecrop/CMakeLists.txt

diff --git a/tests/gdimagecrop/CMakeLists.txt b/tests/gdimagecrop/CMakeLists.txt
new file mode 100644
index 0000000..f7e4c7e
--- /dev/null
+++ b/tests/gdimagecrop/CMakeLists.txt
@@ -0,0 +1,5 @@
+SET(TESTS_FILES
+	php_bug_72494
+)
+
+ADD_GD_TESTS()
-- 
2.9.1

From bca12e4e11ecda8a0ea719472700ad5c2b36a0d6 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:25:12 +0700
Subject: [PATCH 4/8] fix php 72494, invalid color index not handled, can lead
 to crash

---
 tests/gdimagecrop/Makemodule.am | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 tests/gdimagecrop/Makemodule.am

diff --git a/tests/gdimagecrop/Makemodule.am b/tests/gdimagecrop/Makemodule.am
new file mode 100644
index 0000000..210888b
--- /dev/null
+++ b/tests/gdimagecrop/Makemodule.am
@@ -0,0 +1,5 @@
+libgd_test_programs += \
+	gdimagecrop/php_bug_72494
+
+EXTRA_DIST += \
+	gdimagecrop/CMakeLists.txt
-- 
2.9.1

From 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:25:40 +0700
Subject: [PATCH 5/8] fix php 72494, invalid color index not handled, can lead
 to crash

---
 tests/gdimagecrop/php_bug_72494.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 tests/gdimagecrop/php_bug_72494.c

diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
new file mode 100644
index 0000000..adaa379
--- /dev/null
+++ b/tests/gdimagecrop/php_bug_72494.c
@@ -0,0 +1,23 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include "gd.h"
+
+#include "gdtest.h"
+
+int main()
+{
+	gdImagePtr im, exp;
+	int error = 0;
+
+	im = gdImageCreate(50, 50);
+
+	if (!im) {
+		gdTestErrorMsg("gdImageCreate failed.\n");
+		return 1;
+	}
+
+	gdImageCropThreshold(im, 1337, 0);
+	gdImageDestroy(im);
+	/* this bug tests a crash, it never reaches this point if the bug exists*/
+	return 0;
+}
-- 
2.9.1

From a0f9f8f7bd0d3a6c6afd6d180b8e75d93aadddfa Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:38:07 +0700
Subject: [PATCH 6/8] fix php 72494, CID 149753, color is unsigned int, remove
 useless <0 comparison

---
 src/gd_crop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gd_crop.c b/src/gd_crop.c
index 532b49b..d51ad67 100644
--- a/src/gd_crop.c
+++ b/src/gd_crop.c
@@ -136,7 +136,7 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
 		return NULL;
 	}
 
-	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
+	if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
 		return NULL;
 	}
 
-- 
2.9.1

From 907115fbb980862934d0de91af4977a216745039 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:51:40 +0700
Subject: [PATCH 7/8] fix php 72494, CID 149753, color is unsigned int, remove
 useless <0 comparison

---
 tests/gdimagecrop/php_bug_72494.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
index adaa379..5cb589b 100644
--- a/tests/gdimagecrop/php_bug_72494.c
+++ b/tests/gdimagecrop/php_bug_72494.c
@@ -6,7 +6,7 @@
 
 int main()
 {
-	gdImagePtr im, exp;
+	gdImagePtr im;
 	int error = 0;
 
 	im = gdImageCreate(50, 50);
-- 
2.9.1

From fd623025505e87bba7ec8555eeb72dae4fb0afdc Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 12:04:25 +0700
Subject: [PATCH 8/8] fix php 72494, CID 149753, color is unsigned int, remove
 useless <0 comparison

---
 tests/gdimagecrop/php_bug_72494.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
index 5cb589b..3bd19be 100644
--- a/tests/gdimagecrop/php_bug_72494.c
+++ b/tests/gdimagecrop/php_bug_72494.c
@@ -7,7 +7,6 @@
 int main()
 {
 	gdImagePtr im;
-	int error = 0;
 
 	im = gdImageCreate(50, 50);
 
-- 
2.9.1