Fix CVE-2016-{9317,10167,10168} in bundled libgd:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
Patches copied from Fedora:
CVE-2016-9317:
https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d851798416d005977d9409babf710c050124cfda
CVE-2016-10167:
https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=b439c6f363d3f9c7b22e7f3b2211d423abd7d612
CVE-2016-10168:
https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d8c724ed484d01f3535bd1f317d6c5aa6d33aa80
--- libwmf-0.2.8.4/src/extra/gd/gd.c
+++ libwmf-0.2.8.4/src/extra/gd/gd.c
@@ -65,6 +65,18 @@
{
int i;
gdImagePtr im;
+
+ if (overflow2(sx, sy)) {
+ return NULL;
+ }
+
+ if (overflow2(sizeof (unsigned char *), sy)) {
+ return NULL;
+ }
+ if (overflow2(sizeof (unsigned char), sx)) {
+ return NULL;
+ }
+
im = (gdImage *) gdMalloc (sizeof (gdImage));
memset (im, 0, sizeof (gdImage));
/* Row-major ever since gd 1.3 */
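Review bot: The allocation directly after the new checks is still used without a NULL test: `memset (im, 0, sizeof (gdImage));` runs on whatever `gdMalloc` returned, and dimensions that pass `overflow2` can still be large enough for an allocation to fail. Unless `gdMalloc` aborts on failure (not visible here), add `if (!im) return NULL;` before the memset and check the row allocations that presumably follow outside the hunk the same way. Only this one constructor is guarded in the visible diff; if the true-colour constructor in gd.c sizes its rows from `sx` and `sy` without equivalent checks, it needs them too. The function body starts and ends outside the hunk.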
--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
@@ -362,10 +362,9 @@
{
if (!gdGetInt (&im->tpixels[y][x], in))
{
- /*printf("EOF while reading\n"); */
- /*gdImageDestroy(im); */
- /*return 0; */
- im->tpixels[y][x] = 0;
+ fprintf(stderr, "gd2: EOF while reading\n");
+ gdImageDestroy(im);
+ return NULL;
}
}
else
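Review bot: The new `return NULL;` after `gdImageDestroy(im);` leaves the function in place, so anything else the function holds at this point (a chunk index or chunk buffers, if they are live on this path; not visible in the hunk) would leak each time a truncated file is loaded. If the function already has a cleanup label, jumping to it after destroying the image is safer than returning directly; the same applies to the identical block in the hunk at -373. A short comment such as `/* truncated input: fail the load instead of zero-filling missing pixels */` would record why the old fallback was removed. The enclosing function starts and ends outside both hunks.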
@@ -373,10 +372,9 @@
int ch;
if (!gdGetByte (&ch, in))
{
- /*printf("EOF while reading\n"); */
- /*gdImageDestroy(im); */
- /*return 0; */
- ch = 0;
+ fprintf(stderr, "gd2: EOF while reading\n");
+ gdImageDestroy(im);
+ return NULL;
}
im->pixels[y][x] = ch;
}
--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
@@ -145,6 +145,11 @@
if ((*fmt) == GD2_FMT_COMPRESSED)
{
+ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
+ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
+ goto fail1;
+ }
+
nc = (*ncx) * (*ncy);
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
sidx = sizeof (t_chunk_info) * nc;
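Review bot: The added guard keeps `nc` within INT_MAX, but the context line `sidx = sizeof (t_chunk_info) * nc;` can still exceed what `sidx` holds if it is an int (its declaration is outside the hunk), since the entry size is presumably more than one byte. A file-supplied chunk count just under the limit would then hand a wrapped or negative size to the allocation and index read that presumably follow. Add `if (overflow2(sizeof (t_chunk_info), nc)) goto fail1;` before that line, using the helper the gd.c change already relies on. The guard also uses `INT_MAX`, so gd_gd2.c needs `<limits.h>` if it does not include it already.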