gd: Fix CVE-2018-14553

Backport fix from upstream to fix NULL pointer dereference. Upstream-Status: Backport CVE: CVE-2018-14553 Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Sakib Sajal <sakib.sajal@windriver.com> 2020-03-18 12:54:36 -0700
committer: Khem Raj <raj.khem@gmail.com> 2020-03-18 15:35:33 -0700
commit: e6b805c3b2ab8ceb153d87caa7d8187252c94cdd (patch)
tree: c7b4f016b632edfd442d8414c15edc1b4ba5bb70 /meta-oe
parent: 568684f14d6b1e8658293dddfc4491883becd96d (diff)
download: meta-openembedded-e6b805c3b2ab8ceb153d87caa7d8187252c94cdd.tar.gz
2 files changed, 111 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch b/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch
new file mode 100644
index 000000000..344f34feb
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch
@@ -0,0 +1,110 @@
+From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
+Date: Fri, 20 Dec 2019 12:03:33 -0300
+Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
+---
+ src/gd.c                          |  9 +--------
+ tests/gdimageclone/.gitignore     |  1 +
+ tests/gdimageclone/CMakeLists.txt |  1 +
+ tests/gdimageclone/Makemodule.am  |  3 ++-
+ tests/gdimageclone/style.c        | 30 ++++++++++++++++++++++++++++++
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+ create mode 100644 tests/gdimageclone/style.c
+diff --git a/src/gd.c b/src/gd.c
+index 592a028..d564d1f 100644
+--- a/src/gd.c
+++ b/src/gd.c
+@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+                }
+        }
+ 
+-       if (src->styleLength > 0) {
+-               dst->styleLength = src->styleLength;
+-               dst->stylePos    = src->stylePos;
+-               for (i = 0; i < src->styleLength; i++) {
+-                       dst->style[i] = src->style[i];
+-               }
+-       }
+-
+        dst->interlace   = src->interlace;
+ 
+        dst->alphaBlendingFlag = src->alphaBlendingFlag;
+@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ 
+        if (src->style) {
+                gdImageSetStyle(dst, src->style, src->styleLength);
+               dst->stylePos = src->stylePos;
+        }
+ 
+        for (i = 0; i < gdMaxColors; i++) {
+diff --git a/tests/gdimageclone/.gitignore b/tests/gdimageclone/.gitignore
+index a70782d..f4129cc 100644
+--- a/tests/gdimageclone/.gitignore
+++ b/tests/gdimageclone/.gitignore
+@@ -1 +1,2 @@
+ /bug00300
+/style
+diff --git a/tests/gdimageclone/CMakeLists.txt b/tests/gdimageclone/CMakeLists.txt
+index e6ccc31..662f4e9 100644
+--- a/tests/gdimageclone/CMakeLists.txt
+++ b/tests/gdimageclone/CMakeLists.txt
+@@ -1,5 +1,6 @@
+ LIST(APPEND TESTS_FILES
+        bug00300
+       style
+ )
+ 
+ ADD_GD_TESTS()
+diff --git a/tests/gdimageclone/Makemodule.am b/tests/gdimageclone/Makemodule.am
+index 4b1b54c..51abf5c 100644
+--- a/tests/gdimageclone/Makemodule.am
+++ b/tests/gdimageclone/Makemodule.am
+@@ -1,5 +1,6 @@
+ libgd_test_programs += \
+-       gdimageclone/bug00300
+       gdimageclone/bug00300 \
+       gdimageclone/style
+ 
+ EXTRA_DIST += \
+        gdimageclone/CMakeLists.txt
+diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c
+new file mode 100644
+index 0000000..c2b246e
+--- /dev/null
+++ b/tests/gdimageclone/style.c
+@@ -0,0 +1,30 @@
+/**
+ * Cloning an image should exactly reproduce all style related data
+ */
+
+
+#include <string.h>
+#include "gd.h"
+#include "gdtest.h"
+
+
+int main()
+{
+    gdImagePtr im, clone;
+    int style[] = {0, 0, 0};
+
+    im = gdImageCreate(8, 8);
+    gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0]));
+
+    clone = gdImageClone(im);
+    gdTestAssert(clone != NULL);
+
+    gdTestAssert(clone->styleLength == im->styleLength);
+    gdTestAssert(clone->stylePos == im->stylePos);
+    gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0])));
+
+    gdImageDestroy(clone);
+    gdImageDestroy(im);
+
+    return gdNumFailures();
+}
+-- 
+2.20.1
diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.2.5.bb
index dda2e67d6..a665de4bf 100644
--- a/meta-oe/recipes-support/gd/gd_2.2.5.bb
+++ b/meta-oe/recipes-support/gd/gd_2.2.5.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
           file://CVE-2018-1000222.patch \
           file://CVE-2019-6978.patch \
           file://CVE-2017-6363.patch \
+           file://CVE-2018-14553.patch \
          "
 SRCREV = "8255231b68889597d04d451a72438ab92a405aba"
author	Sakib Sajal <sakib.sajal@windriver.com>	2020-03-18 12:54:36 -0700
committer	Khem Raj <raj.khem@gmail.com>	2020-03-18 15:35:33 -0700
commit	e6b805c3b2ab8ceb153d87caa7d8187252c94cdd (patch)
tree	c7b4f016b632edfd442d8414c15edc1b4ba5bb70 /meta-oe
parent	568684f14d6b1e8658293dddfc4491883becd96d (diff)
download	meta-openembedded-e6b805c3b2ab8ceb153d87caa7d8187252c94cdd.tar.gz

diff --git a/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch b/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch new file mode 100644 index 000000000..344f34feb --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch
@@ -0,0 +1,110 @@
		1	From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
		3	Date: Fri, 20 Dec 2019 12:03:33 -0300
		4	Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
		5
		6	---
		7	src/gd.c \| 9 +--------
		8	tests/gdimageclone/.gitignore \| 1 +
		9	tests/gdimageclone/CMakeLists.txt \| 1 +
		10	tests/gdimageclone/Makemodule.am \| 3 ++-
		11	tests/gdimageclone/style.c \| 30 ++++++++++++++++++++++++++++++
		12	5 files changed, 35 insertions(+), 9 deletions(-)
		13	create mode 100644 tests/gdimageclone/style.c
		14
		15	diff --git a/src/gd.c b/src/gd.c
		16	index 592a028..d564d1f 100644
		17	--- a/src/gd.c
		18	+++ b/src/gd.c
		19	@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
		20	}
		21	}
		22
		23	- if (src->styleLength > 0) {
		24	- dst->styleLength = src->styleLength;
		25	- dst->stylePos = src->stylePos;
		26	- for (i = 0; i < src->styleLength; i++) {
		27	- dst->style[i] = src->style[i];
		28	- }
		29	- }
		30	-
		31	dst->interlace = src->interlace;
		32
		33	dst->alphaBlendingFlag = src->alphaBlendingFlag;
		34	@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
		35
		36	if (src->style) {
		37	gdImageSetStyle(dst, src->style, src->styleLength);
		38	+ dst->stylePos = src->stylePos;
		39	}
		40
		41	for (i = 0; i < gdMaxColors; i++) {
		42	diff --git a/tests/gdimageclone/.gitignore b/tests/gdimageclone/.gitignore
		43	index a70782d..f4129cc 100644
		44	--- a/tests/gdimageclone/.gitignore
		45	+++ b/tests/gdimageclone/.gitignore
		46	@@ -1 +1,2 @@
		47	/bug00300
		48	+/style
		49	diff --git a/tests/gdimageclone/CMakeLists.txt b/tests/gdimageclone/CMakeLists.txt
		50	index e6ccc31..662f4e9 100644
		51	--- a/tests/gdimageclone/CMakeLists.txt
		52	+++ b/tests/gdimageclone/CMakeLists.txt
		53	@@ -1,5 +1,6 @@
		54	LIST(APPEND TESTS_FILES
		55	bug00300
		56	+ style
		57	)
		58
		59	ADD_GD_TESTS()
		60	diff --git a/tests/gdimageclone/Makemodule.am b/tests/gdimageclone/Makemodule.am
		61	index 4b1b54c..51abf5c 100644
		62	--- a/tests/gdimageclone/Makemodule.am
		63	+++ b/tests/gdimageclone/Makemodule.am
		64	@@ -1,5 +1,6 @@
		65	libgd_test_programs += \
		66	- gdimageclone/bug00300
		67	+ gdimageclone/bug00300 \
		68	+ gdimageclone/style
		69
		70	EXTRA_DIST += \
		71	gdimageclone/CMakeLists.txt
		72	diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c
		73	new file mode 100644
		74	index 0000000..c2b246e
		75	--- /dev/null
		76	+++ b/tests/gdimageclone/style.c
		77	@@ -0,0 +1,30 @@
		78	+/**
		79	+ * Cloning an image should exactly reproduce all style related data
		80	+ */
		81	+
		82	+
		83	+#include <string.h>
		84	+#include "gd.h"
		85	+#include "gdtest.h"
		86	+
		87	+
		88	+int main()
		89	+{
		90	+ gdImagePtr im, clone;
		91	+ int style[] = {0, 0, 0};
		92	+
		93	+ im = gdImageCreate(8, 8);
		94	+ gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0]));
		95	+
		96	+ clone = gdImageClone(im);
		97	+ gdTestAssert(clone != NULL);
		98	+
		99	+ gdTestAssert(clone->styleLength == im->styleLength);
		100	+ gdTestAssert(clone->stylePos == im->stylePos);
		101	+ gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0])));
		102	+
		103	+ gdImageDestroy(clone);
		104	+ gdImageDestroy(im);
		105	+
		106	+ return gdNumFailures();
		107	+}
		108	--
		109	2.20.1
		110


diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.2.5.bb index dda2e67d6..a665de4bf 100644 --- a/meta-oe/recipes-support/gd/gd_2.2.5.bb +++ b/meta-oe/recipes-support/gd/gd_2.2.5.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
18	file://CVE-2018-1000222.patch \	18	file://CVE-2018-1000222.patch \
19	file://CVE-2019-6978.patch \	19	file://CVE-2019-6978.patch \
20	file://CVE-2017-6363.patch \	20	file://CVE-2017-6363.patch \
		21	file://CVE-2018-14553.patch \
21	"	22	"
22		23
23	SRCREV = "8255231b68889597d04d451a72438ab92a405aba"	24	SRCREV = "8255231b68889597d04d451a72438ab92a405aba"