unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
blob 7894a32bb112524cdfca3dad4690c50a4320e01c 2449 bytes (raw)
name: gnu/packages/patches/gd-CVE-2016-6214.patch 	 # note: path name is non-authoritative(*)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

 
Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214

Adapted from upstream commit:
https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308

Since `patch` cannot apply Git binary diffs, we omit the addition of
'tests/tga/bug00247a.c' and its associated binary data.

From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 12 Jul 2016 19:23:13 +0200
Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
 gracefully

Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
really supported. All other combinations will be rejected with a warning.

(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
---
 src/gd_tga.c             |  16 ++++++----------
 tests/tga/.gitignore     |   1 +
 tests/tga/CMakeLists.txt |   1 +
 tests/tga/Makemodule.am  |   4 +++-
 tests/tga/bug00247a.c    |  19 +++++++++++++++++++
 tests/tga/bug00247a.tga  | Bin 0 -> 36 bytes
 6 files changed, 30 insertions(+), 11 deletions(-)
 create mode 100644 tests/tga/bug00247a.c
 create mode 100644 tests/tga/bug00247a.tga

diff --git a/src/gd_tga.c b/src/gd_tga.c
index 20fe2d2..b4f8fa6 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
 			if (tga->bits == TGA_BPP_24) {
 				*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
 				bitmap_caret += 3;
-			} else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
+			} else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
 				register int a = tga->bitmap[bitmap_caret + 3];
 
 				*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
 	printf("wxh: %i %i\n", tga->width, tga->height);
 #endif
 
-	switch(tga->bits) {
-	case 8:
-	case 16:
-	case 24:
-	case 32:
-		break;
-	default:
-		gd_error("bps %i not supported", tga->bits);
+	if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
+		|| (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
+	{
+		gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
+			tga->bits, tga->alphabits);
 		return -1;
-		break;
 	}
 
 	tga->ident = NULL;

debug log:

solving 7894a32 ...
found 7894a32 in https://git.savannah.gnu.org/cgit/guix.git

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).