* CVE-2016-6132 [bsc#987577]

+ gd-CVE-2016-6132.patch
  * CVE-2016-6214 [bsc#991436]
    + gd-CVE-2016-6214.patch

OBS-URL: https://build.opensuse.org/package/show/graphics/gd?expand=0&rev=29
Petr Gajdos 2016-08-23 12:48:55 +00:00 committed by Git OBS Bridge
parent e66bc8525e
commit 545684f568
4 changed files with 103 additions and 1 deletions

40
gd-CVE-2016-6132.patch Normal file

@ -0,0 +1,40 @@
From 921e590565deb033acafcfa9063b4563200b14b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Tue, 12 Jul 2016 11:24:09 +0200
Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
files
---
src/gd_tga.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/gd_tga.c b/src/gd_tga.c
index ef20f86..07f3c86 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -237,7 +237,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
return -1;
}
- gdGetBuf(conversion_buffer, image_block_size, ctx);
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ return -1;
+ }
while (buffer_caret < image_block_size) {
tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
@@ -261,7 +264,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
return -1;
}
- gdGetBuf( conversion_buffer, image_block_size, ctx );
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ gdFree(decompression_buffer);
+ return -1;
+ }
buffer_caret = 0;
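Review bot: The second hunk (`@@ -261,7 +264,11 @@`) demands a full `image_block_size` read in what appears to be the RLE branch, since `decompression_buffer` is freed there. RLE-compressed pixel data is normally shorter than the decoded image, so this check would likely reject well-formed compressed files. If that is the case, keep the byte count instead, `rle_size = gdGetBuf(conversion_buffer, image_block_size, ctx); if (rle_size <= 0) { /* free both buffers */ return -1; }`, and have the decode loop stop at `rle_size` so it never consumes bytes that were not read. Both new error paths also fail silently; a `gd_error("gd-tga: premature end of image data\n");` before the frees would make truncated input diagnosable. The body of read_image_tga continues outside both hunks, so the decode loop's bounds are inferred rather than visible.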

54
gd-CVE-2016-6214.patch Normal file

@ -0,0 +1,54 @@
From 10ef1dca63d62433fda13309b4a228782db823f7 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 12 Jul 2016 19:23:13 +0200
Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
gracefully
Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
really supported. All other combinations will be rejected with a warning.
---
src/gd_tga.c | 16 ++++++----------
tests/tga/.gitignore | 1 +
tests/tga/CMakeLists.txt | 1 +
tests/tga/Makemodule.am | 4 +++-
tests/tga/bug00247a.c | 19 +++++++++++++++++++
tests/tga/bug00247a.tga | Bin 0 -> 36 bytes
6 files changed, 30 insertions(+), 11 deletions(-)
create mode 100644 tests/tga/bug00247a.c
create mode 100644 tests/tga/bug00247a.tga
diff --git a/src/gd_tga.c b/src/gd_tga.c
index 20fe2d2..b4f8fa6 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
if (tga->bits == TGA_BPP_24) {
*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
bitmap_caret += 3;
- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
+ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
register int a = tga->bitmap[bitmap_caret + 3];
*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
printf("wxh: %i %i\n", tga->width, tga->height);
#endif
- switch(tga->bits) {
- case 8:
- case 16:
- case 24:
- case 32:
- break;
- default:
- gd_error("bps %i not supported", tga->bits);
+ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
+ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
+ {
+ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
+ tga->bits, tga->alphabits);
return -1;
- break;
}
tga->ident = NULL;
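Review bot: In the first hunk the pixel loop of gdImageCreateFromTgaCtx is an `if`/`else if` with no visible fallback, and its alpha test (`tga->alphabits` non-zero) is looser than the header check added in read_header_tga (`tga->alphabits == 8`). The loop is only correct if the header check has already rejected every other combination; otherwise neither visible branch runs and `*tpix` is not written by them. I would state that invariant at the branch, e.g. `/* read_header_tga() admits only 24bpp/0 alpha and 32bpp/8 alpha */`, and use the same `tga->alphabits == 8` test in both places so the two checks cannot drift apart. The loop body continues outside the hunk, so whether a later `else` exists is not visible here.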


@ -2,6 +2,10 @@
Tue Aug 23 11:16:25 UTC 2016 - pgajdos@suse.com
- security update:
* CVE-2016-6132 [bsc#987577]
+ gd-CVE-2016-6132.patch
* CVE-2016-6214 [bsc#991436]
+ gd-CVE-2016-6214.patch
* CVE-2016-6905 [bsc#995034]
+ gd-CVE-2016-6905.patch


@ -41,7 +41,9 @@ Patch3: gd-aliasing.patch
# could be upstreamed
Patch4: gd-libvpx.patch
Patch5: gd-CVE-2016-5116.patch
Patch6: gd-CVE-2016-6905.patch
Patch6: gd-CVE-2016-6132.patch
Patch7: gd-CVE-2016-6214.patch
Patch8: gd-CVE-2016-6905.patch
BuildRequires: fontconfig-devel
BuildRequires: freetype2-devel
BuildRequires: libjpeg-devel
@ -100,6 +102,8 @@ the formats accepted for inline images by most browsers.
%patch4
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
# this file is errorneously forgotten from the tarball