diff options
Diffstat (limited to 'meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch')
| -rw-r--r-- | meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch | 135 |
1 files changed, 0 insertions, 135 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch deleted file mode 100644 index 8b6de9711..000000000 --- a/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch +++ /dev/null | |||
| @@ -1,135 +0,0 @@ | |||
| 1 | From 58b6dde319c301b0eae27d12e2a659e067d80558 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: "Christoph M. Becker" <cmbecker69@gmx.de> | ||
| 3 | Date: Tue, 16 Aug 2016 16:26:19 +0200 | ||
| 4 | Subject: [PATCH] Fix OOB reads of the TGA decompression buffer | ||
| 5 | |||
| 6 | It is possible to craft TGA files which will overflow the decompression | ||
| 7 | buffer, but not the image's bitmap. Therefore we also have to check for | ||
| 8 | potential decompression buffer overflows. | ||
| 9 | |||
| 10 | This issue had been reported by Ibrahim El-Sayed to security@libgd.org; | ||
| 11 | a modified case exposing an off-by-one error of the first patch had been | ||
| 12 | provided by Konrad Beckmann. | ||
| 13 | |||
| 14 | This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906 | ||
| 15 | as well. | ||
| 16 | |||
| 17 | Upstream-Status: Backport | ||
| 18 | CVE: CVE-2016-6906 | ||
| 19 | |||
| 20 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
| 21 | --- | ||
| 22 | src/gd_tga.c | 8 +++++++- | ||
| 23 | tests/tga/Makemodule.am | 3 ++- | ||
| 24 | tests/tga/heap_overflow.c | 16 ++++++++++++---- | ||
| 25 | tests/tga/heap_overflow_1.tga | Bin 0 -> 605 bytes | ||
| 26 | tests/tga/heap_overflow_2.tga | Bin 0 -> 8746 bytes | ||
| 27 | 5 files changed, 21 insertions(+), 6 deletions(-) | ||
| 28 | create mode 100644 tests/tga/heap_overflow_1.tga | ||
| 29 | create mode 100644 tests/tga/heap_overflow_2.tga | ||
| 30 | |||
| 31 | diff --git a/src/gd_tga.c b/src/gd_tga.c | ||
| 32 | index 68e4b17..f80f0b1 100644 | ||
| 33 | --- a/src/gd_tga.c | ||
| 34 | +++ b/src/gd_tga.c | ||
| 35 | @@ -295,7 +295,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) | ||
| 36 | buffer_caret = 0; | ||
| 37 | |||
| 38 | while( bitmap_caret < image_block_size ) { | ||
| 39 | - | ||
| 40 | + | ||
| 41 | + if (buffer_caret + pixel_block_size > rle_size) { | ||
| 42 | + gdFree( decompression_buffer ); | ||
| 43 | + gdFree( conversion_buffer ); | ||
| 44 | + return -1; | ||
| 45 | + } | ||
| 46 | + | ||
| 47 | if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) { | ||
| 48 | encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 ); | ||
| 49 | buffer_caret++; | ||
| 50 | diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am | ||
| 51 | index 916d707..ab08dbf 100644 | ||
| 52 | --- a/tests/tga/Makemodule.am | ||
| 53 | +++ b/tests/tga/Makemodule.am | ||
| 54 | @@ -15,7 +15,8 @@ EXTRA_DIST += \ | ||
| 55 | tga/bug00247a.tga \ | ||
| 56 | tga/bug00248.tga \ | ||
| 57 | tga/bug00248a.tga \ | ||
| 58 | - tga/heap_overflow.tga \ | ||
| 59 | + tga/heap_overflow_1.tga \ | ||
| 60 | + tga/heap_overflow_2.tga \ | ||
| 61 | tga/tga_read_rgb.png \ | ||
| 62 | tga/tga_read_rgb.tga \ | ||
| 63 | tga/tga_read_rgb_rle.tga | ||
| 64 | diff --git a/tests/tga/heap_overflow.c b/tests/tga/heap_overflow.c | ||
| 65 | index 0e9a2d0..ddd4b63 100644 | ||
| 66 | --- a/tests/tga/heap_overflow.c | ||
| 67 | +++ b/tests/tga/heap_overflow.c | ||
| 68 | @@ -1,5 +1,5 @@ | ||
| 69 | /** | ||
| 70 | - * Test that the crafted TGA file doesn't trigger OOB reads. | ||
| 71 | + * Test that crafted TGA files don't trigger OOB reads. | ||
| 72 | */ | ||
| 73 | |||
| 74 | |||
| 75 | @@ -7,21 +7,29 @@ | ||
| 76 | #include "gdtest.h" | ||
| 77 | |||
| 78 | |||
| 79 | +static void check_file(char *basename); | ||
| 80 | static size_t read_test_file(char **buffer, char *basename); | ||
| 81 | |||
| 82 | |||
| 83 | int main() | ||
| 84 | { | ||
| 85 | + check_file("heap_overflow_1.tga"); | ||
| 86 | + check_file("heap_overflow_2.tga"); | ||
| 87 | + | ||
| 88 | + return gdNumFailures(); | ||
| 89 | +} | ||
| 90 | + | ||
| 91 | + | ||
| 92 | +static void check_file(char *basename) | ||
| 93 | +{ | ||
| 94 | gdImagePtr im; | ||
| 95 | char *buffer; | ||
| 96 | size_t size; | ||
| 97 | |||
| 98 | - size = read_test_file(&buffer, "heap_overflow.tga"); | ||
| 99 | + size = read_test_file(&buffer, basename); | ||
| 100 | im = gdImageCreateFromTgaPtr(size, (void *) buffer); | ||
| 101 | gdTestAssert(im == NULL); | ||
| 102 | free(buffer); | ||
| 103 | - | ||
| 104 | - return gdNumFailures(); | ||
| 105 | } | ||
| 106 | |||
| 107 | |||
| 108 | diff --git a/tests/tga/heap_overflow_1.tga b/tests/tga/heap_overflow_1.tga | ||
| 109 | new file mode 100644 | ||
| 110 | index 0000000000000000000000000000000000000000..e9bc0ecb2a847ac6edba92dd0ff61167b49002cd | ||
| 111 | GIT binary patch | ||
| 112 | literal 605 | ||
| 113 | zcmZQz;9`IQ9tIu;g&7<$F3o7Yg1qzyh6tefy9wZAs2d<Uh*yuz=?XwW4Qvuv#g2nS | ||
| 114 | zp93+mT0rVR>T&8(2TGy=f_l)@gSap~$FayUFu(!|SyJIFga^{8fGj~vwq8kkVgvv> | ||
| 115 | Cavop+ | ||
| 116 | |||
| 117 | literal 0 | ||
| 118 | HcmV?d00001 | ||
| 119 | |||
| 120 | diff --git a/tests/tga/heap_overflow_2.tga b/tests/tga/heap_overflow_2.tga | ||
| 121 | new file mode 100644 | ||
| 122 | index 0000000000000000000000000000000000000000..2b681f2df8941d6823aa761be0a7fa3c02c92cbf | ||
| 123 | GIT binary patch | ||
| 124 | literal 8746 | ||
| 125 | zcmeIxF$#b%6a>*<djij4?cuz+Vi5?!RIY)@*eDAQ@`zPSwQE1NTI<YQEqdQG#s5@h | ||
| 126 | zwDFtAoIjm)CIQa|$z*q(vz}DbnPjrN&RI{Y=}a=&UFWPP)joCZ<31}ey8!(}FZZ71 | ||
| 127 | zWop>#e)AY=opmMw&j!h4cb&7IRMVMcvb)Y%PpaumGTB|{tS8lUCYkK6bJmk;IzMDC | ||
| 128 | D4PYIN | ||
| 129 | |||
| 130 | literal 0 | ||
| 131 | HcmV?d00001 | ||
| 132 | |||
| 133 | -- | ||
| 134 | 2.10.2 | ||
| 135 | |||