gd : CVE-2016-10166

Integer underflow in the _gdContributionsAlloc function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors related to decrementing the u variable. Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10166 Upstream patch: https://github.com/libgd/libgd/commit/60bfb401ad5a4a8ae995dcd36372fe15c71e1a35 Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Catalin Enache <catalin.enache@windriver.com> 2017-04-06 14:08:36 +0300
committer: Martin Jansa <Martin.Jansa@gmail.com> 2017-04-18 14:21:38 +0200
commit: f882211c14507894248bb4ff064153b242d1d9d7 (patch)
tree: 0b8edd0d3881228e68b0643a1e2fc5540e9e8228
parent: eb97a736f339c70a102cc07871be7da3b711b68c (diff)
download: meta-openembedded-f882211c14507894248bb4ff064153b242d1d9d7.tar.gz
2 files changed, 62 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch
new file mode 100644
index 000000000..7ccfbeabc
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch
@@ -0,0 +1,60 @@
+From c92240c1670c20c2f854761d3a89ab61dd158c91 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 6 Aug 2016 10:08:53 +0200
+Subject: [PATCH] Fix potential unsigned underflow
+No need to decrease `u`, so we don't do it. While we're at it, we also factor
+out the overflow check of the loop, what improves performance and readability.
+This issue has been reported by Stefan Esser to security@libgd.org.
+Upstream-Status: Backport
+CVE: CVE-2016-10166
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/gd_interpolation.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index 7e7943d..9944349 100644
+--- a/src/gd_interpolation.c
+++ b/src/gd_interpolation.c
+@@ -829,8 +829,13 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ {
+        unsigned int u = 0;
+        LineContribType *res;
+-       int overflow_error = 0;
+       size_t weights_size;
+ 
+       if (overflow2(windows_size, sizeof(double))) {
+               return NULL;
+       } else {
+               weights_size = windows_size * sizeof(double);
+       }
+        res = (LineContribType *) gdMalloc(sizeof(LineContribType));
+        if (!res) {
+                return NULL;
+@@ -847,15 +852,11 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+                return NULL;
+        }
+        for (u = 0 ; u < line_length ; u++) {
+-               if (overflow2(windows_size, sizeof(double))) {
+-                       overflow_error = 1;
+-               } else {
+-                       res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+-               }
+-               if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
+               res->ContribRow[u].Weights = (double *) gdMalloc(weights_size);
+               if (res->ContribRow[u].Weights == NULL) {
+                        unsigned int i;
+-                       u--;
+-                       for (i=0;i<=u;i++) {
+
+                       for (i=0;i<u;i++) {
+                                gdFree(res->ContribRow[i].Weights);
+                        }
+                        gdFree(res->ContribRow);
+-- 
+2.10.2
diff --git a/meta-oe/recipes-support/gd/gd_2.2.3.bb b/meta-oe/recipes-support/gd/gd_2.2.3.bb
index c5aff6616..4ff6b756a 100644
--- a/meta-oe/recipes-support/gd/gd_2.2.3.bb
+++ b/meta-oe/recipes-support/gd/gd_2.2.3.bb
@@ -13,7 +13,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c97638cafd3581eb87abd37332137669"
 DEPENDS = "freetype libpng jpeg zlib tiff"
 SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
-           file://fix-gcc-unused-functions.patch"
+           file://fix-gcc-unused-functions.patch \
+           file://CVE-2016-10166.patch"
 SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c"
author	Catalin Enache <catalin.enache@windriver.com>	2017-04-06 14:08:36 +0300
committer	Martin Jansa <Martin.Jansa@gmail.com>	2017-04-18 14:21:38 +0200
commit	f882211c14507894248bb4ff064153b242d1d9d7 (patch)
tree	0b8edd0d3881228e68b0643a1e2fc5540e9e8228
parent	eb97a736f339c70a102cc07871be7da3b711b68c (diff)
download	meta-openembedded-f882211c14507894248bb4ff064153b242d1d9d7.tar.gz

diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch new file mode 100644 index 000000000..7ccfbeabc --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch
@@ -0,0 +1,60 @@
		1	From c92240c1670c20c2f854761d3a89ab61dd158c91 Mon Sep 17 00:00:00 2001
		2	From: "Christoph M. Becker" <cmbecker69@gmx.de>
		3	Date: Sat, 6 Aug 2016 10:08:53 +0200
		4	Subject: [PATCH] Fix potential unsigned underflow
		5
		6	No need to decrease `u`, so we don't do it. While we're at it, we also factor
		7	out the overflow check of the loop, what improves performance and readability.
		8
		9	This issue has been reported by Stefan Esser to security@libgd.org.
		10
		11	Upstream-Status: Backport
		12	CVE: CVE-2016-10166
		13
		14	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
		15	---
		16	src/gd_interpolation.c \| 19 ++++++++++---------
		17	1 file changed, 10 insertions(+), 9 deletions(-)
		18
		19	diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
		20	index 7e7943d..9944349 100644
		21	--- a/src/gd_interpolation.c
		22	+++ b/src/gd_interpolation.c
		23	@@ -829,8 +829,13 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
		24	{
		25	unsigned int u = 0;
		26	LineContribType *res;
		27	- int overflow_error = 0;
		28	+ size_t weights_size;
		29
		30	+ if (overflow2(windows_size, sizeof(double))) {
		31	+ return NULL;
		32	+ } else {
		33	+ weights_size = windows_size * sizeof(double);
		34	+ }
		35	res = (LineContribType *) gdMalloc(sizeof(LineContribType));
		36	if (!res) {
		37	return NULL;
		38	@@ -847,15 +852,11 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
		39	return NULL;
		40	}
		41	for (u = 0 ; u < line_length ; u++) {
		42	- if (overflow2(windows_size, sizeof(double))) {
		43	- overflow_error = 1;
		44	- } else {
		45	- res->ContribRow[u].Weights = (double ) gdMalloc(windows_size sizeof(double));
		46	- }
		47	- if (overflow_error == 1 \|\| res->ContribRow[u].Weights == NULL) {
		48	+ res->ContribRow[u].Weights = (double *) gdMalloc(weights_size);
		49	+ if (res->ContribRow[u].Weights == NULL) {
		50	unsigned int i;
		51	- u--;
		52	- for (i=0;i<=u;i++) {
		53	+
		54	+ for (i=0;i<u;i++) {
		55	gdFree(res->ContribRow[i].Weights);
		56	}
		57	gdFree(res->ContribRow);
		58	--
		59	2.10.2
		60


diff --git a/meta-oe/recipes-support/gd/gd_2.2.3.bb b/meta-oe/recipes-support/gd/gd_2.2.3.bb index c5aff6616..4ff6b756a 100644 --- a/meta-oe/recipes-support/gd/gd_2.2.3.bb +++ b/meta-oe/recipes-support/gd/gd_2.2.3.bb
@@ -13,7 +13,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c97638cafd3581eb87abd37332137669"
13	DEPENDS = "freetype libpng jpeg zlib tiff"	13	DEPENDS = "freetype libpng jpeg zlib tiff"
14		14
15	SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \	15	SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
16	file://fix-gcc-unused-functions.patch"	16	file://fix-gcc-unused-functions.patch \
		17	file://CVE-2016-10166.patch"
17		18
18	SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c"	19	SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c"
19		20