diff options
| -rw-r--r-- | meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch | 60 | ||||
| -rw-r--r-- | meta-oe/recipes-support/gd/gd_2.2.3.bb | 3 |
2 files changed, 62 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch new file mode 100644 index 000000000..7ccfbeabc --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch | |||
| @@ -0,0 +1,60 @@ | |||
| 1 | From c92240c1670c20c2f854761d3a89ab61dd158c91 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "Christoph M. Becker" <cmbecker69@gmx.de> | ||
| 3 | Date: Sat, 6 Aug 2016 10:08:53 +0200 | ||
| 4 | Subject: [PATCH] Fix potential unsigned underflow | ||
| 5 | |||
| 6 | No need to decrease `u`, so we don't do it. While we're at it, we also factor | ||
| 7 | out the overflow check of the loop, what improves performance and readability. | ||
| 8 | |||
| 9 | This issue has been reported by Stefan Esser to security@libgd.org. | ||
| 10 | |||
| 11 | Upstream-Status: Backport | ||
| 12 | CVE: CVE-2016-10166 | ||
| 13 | |||
| 14 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
| 15 | --- | ||
| 16 | src/gd_interpolation.c | 19 ++++++++++--------- | ||
| 17 | 1 file changed, 10 insertions(+), 9 deletions(-) | ||
| 18 | |||
| 19 | diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c | ||
| 20 | index 7e7943d..9944349 100644 | ||
| 21 | --- a/src/gd_interpolation.c | ||
| 22 | +++ b/src/gd_interpolation.c | ||
| 23 | @@ -829,8 +829,13 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length, | ||
| 24 | { | ||
| 25 | unsigned int u = 0; | ||
| 26 | LineContribType *res; | ||
| 27 | - int overflow_error = 0; | ||
| 28 | + size_t weights_size; | ||
| 29 | |||
| 30 | + if (overflow2(windows_size, sizeof(double))) { | ||
| 31 | + return NULL; | ||
| 32 | + } else { | ||
| 33 | + weights_size = windows_size * sizeof(double); | ||
| 34 | + } | ||
| 35 | res = (LineContribType *) gdMalloc(sizeof(LineContribType)); | ||
| 36 | if (!res) { | ||
| 37 | return NULL; | ||
| 38 | @@ -847,15 +852,11 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length, | ||
| 39 | return NULL; | ||
| 40 | } | ||
| 41 | for (u = 0 ; u < line_length ; u++) { | ||
| 42 | - if (overflow2(windows_size, sizeof(double))) { | ||
| 43 | - overflow_error = 1; | ||
| 44 | - } else { | ||
| 45 | - res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double)); | ||
| 46 | - } | ||
| 47 | - if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) { | ||
| 48 | + res->ContribRow[u].Weights = (double *) gdMalloc(weights_size); | ||
| 49 | + if (res->ContribRow[u].Weights == NULL) { | ||
| 50 | unsigned int i; | ||
| 51 | - u--; | ||
| 52 | - for (i=0;i<=u;i++) { | ||
| 53 | + | ||
| 54 | + for (i=0;i<u;i++) { | ||
| 55 | gdFree(res->ContribRow[i].Weights); | ||
| 56 | } | ||
| 57 | gdFree(res->ContribRow); | ||
| 58 | -- | ||
| 59 | 2.10.2 | ||
| 60 | |||
diff --git a/meta-oe/recipes-support/gd/gd_2.2.3.bb b/meta-oe/recipes-support/gd/gd_2.2.3.bb index c5aff6616..4ff6b756a 100644 --- a/meta-oe/recipes-support/gd/gd_2.2.3.bb +++ b/meta-oe/recipes-support/gd/gd_2.2.3.bb | |||
| @@ -13,7 +13,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c97638cafd3581eb87abd37332137669" | |||
| 13 | DEPENDS = "freetype libpng jpeg zlib tiff" | 13 | DEPENDS = "freetype libpng jpeg zlib tiff" |
| 14 | 14 | ||
| 15 | SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \ | 15 | SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \ |
| 16 | file://fix-gcc-unused-functions.patch" | 16 | file://fix-gcc-unused-functions.patch \ |
| 17 | file://CVE-2016-10166.patch" | ||
| 17 | 18 | ||
| 18 | SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c" | 19 | SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c" |
| 19 | 20 | ||