diff --git a/gd-CVE-2016-5116.patch b/gd-CVE-2016-5116.patch new file mode 100644 index 0000000..591a060 --- /dev/null +++ b/gd-CVE-2016-5116.patch @@ -0,0 +1,90 @@ +From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger +Date: Sat, 14 May 2016 01:38:18 -0400 +Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211 + +We use the name passed in to printf into a local stack buffer which is +limited to 4000 bytes. So given a large enough value, lots of stack +data is leaked. Rewrite the code to do simple memory copies with most +of the strings to avoid that issue, and only use stack buffer for small +numbers of constant size. + +This closes #211. +--- + src/gd_xbm.c | 34 +++++++++++++++++++++++++++------- + 1 file changed, 27 insertions(+), 7 deletions(-) + +diff --git a/src/gd_xbm.c b/src/gd_xbm.c +index 74d839b..d28fdfc 100644 +--- a/src/gd_xbm.c ++++ b/src/gd_xbm.c +@@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd) + /* {{{ gdCtxPrintf */ + static void gdCtxPrintf(gdIOCtx * out, const char *format, ...) + { +- char buf[4096]; ++ char buf[1024]; + int len; + va_list args; + +@@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...) + } + /* }}} */ + ++/* The compiler will optimize strlen(constant) to a constant number. */ ++#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s)) ++ + /* {{{ gdImageXbmCtx */ + BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out) + { +@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC + } + } + +- gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image)); +- gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image)); +- gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name); ++ /* Since "name" comes from the user, run it through a direct puts. ++ * Trying to printf it into a local buffer means we'd need a large ++ * or dynamic buffer to hold it all. */ ++ ++ /* #define _width 1234 */ ++ gdCtxPuts(out, "#define "); ++ gdCtxPuts(out, name); ++ gdCtxPuts(out, "_width "); ++ gdCtxPrintf(out, "%d\n", gdImageSX(image)); ++ ++ /* #define _height 1234 */ ++ gdCtxPuts(out, "#define "); ++ gdCtxPuts(out, name); ++ gdCtxPuts(out, "_height "); ++ gdCtxPrintf(out, "%d\n", gdImageSY(image)); ++ ++ /* static unsigned char _bits[] = {\n */ ++ gdCtxPuts(out, "static unsigned char "); ++ gdCtxPuts(out, name); ++ gdCtxPuts(out, "_bits[] = {\n "); + + free(name); + +@@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC + if ((b == 128) || (x == sx && y == sy)) { + b = 1; + if (p) { +- gdCtxPrintf(out, ", "); ++ gdCtxPuts(out, ", "); + if (!(p%12)) { +- gdCtxPrintf(out, "\n "); ++ gdCtxPuts(out, "\n "); + p = 12; + } + } +@@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC + } + } + } +- gdCtxPrintf(out, "};\n"); ++ gdCtxPuts(out, "};\n"); + } + /* }}} */ + diff --git a/gd.changes b/gd.changes index be8aa43..1c308b7 100644 --- a/gd.changes +++ b/gd.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon May 30 13:17:18 UTC 2016 - pgajdos@suse.com + +- security update: + * CVE-2016-5116 [bsc#982176] + + gd-CVE-2016-5116.patch + ------------------------------------------------------------------- Tue Mar 1 15:32:40 UTC 2016 - pgajdos@suse.com diff --git a/gd.spec b/gd.spec index 803326c..8991f12 100644 --- a/gd.spec +++ b/gd.spec @@ -40,6 +40,7 @@ Patch2: gd-format.patch Patch3: gd-aliasing.patch # could be upstreamed Patch4: gd-libvpx.patch +Patch5: gd-CVE-2016-5116.patch BuildRequires: fontconfig-devel BuildRequires: freetype2-devel BuildRequires: libjpeg-devel @@ -96,6 +97,7 @@ the formats accepted for inline images by most browsers. %patch2 %patch3 %patch4 +%patch5 -p1 %build # this file is errorneously forgotten from the tarball