Date: Friday, May 6, 2016 @ 10:34:45 Author: pierre Revision: 267011 Fix CVE-2016-3074
Added: gd/trunk/CVE-2016-3074.patch
Modified: gd/trunk/PKGBUILD
---------------------+
 CVE-2016-3074.patch | 104 ++++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD | 8 ++-
 2 files changed, 109 insertions(+), 3 deletions(-)
Added: CVE-2016-3074.patch
===================================================================
--- CVE-2016-3074.patch (rev 0)
+++ CVE-2016-3074.patch 2016-05-06 08:34:45 UTC (rev 267011)
@@ -0,0 +1,105 @@
+From 2bb97f407c1145c850416a3bfbcc8cf124e68a19 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vap...@gentoo.org>
+Date: Sat, 16 Apr 2016 03:51:22 -0400
+Subject: gd2: handle corrupt images better (CVE-2016-3074)
+
+Make sure we do some range checking on corrupted chunks.
+
+Thanks to Hans Jerry Illikainen <h...@dyntopia.com> for indepth report
+and reproducer information. Made for easy test case writing :).
+---
+ .gitignore | 1 +
+ src/gd_gd2.c | 2 ++
+ tests/Makefile.am | 3 ++-
+ tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++
+ tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
+ 5 files changed, 30 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gd2/gd2_read_corrupt.c
+ create mode 100644 tests/gd2/invalid_neg_size.gd2
+
+diff --git a/.gitignore b/.gitignore
+index a68f3b9..35acd71 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -150,6 +150,7 @@ Makefile.in
+ /tests/gd2/gd2_im2im
+ /tests/gd2/gd2_null
+ /tests/gd2/gd2_read
++/tests/gd2/gd2_read_corrupt
+ /tests/gdimagearc/bug00079
+ /tests/gdimageline/gdimageline_aa
+ /tests/gdimageline/bug00072
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 6f28461..a50b33d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ if (gdGetInt (&cidx[i].size, in) != 1) {
+ goto fail2;
+ };
++ if (cidx[i].offset < 0 || cidx[i].size < 0)
++ goto fail2;
+ };
+ *chunkIdx = cidx;
+ };
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index ed2c35b..b582266 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -129,7 +129,8 @@ endif
+
+ if HAVE_LIBZ
+ check_PROGRAMS += \
+- gd2/gd2_null
++ gd2/gd2_null \
++ gd2/gd2_read_corrupt
+ endif
+
+ if HAVE_LIBPNG
+diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
+new file mode 100644
+index 0000000..11f6a67
+--- /dev/null
++++ b/tests/gd2/gd2_read_corrupt.c
+@@ -0,0 +1,25 @@
++/* Just try to read the invalid gd2 image & not crash. 
*/ ++#include "gd.h" ++#include <stdio.h> ++#include <stdlib.h> ++#include "gdtest.h" ++ ++int main() ++{ ++ gdImagePtr im; ++ FILE *fp; ++ char path[1024]; ++ ++ /* Read the corrupt image. */ ++ sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR); ++ fp = fopen(path, "rb"); ++ if (!fp) { ++ printf("failed, cannot open file\n"); ++ return 1; ++ } ++ im = gdImageCreateFromGd2(fp); ++ fclose(fp); ++ ++ /* Should have failed & rejected it. */ ++ return im == NULL ? 0 : 1; ++} +diff --git a/tests/gd2/invalid_neg_size.gd2 b/tests/gd2/invalid_neg_size.gd2 +new file mode 100644 +index 0000000..3075f15 +--- /dev/null ++++ b/tests/gd2/invalid_neg_size.gd2 +@@ -0,0 +1,5 @@ ++gd2 @ ) o ����� xd ��AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�e߲l�P���toW�;`�`�8jTH����#&? ��Y���$�T�/� �g�B�f�<7��k���ԟ<P������y������)`9����갘� ++�BE3?s�쾴yhc��7K+`rq��������WEE�b��2S�J�MXnx�Ԋ���H��V�QpY���^�lNl���j����cF ++Y��^o;r��5x��%�<�1�v���|?�$�]֢�������R�]����͇�}ѥ��9$�,w�[jA��[ܞ��=������3۫>.~!ƧX������Y�&�[T7S��I�&� �7`M1�lO�Ta$ͮ�� ++�ae��ʅ���~��}�i�}��[)N���+%s75'=�_�ҍ��ȽyMD1`�t������� ++p~,`:?�a�V�?��*����P��IYb��ϰ<�S$V�6P���7�{9��6�1�=�D�C�1} �X~P������I�v��3���oGK� +x�1*x�� � +\ No newline at end of file +-- +2.8.2 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2016-05-06 07:46:14 UTC (rev 267010) +++ PKGBUILD 2016-05-06 08:34:45 UTC (rev 267011) @@ -2,7 +2,7 @@ pkgname=gd pkgver=2.1.1 -pkgrel=3 +pkgrel=4 pkgdesc="Library for the dynamic creation of images by programmers" arch=('i686' 'x86_64') url="http://www.libgd.org/" 
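Review bot: The new check in `_gd2GetHeader` rejects only negative `cidx[i].offset` and `cidx[i].size`; a large positive pair can still wrap when the two are added, and neither value is bounded against the stream length, so whether an oversized `size` is caught before the chunk is read depends on code outside this hunk. A cheap extra guard on the same line would be `if (cidx[i].offset < 0 || cidx[i].size < 0 || cidx[i].size > INT_MAX - cidx[i].offset)` (needs `<limits.h>` if gd_gd2.c does not already include it). `_gd2GetHeader` starts and ends outside the hunk. In the new test, `sprintf(path, ...)` into `char path[1024]` is unbounded; `snprintf(path, sizeof path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR)` costs nothing, and the non-NULL branch should call `gdImageDestroy(im)` before returning 1 so a regression does not also leak the image.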
@@ -11,14 +11,16 @@
 makedepends=('git')
 optdepends=('perl: bdftogd script')
 source=("${pkgname}::git+https://github.com/libgd/libgd.git#tag=${pkgname}-${pkgver}"
- gd-2.1.1-libvpx-1.4.0.patch)
+ 'gd-2.1.1-libvpx-1.4.0.patch' 'CVE-2016-3074.patch')
 md5sums=('SKIP'
- '9114dd8259aaa88b0a09188fe7b19afc')
+ '9114dd8259aaa88b0a09188fe7b19afc'
+ '60d9ef94a60d9a77232b79da4b80626e')
 prepare() {
 cd ${pkgname}
 ./bootstrap.sh
 patch -p1 -i "${srcdir}/gd-2.1.1-libvpx-1.4.0.patch"
+ patch -p1 -i "${srcdir}/CVE-2016-3074.patch"
 }
 build() {
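Review bot: The integrity of the new `'CVE-2016-3074.patch'` entry rests on `md5sums`, and the git source stays `'SKIP'` pinned to a mutable `#tag=`, so nothing in this hunk verifies what the build actually applies; unless `validpgpkeys` is set outside the hunk, a moved tag or a tampered patch would go unnoticed. makepkg accepts `sha256sums=(...)` in place of `md5sums=(...)` (regenerate the two values with `updpkgsums`), and `#commit=<hash>` in place of `#tag=${pkgname}-${pkgver}` pins the checkout to an immutable object. `build()` opens on the hunk's last line and continues outside it.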