gd: fix CVE-2017-6363

Backport the CVE patch from the upstream to fix the heap-based buffer over-read in tiffWriter. Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Haiqing Bai <Haiqing.Bai@windriver.com> 2020-03-04 14:24:13 +0800
committer: Khem Raj <raj.khem@gmail.com> 2020-03-04 18:54:52 -0800
commit: d16876d77723fa5670c412e76ca8f2ddf1f89a96 (patch)
tree: 8a8e2d5cb81ce86aa205def8541c66a24ac8ae09
parent: 1559cf58103030156c88cd23652ce390c791d7a8 (diff)
download: meta-openembedded-d16876d77723fa5670c412e76ca8f2ddf1f89a96.tar.gz
2 files changed, 36 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
new file mode 100644
index 0000000000..25b5880ff9
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
@@ -0,0 +1,35 @@
+From 8f7b60ea7db87de5df76169e3f3918e401ef8bf7 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 31 Jan 2018 14:50:16 -0500
+Subject: [PATCH] gd/gd2: make sure transparent palette index is within bounds
+ #383
+The gd image formats allow for a palette of 256 colors,
+so if the transparent index is out of range, disable it.
+Upstream-Status: Backport
+[https://github.com/libgd/libgd.git commit:0be86e1926939a98afbd2f3a23c673dfc4df2a7c]
+CVE-2017-6363
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/gd_gd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/gd_gd.c b/src/gd_gd.c
+index f8d39cb..5a86fc3 100644
+--- a/src/gd_gd.c
+++ b/src/gd_gd.c
+@@ -54,7 +54,8 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
+                if (!gdGetWord (&im->transparent, in)) {
+                        goto fail1;
+                }
+-               if (im->transparent == 257) {
+               /* Make sure transparent index is within bounds of the palette. */
+               if (im->transparent >= 256 || im->transparent < 0) {
+                        im->transparent = (-1);
+                }
+        }
+-- 
+1.9.1
diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.2.5.bb
index 35f9bb2516..dda2e67d6d 100644
--- a/meta-oe/recipes-support/gd/gd_2.2.5.bb
+++ b/meta-oe/recipes-support/gd/gd_2.2.5.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
           file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \
           file://CVE-2018-1000222.patch \
           file://CVE-2019-6978.patch \
+           file://CVE-2017-6363.patch \
          "
 SRCREV = "8255231b68889597d04d451a72438ab92a405aba"
author	Haiqing Bai <Haiqing.Bai@windriver.com>	2020-03-04 14:24:13 +0800
committer	Khem Raj <raj.khem@gmail.com>	2020-03-04 18:54:52 -0800
commit	d16876d77723fa5670c412e76ca8f2ddf1f89a96 (patch)
tree	8a8e2d5cb81ce86aa205def8541c66a24ac8ae09
parent	1559cf58103030156c88cd23652ce390c791d7a8 (diff)
download	meta-openembedded-d16876d77723fa5670c412e76ca8f2ddf1f89a96.tar.gz

diff --git a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch new file mode 100644 index 0000000000..25b5880ff9 --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
@@ -0,0 +1,35 @@
		1	From 8f7b60ea7db87de5df76169e3f3918e401ef8bf7 Mon Sep 17 00:00:00 2001
		2	From: Mike Frysinger <vapier@gentoo.org>
		3	Date: Wed, 31 Jan 2018 14:50:16 -0500
		4	Subject: [PATCH] gd/gd2: make sure transparent palette index is within bounds
		5	#383
		6
		7	The gd image formats allow for a palette of 256 colors,
		8	so if the transparent index is out of range, disable it.
		9
		10	Upstream-Status: Backport
		11	[https://github.com/libgd/libgd.git commit:0be86e1926939a98afbd2f3a23c673dfc4df2a7c]
		12	CVE-2017-6363
		13
		14	Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
		15	---
		16	src/gd_gd.c \| 3 ++-
		17	1 file changed, 2 insertions(+), 1 deletion(-)
		18
		19	diff --git a/src/gd_gd.c b/src/gd_gd.c
		20	index f8d39cb..5a86fc3 100644
		21	--- a/src/gd_gd.c
		22	+++ b/src/gd_gd.c
		23	@@ -54,7 +54,8 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
		24	if (!gdGetWord (&im->transparent, in)) {
		25	goto fail1;
		26	}
		27	- if (im->transparent == 257) {
		28	+ /* Make sure transparent index is within bounds of the palette. */
		29	+ if (im->transparent >= 256 \|\| im->transparent < 0) {
		30	im->transparent = (-1);
		31	}
		32	}
		33	--
		34	1.9.1
		35


diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.2.5.bb index 35f9bb2516..dda2e67d6d 100644 --- a/meta-oe/recipes-support/gd/gd_2.2.5.bb +++ b/meta-oe/recipes-support/gd/gd_2.2.5.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
17	file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \	17	file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \
18	file://CVE-2018-1000222.patch \	18	file://CVE-2018-1000222.patch \
19	file://CVE-2019-6978.patch \	19	file://CVE-2019-6978.patch \
		20	file://CVE-2017-6363.patch \
20	"	21	"
21		22
22	SRCREV = "8255231b68889597d04d451a72438ab92a405aba"	23	SRCREV = "8255231b68889597d04d451a72438ab92a405aba"