diff options
Diffstat (limited to 'meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch')
-rw-r--r-- | meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch | 135 |
1 files changed, 0 insertions, 135 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch deleted file mode 100644 index 8b6de9711..000000000 --- a/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch +++ /dev/null | |||
@@ -1,135 +0,0 @@ | |||
1 | From 58b6dde319c301b0eae27d12e2a659e067d80558 Mon Sep 17 00:00:00 2001 | ||
2 | From: "Christoph M. Becker" <cmbecker69@gmx.de> | ||
3 | Date: Tue, 16 Aug 2016 16:26:19 +0200 | ||
4 | Subject: [PATCH] Fix OOB reads of the TGA decompression buffer | ||
5 | |||
6 | It is possible to craft TGA files which will overflow the decompression | ||
7 | buffer, but not the image's bitmap. Therefore we also have to check for | ||
8 | potential decompression buffer overflows. | ||
9 | |||
10 | This issue had been reported by Ibrahim El-Sayed to security@libgd.org; | ||
11 | a modified case exposing an off-by-one error of the first patch had been | ||
12 | provided by Konrad Beckmann. | ||
13 | |||
14 | This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906 | ||
15 | as well. | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | CVE: CVE-2016-6906 | ||
19 | |||
20 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
21 | --- | ||
22 | src/gd_tga.c | 8 +++++++- | ||
23 | tests/tga/Makemodule.am | 3 ++- | ||
24 | tests/tga/heap_overflow.c | 16 ++++++++++++---- | ||
25 | tests/tga/heap_overflow_1.tga | Bin 0 -> 605 bytes | ||
26 | tests/tga/heap_overflow_2.tga | Bin 0 -> 8746 bytes | ||
27 | 5 files changed, 21 insertions(+), 6 deletions(-) | ||
28 | create mode 100644 tests/tga/heap_overflow_1.tga | ||
29 | create mode 100644 tests/tga/heap_overflow_2.tga | ||
30 | |||
31 | diff --git a/src/gd_tga.c b/src/gd_tga.c | ||
32 | index 68e4b17..f80f0b1 100644 | ||
33 | --- a/src/gd_tga.c | ||
34 | +++ b/src/gd_tga.c | ||
35 | @@ -295,7 +295,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) | ||
36 | buffer_caret = 0; | ||
37 | |||
38 | while( bitmap_caret < image_block_size ) { | ||
39 | - | ||
40 | + | ||
41 | + if (buffer_caret + pixel_block_size > rle_size) { | ||
42 | + gdFree( decompression_buffer ); | ||
43 | + gdFree( conversion_buffer ); | ||
44 | + return -1; | ||
45 | + } | ||
46 | + | ||
47 | if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) { | ||
48 | encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 ); | ||
49 | buffer_caret++; | ||
50 | diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am | ||
51 | index 916d707..ab08dbf 100644 | ||
52 | --- a/tests/tga/Makemodule.am | ||
53 | +++ b/tests/tga/Makemodule.am | ||
54 | @@ -15,7 +15,8 @@ EXTRA_DIST += \ | ||
55 | tga/bug00247a.tga \ | ||
56 | tga/bug00248.tga \ | ||
57 | tga/bug00248a.tga \ | ||
58 | - tga/heap_overflow.tga \ | ||
59 | + tga/heap_overflow_1.tga \ | ||
60 | + tga/heap_overflow_2.tga \ | ||
61 | tga/tga_read_rgb.png \ | ||
62 | tga/tga_read_rgb.tga \ | ||
63 | tga/tga_read_rgb_rle.tga | ||
64 | diff --git a/tests/tga/heap_overflow.c b/tests/tga/heap_overflow.c | ||
65 | index 0e9a2d0..ddd4b63 100644 | ||
66 | --- a/tests/tga/heap_overflow.c | ||
67 | +++ b/tests/tga/heap_overflow.c | ||
68 | @@ -1,5 +1,5 @@ | ||
69 | /** | ||
70 | - * Test that the crafted TGA file doesn't trigger OOB reads. | ||
71 | + * Test that crafted TGA files don't trigger OOB reads. | ||
72 | */ | ||
73 | |||
74 | |||
75 | @@ -7,21 +7,29 @@ | ||
76 | #include "gdtest.h" | ||
77 | |||
78 | |||
79 | +static void check_file(char *basename); | ||
80 | static size_t read_test_file(char **buffer, char *basename); | ||
81 | |||
82 | |||
83 | int main() | ||
84 | { | ||
85 | + check_file("heap_overflow_1.tga"); | ||
86 | + check_file("heap_overflow_2.tga"); | ||
87 | + | ||
88 | + return gdNumFailures(); | ||
89 | +} | ||
90 | + | ||
91 | + | ||
92 | +static void check_file(char *basename) | ||
93 | +{ | ||
94 | gdImagePtr im; | ||
95 | char *buffer; | ||
96 | size_t size; | ||
97 | |||
98 | - size = read_test_file(&buffer, "heap_overflow.tga"); | ||
99 | + size = read_test_file(&buffer, basename); | ||
100 | im = gdImageCreateFromTgaPtr(size, (void *) buffer); | ||
101 | gdTestAssert(im == NULL); | ||
102 | free(buffer); | ||
103 | - | ||
104 | - return gdNumFailures(); | ||
105 | } | ||
106 | |||
107 | |||
108 | diff --git a/tests/tga/heap_overflow_1.tga b/tests/tga/heap_overflow_1.tga | ||
109 | new file mode 100644 | ||
110 | index 0000000000000000000000000000000000000000..e9bc0ecb2a847ac6edba92dd0ff61167b49002cd | ||
111 | GIT binary patch | ||
112 | literal 605 | ||
113 | zcmZQz;9`IQ9tIu;g&7<$F3o7Yg1qzyh6tefy9wZAs2d<Uh*yuz=?XwW4Qvuv#g2nS | ||
114 | zp93+mT0rVR>T&8(2TGy=f_l)@gSap~$FayUFu(!|SyJIFga^{8fGj~vwq8kkVgvv> | ||
115 | Cavop+ | ||
116 | |||
117 | literal 0 | ||
118 | HcmV?d00001 | ||
119 | |||
120 | diff --git a/tests/tga/heap_overflow_2.tga b/tests/tga/heap_overflow_2.tga | ||
121 | new file mode 100644 | ||
122 | index 0000000000000000000000000000000000000000..2b681f2df8941d6823aa761be0a7fa3c02c92cbf | ||
123 | GIT binary patch | ||
124 | literal 8746 | ||
125 | zcmeIxF$#b%6a>*<djij4?cuz+Vi5?!RIY)@*eDAQ@`zPSwQE1NTI<YQEqdQG#s5@h | ||
126 | zwDFtAoIjm)CIQa|$z*q(vz}DbnPjrN&RI{Y=}a=&UFWPP)joCZ<31}ey8!(}FZZ71 | ||
127 | zWop>#e)AY=opmMw&j!h4cb&7IRMVMcvb)Y%PpaumGTB|{tS8lUCYkK6bJmk;IzMDC | ||
128 | D4PYIN | ||
129 | |||
130 | literal 0 | ||
131 | HcmV?d00001 | ||
132 | |||
133 | -- | ||
134 | 2.10.2 | ||
135 | |||