From: Leo Famulari
Subject: libgd security update
Date: Fri, 15 Jul 2016 16:32:12 -0400
Message-ID: <20160715203212.GA10916@jasmine>
To: guix-devel@gnu.org

Several security vulnerabilities in libgd have been discovered recently, and today Debian issued a security update:

https://lists.debian.org/debian-security-announce/2016/msg00197.html

The first patch updates libgd to the latest release, 2.2.2, fixing some of the bugs. For the remaining bugs, I've taken patches from the master branch of the libgd Git repo. Two of the patches included binary files to be used in tests, which `patch` cannot handle, so I've removed those parts of the patches.
This patch series was not trivial to create; removing the binary diffs required some care, some of the patches depended on changes associated with the removed binary diffs, and some upstream fixes were reverted and re-committed with changes. Will someone double-check this patch series for mistakes?

[Attachment: 0001-gnu-gd-Update-to-2.2.2-fixes-CVE-2016-5767-6161.patch]

=46rom a27a22635f0615495d18b2d78eb90745d5989a0e Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Fri, 15 Jul 2016 14:47:47 -0400 Subject: [PATCH 1/2] gnu: gd: Update to 2.2.2 [fixes CVE-2016-{5767,6161}]. * gnu/packages/gd.scm (gd): Update to 2.2.2. --- gnu/packages/gd.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index 4d6b1a3..b4e6349 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -40,7 +40,7 @@ ;; Note: With libgd.org now pointing to github.com, genuine old ;; tarballs are no longer available. Notably, versions 2.0.x are ;; missing. - (version "2.2.1") + (version "2.2.2") =20 (source (origin (method url-fetch) 
@@ -49,7 +49,7 @@ version "/libgd-" version ".tar.xz")) (sha256 (base32 - "0xmrqka1ggqgml84xbmkw1y0r0lg7qn657v5b1my8pry92p651vh")))) + "1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) --=20 2.9.1

[Attachment: 0002-gnu-gd-Fix-CVE-2016-5766-6128-6132-6214.patch]

=46rom 2840ecffd86395bd63734406f924905bac727104 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Fri, 15 Jul 2016 14:48:09 -0400 Subject: [PATCH 2/2] gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}. * gnu/packages/patches/gd-CVE-2016-5766.patch, gnu/packages/patches/gd-CVE-2016-6128.patch, gnu/packages/patches/gd-CVE-2016-6132.patch, gnu/packages/patches/gd-CVE-2016-6214.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gd.scm (gd): Use patches. --- gnu/local.mk | 4 + gnu/packages/gd.scm | 4 + gnu/packages/patches/gd-CVE-2016-5766.patch | 81 +++++++++ gnu/packages/patches/gd-CVE-2016-6128.patch | 253 ++++++++++++++++++++++++= ++++ gnu/packages/patches/gd-CVE-2016-6132.patch | 55 ++++++ gnu/packages/patches/gd-CVE-2016-6214.patch | 66 ++++++++ 6 files changed, 463 insertions(+) create mode 100644 gnu/packages/patches/gd-CVE-2016-5766.patch create mode 100644 gnu/packages/patches/gd-CVE-2016-6128.patch create mode 100644 gnu/packages/patches/gd-CVE-2016-6132.patch create mode 100644 gnu/packages/patches/gd-CVE-2016-6214.patch diff --git a/gnu/local.mk b/gnu/local.mk index 71409b9..536ecef 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -510,6 +510,10 @@ dist_patch_DATA =3D \ %D%/packages/patches/gcc-cross-environment-variables.patch \ %D%/packages/patches/gcc-libvtv-runpath.patch \ %D%/packages/patches/gcc-5.0-libvtv-runpath.patch \ + %D%/packages/patches/gd-CVE-2016-5766.patch \ + %D%/packages/patches/gd-CVE-2016-6128.patch \ + %D%/packages/patches/gd-CVE-2016-6132.patch \ + %D%/packages/patches/gd-CVE-2016-6214.patch \ %D%/packages/patches/gegl-CVE-2012-4433.patch \ %D%/packages/patches/geoclue-config.patch \ %D%/packages/patches/ghostscript-CVE-2015-3228.patch \ diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm index b4e6349..700de33 100644 --- a/gnu/packages/gd.scm +++ b/gnu/packages/gd.scm @@ -47,6 +47,10 @@ (uri (string-append "https://github.com/libgd/libgd/releases/download/gd-" version "/libgd-" version ".tar.xz")) + (patches (search-patches "gd-CVE-2016-5766.patch" + "gd-CVE-2016-6128.patch" + "gd-CVE-2016-6132.patch" + "gd-CVE-2016-6214.patch")) (sha256 (base32 "1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8")))) diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/pat= ches/gd-CVE-2016-5766.patch new file mode 100644 index 0000000..400cb0a --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-5766.patch 
@@ -0,0 +1,81 @@ +Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap +overflow). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-5766 + +Adapted from upstream commits: +https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da= 9cc0 +https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87= fa79 + +Since `patch` cannot apply Git binary diffs, we omit the addition of +'tests/gd2/php_bug_72339.c' and its associated binary data. + +From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Tue, 28 Jun 2016 16:23:42 +0700 +Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in + _gd2GetHeader() resulting in heap overflow + +--- + src/gd_gd2.c | 5 ++++- + tests/gd2/CMakeLists.txt | 1 + + tests/gd2/Makemodule.am | 6 ++++-- + tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++ + tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes + 5 files changed, 30 insertions(+), 3 deletions(-) + create mode 100644 tests/gd2/php_bug_72339.c + create mode 100644 tests/gd2/php_bug_72339_exp.gd2 + +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index fd1e0c9..bdbbecf 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, + nc =3D (*ncx) * (*ncy); + GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); + sidx =3D sizeof (t_chunk_info) * nc; ++ if (overflow2(sidx, nc)) { ++ goto fail1; ++ } + cidx =3D gdCalloc (sidx, 1); +- if (!cidx) { ++ if (cidx =3D=3D NULL) { + goto fail1; + } + for (i =3D 0; i < nc; i++) { +From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Wed, 29 Jun 2016 09:36:26 +0700 +Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in + _gd2GetHeader() resulting in heap overflow. 
Sync with php's sync + +--- + src/gd_gd2.c | 7 ++++++- + tests/gd2/php_bug_72339.c | 2 +- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/gd_gd2.c b/src/gd_gd2.c +index bdbbecf..2837456 100644 +--- a/src/gd_gd2.c ++++ b/src/gd_gd2.c +@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, +=20 + if (gd2_compressed (*fmt)) { + nc =3D (*ncx) * (*ncy); ++ + GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); ++ if (overflow2(sizeof(t_chunk_info), nc)) { ++ goto fail1; ++ } + sidx =3D sizeof (t_chunk_info) * nc; +- if (overflow2(sidx, nc)) { ++ if (sidx <=3D 0) { + goto fail1; + } ++ + cidx =3D gdCalloc (sidx, 1); + if (cidx =3D=3D NULL) { + goto fail1; +--=20 +2.9.1 + diff --git a/gnu/packages/patches/gd-CVE-2016-6128.patch b/gnu/packages/pat= ches/gd-CVE-2016-6128.patch new file mode 100644 index 0000000..45ee6b0 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-6128.patch 
@@ -0,0 +1,253 @@ +Fix CVE-2016-6128 (invalid color index is not properly handled leading +to denial of service). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3D2016-6128 + +Copied from upstream commits: +https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c= 9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd + +From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Mon, 27 Jun 2016 11:17:39 +0700 +Subject: [PATCH 1/8] fix php 72494, invalid color index not handled, can l= ead + to crash + +--- + src/gd_crop.c | 4 ++++ + tests/CMakeLists.txt | 1 + + tests/Makefile.am | 1 + + 3 files changed, 6 insertions(+) + +diff --git a/src/gd_crop.c b/src/gd_crop.c +index 0296633..532b49b 100644 +--- a/src/gd_crop.c ++++ b/src/gd_crop.c +@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImageP= tr im, const unsigned int c + return NULL; + } +=20 ++ if (color < 0 || (!gdImageTrueColor(im) && color >=3D gdImageColorsTotal= (im))) { ++ return NULL; ++ } ++ + /* TODO: Add gdImageGetRowPtr and works with ptr at the row level + * for the true color and palette images + * new formats will simply work with ptr +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index 6f5c786..5093d52 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -31,6 +31,7 @@ if (BUILD_TEST) + gdimagecolortransparent + gdimagecopy + gdimagecopyrotated ++ gdimagecrop + gdimagefile + gdimagefill + gdimagefilledellipse +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 4f6e756..5a0ebe8 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -25,6 +25,7 @@ include gdimagecolorresolve/Makemodule.am + include gdimagecolortransparent/Makemodule.am + include gdimagecopy/Makemodule.am + include gdimagecopyrotated/Makemodule.am ++include gdimagecrop/Makemodule.am + include gdimagefile/Makemodule.am + include gdimagefill/Makemodule.am + include gdimagefilledellipse/Makemodule.am +--=20 +2.9.1 + +From 
8c9f39c7cb1f62ea00bc7a48aff64d3811c2d6d0 Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Mon, 27 Jun 2016 11:20:07 +0700 +Subject: [PATCH 2/8] fix php 72494, invalid color index not handled, can l= ead + to crash + +--- + tests/gdimagecrop/.gitignore | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 tests/gdimagecrop/.gitignore + +diff --git a/tests/gdimagecrop/.gitignore b/tests/gdimagecrop/.gitignore +new file mode 100644 +index 0000000..8e8c9c3 +--- /dev/null ++++ b/tests/gdimagecrop/.gitignore +@@ -0,0 +1 @@ ++/php_bug_72494 +--=20 +2.9.1 + +From 8de370b7b6263a02268037a7cd13ddd991b43ea9 Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Mon, 27 Jun 2016 11:24:50 +0700 +Subject: [PATCH 3/8] fix php 72494, invalid color index not handled, can l= ead + to crash + +--- + tests/gdimagecrop/CMakeLists.txt | 5 +++++ + 1 file changed, 5 insertions(+) + create mode 100644 tests/gdimagecrop/CMakeLists.txt + +diff --git a/tests/gdimagecrop/CMakeLists.txt b/tests/gdimagecrop/CMakeLis= ts.txt +new file mode 100644 +index 0000000..f7e4c7e +--- /dev/null ++++ b/tests/gdimagecrop/CMakeLists.txt +@@ -0,0 +1,5 @@ ++SET(TESTS_FILES ++ php_bug_72494 ++) ++ ++ADD_GD_TESTS() +--=20 +2.9.1 + +From bca12e4e11ecda8a0ea719472700ad5c2b36a0d6 Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Mon, 27 Jun 2016 11:25:12 +0700 +Subject: [PATCH 4/8] fix php 72494, invalid color index not handled, can l= ead + to crash + +--- + tests/gdimagecrop/Makemodule.am | 5 +++++ + 1 file changed, 5 insertions(+) + create mode 100644 tests/gdimagecrop/Makemodule.am + +diff --git a/tests/gdimagecrop/Makemodule.am b/tests/gdimagecrop/Makemodul= e.am +new file mode 100644 +index 0000000..210888b +--- /dev/null ++++ b/tests/gdimagecrop/Makemodule.am +@@ -0,0 +1,5 @@ ++libgd_test_programs +=3D \ ++ gdimagecrop/php_bug_72494 ++ ++EXTRA_DIST +=3D \ ++ gdimagecrop/CMakeLists.txt +--=20 +2.9.1 + +From 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Mon, 27 
Jun 2016 11:25:40 +0700 +Subject: [PATCH 5/8] fix php 72494, invalid color index not handled, can l= ead + to crash + +--- + tests/gdimagecrop/php_bug_72494.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + create mode 100644 tests/gdimagecrop/php_bug_72494.c + +diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug= _72494.c +new file mode 100644 +index 0000000..adaa379 +--- /dev/null ++++ b/tests/gdimagecrop/php_bug_72494.c +@@ -0,0 +1,23 @@ ++#include ++#include ++#include "gd.h" ++ ++#include "gdtest.h" ++ ++int main() ++{ ++ gdImagePtr im, exp; ++ int error =3D 0; ++ ++ im =3D gdImageCreate(50, 50); ++ ++ if (!im) { ++ gdTestErrorMsg("gdImageCreate failed.\n"); ++ return 1; ++ } ++ ++ gdImageCropThreshold(im, 1337, 0); ++ gdImageDestroy(im); ++ /* this bug tests a crash, it never reaches this point if the bug exists= */ ++ return 0; ++} +--=20 +2.9.1 + +From a0f9f8f7bd0d3a6c6afd6d180b8e75d93aadddfa Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Mon, 27 Jun 2016 11:38:07 +0700 +Subject: [PATCH 6/8] fix php 72494, CID 149753, color is unsigned int, rem= ove + useless <0 comparison + +--- + src/gd_crop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/gd_crop.c b/src/gd_crop.c +index 532b49b..d51ad67 100644 +--- a/src/gd_crop.c ++++ b/src/gd_crop.c +@@ -136,7 +136,7 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePt= r im, const unsigned int c + return NULL; + } +=20 +- if (color < 0 || (!gdImageTrueColor(im) && color >=3D gdImageColorsTotal= (im))) { ++ if (!gdImageTrueColor(im) && color >=3D gdImageColorsTotal(im)) { + return NULL; + } +=20 +--=20 +2.9.1 + +From 907115fbb980862934d0de91af4977a216745039 Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Mon, 27 Jun 2016 11:51:40 +0700 +Subject: [PATCH 7/8] fix php 72494, CID 149753, color is unsigned int, rem= ove + useless <0 comparison + +--- + tests/gdimagecrop/php_bug_72494.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + 
+diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug= _72494.c +index adaa379..5cb589b 100644 +--- a/tests/gdimagecrop/php_bug_72494.c ++++ b/tests/gdimagecrop/php_bug_72494.c +@@ -6,7 +6,7 @@ +=20 + int main() + { +- gdImagePtr im, exp; ++ gdImagePtr im; + int error =3D 0; +=20 + im =3D gdImageCreate(50, 50); +--=20 +2.9.1 + +From fd623025505e87bba7ec8555eeb72dae4fb0afdc Mon Sep 17 00:00:00 2001 +From: Pierre Joye +Date: Mon, 27 Jun 2016 12:04:25 +0700 +Subject: [PATCH 8/8] fix php 72494, CID 149753, color is unsigned int, rem= ove + useless <0 comparison + +--- + tests/gdimagecrop/php_bug_72494.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug= _72494.c +index 5cb589b..3bd19be 100644 +--- a/tests/gdimagecrop/php_bug_72494.c ++++ b/tests/gdimagecrop/php_bug_72494.c +@@ -7,7 +7,6 @@ + int main() + { + gdImagePtr im; +- int error =3D 0; +=20 + im =3D gdImageCreate(50, 50); +=20 +--=20 +2.9.1 + diff --git a/gnu/packages/patches/gd-CVE-2016-6132.patch b/gnu/packages/pat= ches/gd-CVE-2016-6132.patch new file mode 100644 index 0000000..4c475b7 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-6132.patch 
@@ -0,0 +1,55 @@ +Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3D2016-6132 + +Copied from upstream commit: +https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71= ff8d + +From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001 +From: =3D?UTF-8?q?Ond=3DC5=3D99ej=3D20Sur=3DC3=3DBD?=3D +Date: Tue, 12 Jul 2016 11:24:09 +0200 +Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of= TGA + files (CVE-2016-6132) + +--- + src/gd_tga.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/gd_tga.c b/src/gd_tga.c +index ef20f86..20fe2d2 100644 +--- a/src/gd_tga.c ++++ b/src/gd_tga.c +@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + return -1; + } +=20 +- gdGetBuf(conversion_buffer, image_block_size, ctx); ++ if (gdGetBuf(conversion_buffer, image_block_size, ctx) !=3D image_block= _size) { ++ gd_error("gd-tga: premature end of image data\n"); ++ gdFree(conversion_buffer); ++ return -1; ++ } +=20 + while (buffer_caret < image_block_size) { + tga->bitmap[buffer_caret] =3D (int) conversion_buffer[buffer_caret]; +@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + } + conversion_buffer =3D (unsigned char *) gdMalloc(image_block_size * siz= eof(unsigned char)); + if (conversion_buffer =3D=3D NULL) { ++ gd_error("gd-tga: premature end of image data\n"); + gdFree( decompression_buffer ); + return -1; + } +=20 +- gdGetBuf( conversion_buffer, image_block_size, ctx ); ++ if (gdGetBuf(conversion_buffer, image_block_size, ctx) !=3D image_block= _size) { ++ gdFree(conversion_buffer); ++ gdFree(decompression_buffer); ++ return -1; ++ } +=20 + buffer_caret =3D 0; +=20 +--=20 +2.9.1 + diff --git a/gnu/packages/patches/gd-CVE-2016-6214.patch b/gnu/packages/pat= ches/gd-CVE-2016-6214.patch new file mode 100644 index 0000000..7894a32 --- /dev/null +++ b/gnu/packages/patches/gd-CVE-2016-6214.patch 
@@ -0,0 +1,66 @@ +Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-6214 + +Adapted from upstream commit: +https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd9= 2308 + +Since `patch` cannot apply Git binary diffs, we omit the addition of +'tests/tga/bug00247a.c' and its associated binary data. + +From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Tue, 12 Jul 2016 19:23:13 +0200 +Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error + gracefully + +Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are +really supported. All other combinations will be rejected with a warning. + +(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9) +--- + src/gd_tga.c | 16 ++++++---------- + tests/tga/.gitignore | 1 + + tests/tga/CMakeLists.txt | 1 + + tests/tga/Makemodule.am | 4 +++- + tests/tga/bug00247a.c | 19 +++++++++++++++++++ + tests/tga/bug00247a.tga | Bin 0 -> 36 bytes + 6 files changed, 30 insertions(+), 11 deletions(-) + create mode 100644 tests/tga/bug00247a.c + create mode 100644 tests/tga/bug00247a.tga + +diff --git a/src/gd_tga.c b/src/gd_tga.c +index 20fe2d2..b4f8fa6 100644 +--- a/src/gd_tga.c ++++ b/src/gd_tga.c +@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx*= ctx) + if (tga->bits =3D=3D TGA_BPP_24) { + *tpix =3D gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitm= ap_caret + 1], tga->bitmap[bitmap_caret]); + bitmap_caret +=3D 3; +- } else if (tga->bits =3D=3D TGA_BPP_32 || tga->alphabits) { ++ } else if (tga->bits =3D=3D TGA_BPP_32 && tga->alphabits) { + register int a =3D tga->bitmap[bitmap_caret + 3]; +=20 + *tpix =3D gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap= [bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1)); +@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga) + printf("wxh: 
%i %i\n", tga->width, tga->height); + #endif +=20 +- switch(tga->bits) { +- case 8: +- case 16: +- case 24: +- case 32: +- break; +- default: +- gd_error("bps %i not supported", tga->bits); ++ if (!((tga->bits =3D=3D TGA_BPP_24 && tga->alphabits =3D=3D 0) ++ || (tga->bits =3D=3D TGA_BPP_32 && tga->alphabits =3D=3D 8))) ++ { ++ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits n= ot supported\n", ++ tga->bits, tga->alphabits); + return -1; +- break; + } +=20 + tga->ident =3D NULL; --=20 2.9.1
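Review bot: in the first src/gd_gd2.c hunk of gd-CVE-2016-5766.patch the added `if (overflow2(sidx, nc))` test sits after `sidx = sizeof (t_chunk_info) * nc;`, so it inspects a product that may already have wrapped, and with the wrong operands; the second embedded commit (index bdbbecf..2837456) replaces it with `overflow2(sizeof(t_chunk_info), nc)` before the multiplication plus an `sidx <= 0` guard, which is the correct form. The tree is only right because both commits are applied in order from the one file, so either say so in the patch header or squash the two gd_gd2.c hunks into one so the intermediate wrong check never exists in the Guix tree.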
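Review bot: the two embedded commit messages in gd-CVE-2016-5766.patch still carry diffstat rows and `create mode` lines for `tests/gd2/php_bug_72339.c`, `tests/gd2/php_bug_72339_exp.gd2` (`Bin 0 -> 67108882 bytes`), `tests/gd2/CMakeLists.txt` and `tests/gd2/Makemodule.am`, although none of those sections have hunks here any more. `patch` ignores the diffstat, but anyone checking this file against upstream will go looking for the missing hunks; trim both diffstats to `src/gd_gd2.c`, drop the `create mode` lines, and extend the header sentence so it says the CMake/automake test registration was omitted as well, not only the .c file and its binary data.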
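Review bot: two header details in gd-CVE-2016-6128.patch. The MITRE link reads `cvename.cgi?name=2016-6128` while the 5766 and 6214 headers use `name=CVE-2016-5766` and `name=CVE-2016-6214`, so add the `CVE-` prefix for consistency (the 6132 header has the same omission). And the `compare/...` URL ends in `fd623025505e87bba7ec8555eeb72dae4fb0afd`, one character short of the id `fd623025505e87bba7ec8555eeb72dae4fb0afdc` used in the commit 8/8 header below it; Git resolves the 39-character prefix, but the full id is what the rest of the file uses.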
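Review bot: the two `#include` lines at the top of tests/gdimagecrop/php_bug_72494.c in hunk 5/8 of gd-CVE-2016-6128.patch appear here with no header name after them, which would not compile as a test program. If that is only how this mail was rendered, fine, but please compare the file in gnu/packages/patches against upstream commit 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 before pushing, since this test is the one that exercises the `gdImageCropThreshold(im, 1337, 0)` out-of-range colour index the fix is for.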
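Review bot: in the second src/gd_tga.c hunk of gd-CVE-2016-6132.patch the new `gd_error("gd-tga: premature end of image data\n")` is placed in the `conversion_buffer == NULL` branch, so it reports a short read on what is an allocation failure, while the real short-read check added just below it (`gdGetBuf(...) != image_block_size` in the RLE path) frees both buffers and returns -1 without any message. It matches upstream ead349e line for line, so keeping it as-is for fidelity is the right call for this import, but it is worth reporting upstream so the message moves to the branch it describes.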
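Review bot: the header of gd-CVE-2016-6214.patch says only `tests/tga/bug00247a.c` and its binary data were omitted, but the diffstat below it also lists `tests/tga/.gitignore`, `tests/tga/CMakeLists.txt` and `tests/tga/Makemodule.am`, and none of those sections are present either (leaving them out is right, since they would register a test whose source was dropped); make the header say all `tests/tga` changes were omitted and trim the diffstat to `src/gd_tga.c`. Also, the one-line summary `read out-of-bounds when parsing TGA files` is the same text as the 6132 header; the upstream subject, `Unsupported TGA bpp/alphabit combinations should error gracefully`, describes this fix better, and the `||` to `&&` change in the first hunk only makes sense together with the new bits/alphabits check in the second.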
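The message above explains that two upstream commits had to have their Git binary diffs cut out by hand because `patch` cannot apply them, and asks for a double check. The tool below is an added example for exactly that job; it is not part of the original message nor of the Guix or libgd code. It splits a `git format-patch` file (possibly several commits concatenated, as in the gd-CVE-2016-5766 and gd-CVE-2016-6128 patch files) into per-file sections, removes every section that carries a `GIT binary patch`, optionally removes explicitly listed text-only sections that only make sense together with the dropped data (such as a test program), and reports each diffstat row in a commit message that no longer names a surviving section, which is the stale-metadata mistake most easily left behind when a patch is edited this way. The function names and the embedded sample patch are constructed for this example; none of its paths or hashes come from libgd.

```python
"""Strip Git binary diffs out of a `git format-patch` file so GNU patch can
apply it, and flag diffstat rows that no longer match a surviving hunk."""
import re

# First line of each commit in a concatenated format-patch file.
COMMIT_START = re.compile(r'^From [0-9a-f]{40} Mon Sep 17 00:00:00 2001$')
# `diff --git a/<path> b/<path>` header that opens one per-file section.
FILE_HEADER = re.compile(r'^diff --git a/(?P<path>\S+) b/\S+$')
# Diffstat rows: ` path | 12 ++--` or ` path | Bin 0 -> 36 bytes`.
DIFFSTAT = re.compile(r'^ (?P<path>\S+)\s+\|\s+(?:Bin\b|\d+)')
# format-patch trailer ("-- " then the git version); tolerate a stripped space.
SIGNATURE = re.compile(r'^-- ?$')


def file_sections(commit):
    """Return [(start, end, path)] for each per-file section of one commit."""
    starts = [i for i, line in enumerate(commit) if FILE_HEADER.match(line)]
    sections = []
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(commit)
        for j in range(start, end):  # the trailer must stay outside the section
            if SIGNATURE.match(commit[j]):
                end = j
                break
        sections.append((start, end, FILE_HEADER.match(commit[start]).group('path')))
    return sections


def is_binary_section(body):
    """True if the section carries a Git binary patch rather than text hunks."""
    return any(line.startswith(('GIT binary patch', 'Binary files ')) for line in body)


def strip_binary_diffs(patch_text, drop_paths=()):
    """Return (new_patch_text, dropped_paths, stale_diffstat_paths).
    Binary sections and sections whose path is in `drop_paths` are removed;
    diffstat rows naming a path with no surviving section are reported."""
    lines = patch_text.splitlines(keepends=True)
    commit_starts = [i for i, line in enumerate(lines) if COMMIT_START.match(line)] or [0]
    out, dropped, stale = [], [], []
    for n, cstart in enumerate(commit_starts):
        cend = commit_starts[n + 1] if n + 1 < len(commit_starts) else len(lines)
        commit = lines[cstart:cend]
        sections = file_sections(commit)
        preamble_end = sections[0][0] if sections else len(commit)  # diffstat lives before it
        kept, remove = set(), set()
        for start, end, path in sections:
            if is_binary_section(commit[start:end]) or path in drop_paths:
                dropped.append(path)
                remove.update(range(start, end))
            else:
                kept.add(path)
        for i, line in enumerate(commit):
            if i in remove:
                continue
            row = DIFFSTAT.match(line) if i < preamble_end else None
            if row and row.group('path') not in kept:
                stale.append(row.group('path'))
            out.append(line)
    return ''.join(out), dropped, stale


# Constructed sample (not from libgd): one text hunk, one text test file, one binary test file.
SAMPLE_PATCH = """\
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Example Author <author@example.org>
Subject: [PATCH] Reject unsupported bit depths (constructed sample)

---
 src/reader.c      | 2 +-
 tests/bad_depth.c | 1 +
 tests/bad.tga     | Bin 0 -> 36 bytes
 3 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/reader.c b/src/reader.c
--- a/src/reader.c
+++ b/src/reader.c
@@ -10,3 +10,3 @@ int read_header(struct hdr *h)
 {
-    if (h->bits == 32 || h->alphabits)
+    if (h->bits == 32 && h->alphabits)
         return 0;
diff --git a/tests/bad_depth.c b/tests/bad_depth.c
--- /dev/null
+++ b/tests/bad_depth.c
@@ -0,0 +1 @@
+int main(void) { return 0; }
diff --git a/tests/bad.tga b/tests/bad.tga
new file mode 100644
GIT binary patch
literal 36
ccmZQzU|?VbVqyTKfdl~W00000000000004B0|Ns

-- 
2.9.1
"""

if __name__ == '__main__':
    text, dropped, stale = strip_binary_diffs(SAMPLE_PATCH)
    print('dropped sections:', dropped, '\nstale diffstat rows:', stale)
    print(text)
```

By default only the binary sections go; pass `drop_paths={'tests/bad_depth.c'}` to also remove a text-only test that cannot build without the dropped data, which is the situation the message describes for `tests/gd2/php_bug_72339.c` and `tests/tga/bug00247a.c`. After writing the returned text to a file, `patch --dry-run -p1 < stripped.patch` against an unpacked tarball confirms that everything that remains still applies.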