unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
blob 400cb0ab480ada2b413f52c42bfb844e1a0101a8 2590 bytes (raw)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
 
Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
overflow).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766

Adapted from upstream commits:
https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79

Since `patch` cannot apply Git binary diffs, we omit the addition of
'tests/gd2/php_bug_72339.c' and its associated binary data.

From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Tue, 28 Jun 2016 16:23:42 +0700
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
 _gd2GetHeader() resulting in heap overflow

---
 src/gd_gd2.c                    |   5 ++++-
 tests/gd2/CMakeLists.txt        |   1 +
 tests/gd2/Makemodule.am         |   6 ++++--
 tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
 tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
 5 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 tests/gd2/php_bug_72339.c
 create mode 100644 tests/gd2/php_bug_72339_exp.gd2

diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index fd1e0c9..bdbbecf 100644
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
 		nc = (*ncx) * (*ncy);
 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
 		sidx = sizeof (t_chunk_info) * nc;
+		if (overflow2(sidx, nc)) {
+			goto fail1;
+		}
 		cidx = gdCalloc (sidx, 1);
-		if (!cidx) {
+		if (cidx == NULL) {
 			goto fail1;
 		}
 		for (i = 0; i < nc; i++) {
From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Wed, 29 Jun 2016 09:36:26 +0700
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
 _gd2GetHeader() resulting in heap overflow. Sync with php's sync

---
 src/gd_gd2.c              | 7 ++++++-
 tests/gd2/php_bug_72339.c | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index bdbbecf..2837456 100644
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
 
 	if (gd2_compressed (*fmt)) {
 		nc = (*ncx) * (*ncy);
+
 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+		if (overflow2(sizeof(t_chunk_info), nc)) {
+			goto fail1;
+		}
 		sidx = sizeof (t_chunk_info) * nc;
-		if (overflow2(sidx, nc)) {
+		if (sidx <= 0) {
 			goto fail1;
 		}
+
 		cidx = gdCalloc (sidx, 1);
 		if (cidx == NULL) {
 			goto fail1;
-- 
2.9.1


debug log:

solving 400cb0a ...
found 400cb0a in https://git.savannah.gnu.org/cgit/guix.git

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).