[arch-commits] Commit in gd/trunk (CVE-2016-3074.patch PKGBUILD)

Pierre Schmitz pierre at archlinux.org
Fri May 6 08:34:45 UTC 2016


    Date: Friday, May 6, 2016 @ 10:34:45
  Author: pierre
Revision: 267011

Fix CVE-2016-3074

Added:
  gd/trunk/CVE-2016-3074.patch
Modified:
  gd/trunk/PKGBUILD

---------------------+
 CVE-2016-3074.patch |  104 ++++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD            |    8 ++-
 2 files changed, 109 insertions(+), 3 deletions(-)

Added: CVE-2016-3074.patch
===================================================================
--- CVE-2016-3074.patch	                        (rev 0)
+++ CVE-2016-3074.patch	2016-05-06 08:34:45 UTC (rev 267011)
@@ -0,0 +1,105 @@
+From 2bb97f407c1145c850416a3bfbcc8cf124e68a19 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier at gentoo.org>
+Date: Sat, 16 Apr 2016 03:51:22 -0400
+Subject: gd2: handle corrupt images better (CVE-2016-3074)
+
+Make sure we do some range checking on corrupted chunks.
+
+Thanks to Hans Jerry Illikainen <hji at dyntopia.com> for indepth report
+and reproducer information.  Made for easy test case writing :).
+---
+ .gitignore                     |   1 +
+ src/gd_gd2.c                   |   2 ++
+ tests/Makefile.am              |   3 ++-
+ tests/gd2/gd2_read_corrupt.c   |  25 +++++++++++++++++++++++++
+ tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
+ 5 files changed, 30 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gd2/gd2_read_corrupt.c
+ create mode 100644 tests/gd2/invalid_neg_size.gd2
+
+diff --git a/.gitignore b/.gitignore
+index a68f3b9..35acd71 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -150,6 +150,7 @@ Makefile.in
+ /tests/gd2/gd2_im2im
+ /tests/gd2/gd2_null
+ /tests/gd2/gd2_read
++/tests/gd2/gd2_read_corrupt
+ /tests/gdimagearc/bug00079
+ /tests/gdimageline/gdimageline_aa
+ /tests/gdimageline/bug00072
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 6f28461..a50b33d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ 			if (gdGetInt (&cidx[i].size, in) != 1) {
+ 				goto fail2;
+ 			};
++			if (cidx[i].offset < 0 || cidx[i].size < 0)
++				goto fail2;
+ 		};
+ 		*chunkIdx = cidx;
+ 	};
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index ed2c35b..b582266 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -129,7 +129,8 @@ endif
+ 
+ if HAVE_LIBZ
+ check_PROGRAMS += \
+-	gd2/gd2_null
++	gd2/gd2_null \
++	gd2/gd2_read_corrupt
+ endif
+ 
+ if HAVE_LIBPNG
+diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
+new file mode 100644
+index 0000000..11f6a67
+--- /dev/null
++++ b/tests/gd2/gd2_read_corrupt.c
+@@ -0,0 +1,25 @@
++/* Just try to read the invalid gd2 image & not crash. */
++#include "gd.h"
++#include <stdio.h>
++#include <stdlib.h>
++#include "gdtest.h"
++
++int main()
++{
++	gdImagePtr im;
++	FILE *fp;
++	char path[1024];
++
++	/* Read the corrupt image. */
++	sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
++	fp = fopen(path, "rb");
++	if (!fp) {
++		printf("failed, cannot open file\n");
++		return 1;
++	}
++	im = gdImageCreateFromGd2(fp);
++	fclose(fp);
++
++	/* Should have failed & rejected it. */
++	return im == NULL ? 0 : 1;
++}
+diff --git a/tests/gd2/invalid_neg_size.gd2 b/tests/gd2/invalid_neg_size.gd2
+new file mode 100644
+index 0000000..3075f15
+--- /dev/null
++++ b/tests/gd2/invalid_neg_size.gd2
+@@ -0,0 +1,5 @@
++gd2     @     )   o  ˜ÿÿÿÿ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
                                                                      xd ›ÿAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAéeß²l”P¬ƒñtoWØ;`å`è8jTH×Ôöð#&? åÏYøëŠ$ÄT­/ê	”göBƒf<7““k°‚¾ÔŸ<Pù¹âçùÖyÛÀðì¤Ã)`9“ŒÈê°˜Ö
++ÔBE3?sÑì¾´yhcÜã7K+`rq´¡Òä×ë’WEEþb‰É2SŽJ÷MXnx´ÔŠâÕàHªµV¤QpY×ñô^ÒlNl©˜·j³‹â…cF
++Yãµ^o;rÆÏ5xòœ%Ñ<Ž1Ýv¿µ‹|?±$¯]Ö¢™Õ÷â÷ª­ñƒ¨ŸR¤]èŒÓÑ͇¦}Ñ¥‰Ö9$«,wÊ[jAóò[Üž”„=©ýÎëƒÁ3Û«>.~!ƧX™æ­ûãåYº& [T7S­öI‡&Š	ü7`M1lOÄTa$Í®Žé
++²aeÊïÊ…¾‡Á~¦Æ}ûi¾}‹„[)N÷Ëæ+%s75'=‡_ïҍ‹»È½yMD1`»t÷òî·ØÆÈ
++p~,`:?©aÏVÖ?ñ˜*èžè›P×ÃIYbßËÏ°<§S$Vÿ6P¾¼á7Ü{9–¡6Ñ1¹=áDæC 1}•X~P”¬þÛö»IŽvÍÇ3ŸðßoGK­
+xØ1*x–Í	Ø
+\ No newline at end of file
+-- 
+2.8.2
+

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2016-05-06 07:46:14 UTC (rev 267010)
+++ PKGBUILD	2016-05-06 08:34:45 UTC (rev 267011)
@@ -2,7 +2,7 @@
 
 pkgname=gd
 pkgver=2.1.1
-pkgrel=3
+pkgrel=4
 pkgdesc="Library for the dynamic creation of images by programmers"
 arch=('i686' 'x86_64')
 url="http://www.libgd.org/"
@@ -11,14 +11,16 @@
 makedepends=('git')
 optdepends=('perl: bdftogd script')
 source=("${pkgname}::git+https://github.com/libgd/libgd.git#tag=${pkgname}-${pkgver}"
-        gd-2.1.1-libvpx-1.4.0.patch)
+        'gd-2.1.1-libvpx-1.4.0.patch' 'CVE-2016-3074.patch')
 md5sums=('SKIP'
-         '9114dd8259aaa88b0a09188fe7b19afc')
+         '9114dd8259aaa88b0a09188fe7b19afc'
+         '60d9ef94a60d9a77232b79da4b80626e')
 
 prepare() {
   cd ${pkgname}
   ./bootstrap.sh
   patch -p1 -i "${srcdir}/gd-2.1.1-libvpx-1.4.0.patch"
+  patch -p1 -i "${srcdir}/CVE-2016-3074.patch"
 }
 
 build() {



More information about the arch-commits mailing list