summary refs log tree commit diff
path: root/gnu/packages/patches/gd-CVE-2016-6132.patch
blob: 4c475b71b29d44485a0c35b6d251cda6910ab191 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132

Copied from upstream commit:
https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d

From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Tue, 12 Jul 2016 11:24:09 +0200
Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
 files (CVE-2016-6132)

---
 src/gd_tga.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/gd_tga.c b/src/gd_tga.c
index ef20f86..20fe2d2 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
 			return -1;
 		}
 
-		gdGetBuf(conversion_buffer, image_block_size, ctx);
+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+			gd_error("gd-tga: premature end of image data\n");
+			gdFree(conversion_buffer);
+			return -1;
+		}
 
 		while (buffer_caret < image_block_size) {
 			tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
 		}
 		conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
 		if (conversion_buffer == NULL) {
+			gd_error("gd-tga: premature end of image data\n");
 			gdFree( decompression_buffer );
 			return -1;
 		}
 
-		gdGetBuf( conversion_buffer, image_block_size, ctx );
+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+			gdFree(conversion_buffer);
+			gdFree(decompression_buffer);
+			return -1;
+		}
 
 		buffer_caret = 0;
 
-- 
2.9.1