Accepting request 421269 from graphics

- security update: * CVE-2016-6132 [bsc#987577] + gd-CVE-2016-6132.patch * CVE-2016-6214 [bsc#991436] + gd-CVE-2016-6214.patch * CVE-2016-6905 [bsc#995034] + gd-CVE-2016-6905.patch OBS-URL: https://build.opensuse.org/request/show/421269 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gd?expand=0&rev=41
2016-08-26 21:14:31 +00:00
parent 8eee5fa963 545684f568
commit c3ec9322de
5 changed files with 176 additions and 0 deletions
--- a/gd-CVE-2016-6132.patch
+++ b/gd-CVE-2016-6132.patch
@@ -0,0 +1,40 @@
+From 921e590565deb033acafcfa9063b4563200b14b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Tue, 12 Jul 2016 11:24:09 +0200
+Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
+ files
+
+---
+ src/gd_tga.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index ef20f86..07f3c86 100644
+--- a/src/gd_tga.c
+++ b/src/gd_tga.c
+@@ -237,7 +237,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 			return -1;
+ 		}
+ 
+-		gdGetBuf(conversion_buffer, image_block_size, ctx);
+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+			gdFree(conversion_buffer);
+			return -1;
+		}
+ 
+ 		while (buffer_caret < image_block_size) {
+ 			tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
+@@ -261,7 +264,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 			return -1;
+ 		}
+ 
+-		gdGetBuf( conversion_buffer, image_block_size, ctx );
+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+			gdFree(conversion_buffer);
+			gdFree(decompression_buffer);
+			return -1;
+		}
+ 
+ 		buffer_caret = 0;
+ 
+
--- a/gd-CVE-2016-6214.patch
+++ b/gd-CVE-2016-6214.patch
@@ -0,0 +1,54 @@
+From 10ef1dca63d62433fda13309b4a228782db823f7 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 12 Jul 2016 19:23:13 +0200
+Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
+ gracefully
+
+Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
+really supported. All other combinations will be rejected with a warning.
+---
+ src/gd_tga.c             |  16 ++++++----------
+ tests/tga/.gitignore     |   1 +
+ tests/tga/CMakeLists.txt |   1 +
+ tests/tga/Makemodule.am  |   4 +++-
+ tests/tga/bug00247a.c    |  19 +++++++++++++++++++
+ tests/tga/bug00247a.tga  | Bin 0 -> 36 bytes
+ 6 files changed, 30 insertions(+), 11 deletions(-)
+ create mode 100644 tests/tga/bug00247a.c
+ create mode 100644 tests/tga/bug00247a.tga
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index 20fe2d2..b4f8fa6 100644
+--- a/src/gd_tga.c
+++ b/src/gd_tga.c
+@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
+ 			if (tga->bits == TGA_BPP_24) {
+ 				*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
+ 				bitmap_caret += 3;
+-			} else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
+			} else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
+ 				register int a = tga->bitmap[bitmap_caret + 3];
+ 
+ 				*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
+@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
+ 	printf("wxh: %i %i\n", tga->width, tga->height);
+ #endif
+ 
+-	switch(tga->bits) {
+-	case 8:
+-	case 16:
+-	case 24:
+-	case 32:
+-		break;
+-	default:
+-		gd_error("bps %i not supported", tga->bits);
+	if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
+		|| (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
+	{
+		gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
+			tga->bits, tga->alphabits);
+ 		return -1;
+-		break;
+ 	}
+ 
+ 	tga->ident = NULL;
--- a/gd-CVE-2016-6905.patch
+++ b/gd-CVE-2016-6905.patch
@@ -0,0 +1,65 @@
+From 3c2b605d72e8b080dace1d98a6e50b46c1d12186 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Tue, 12 Jul 2016 14:20:16 +0200
+Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga
+
+---
+ src/gd_tga.c | 34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+Index: libgd-2.1.1/src/gd_tga.c
+===================================================================
+--- libgd-2.1.1.orig/src/gd_tga.c	2015-01-06 10:16:03.000000000 +0100
+++ libgd-2.1.1/src/gd_tga.c	2016-08-23 13:15:45.975724158 +0200
+@@ -200,7 +200,6 @@ int read_image_tga( gdIOCtx *ctx, oTga *
+ 	int buffer_caret = 0;
+ 	int bitmap_caret = 0;
+ 	int i = 0;
+-	int j = 0;
+ 	uint8_t encoded_pixels;
+ 
+ 	if(overflow2(tga->width, tga->height)) {
+@@ -287,25 +286,34 @@ int read_image_tga( gdIOCtx *ctx, oTga *
+ 		while( bitmap_caret < image_block_size ) {
+ 
+ 			if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
+-				encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 );
+				encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG ) + 1 );
+ 				buffer_caret++;
+ 
+				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
+					gdFree( decompression_buffer );
+					gdFree( conversion_buffer );
+					return -1;
+				}
+
+ 				for (i = 0; i < encoded_pixels; i++) {
+-					for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
+-						tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
+-					}
+					memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size);
+					bitmap_caret += pixel_block_size;
+ 				}
+ 				buffer_caret += pixel_block_size;
+
+ 			} else {
+ 				encoded_pixels = decompression_buffer[ buffer_caret ] + 1;
+ 				buffer_caret++;
+ 
+-				for (i = 0; i < encoded_pixels; i++) {
+-					for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) {
+-						tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
+-					}
+-					buffer_caret += pixel_block_size;
+				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
+					gdFree( decompression_buffer );
+					gdFree( conversion_buffer );
+					return -1;
+ 				}
+
+				memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size);
+				bitmap_caret += (encoded_pixels * pixel_block_size);
+				buffer_caret += (encoded_pixels * pixel_block_size);
+ 			}
+ 		}
+ 
--- a/gd.changes
+++ b/gd.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Aug 23 11:16:25 UTC 2016 - pgajdos@suse.com
+
+- security update:
+  * CVE-2016-6132 [bsc#987577]
+    + gd-CVE-2016-6132.patch
+  * CVE-2016-6214 [bsc#991436]
+    + gd-CVE-2016-6214.patch
+  * CVE-2016-6905 [bsc#995034]
+    + gd-CVE-2016-6905.patch
+
 -------------------------------------------------------------------
 Mon May 30 13:17:18 UTC 2016 - pgajdos@suse.com

--- a/gd.spec
+++ b/gd.spec
@@ -41,6 +41,9 @@ Patch3:         gd-aliasing.patch
 # could be upstreamed
 Patch4:         gd-libvpx.patch
 Patch5:         gd-CVE-2016-5116.patch
+Patch6:         gd-CVE-2016-6132.patch
+Patch7:         gd-CVE-2016-6214.patch
+Patch8:         gd-CVE-2016-6905.patch
 BuildRequires:  fontconfig-devel
 BuildRequires:  freetype2-devel
 BuildRequires:  libjpeg-devel
@@ -98,6 +101,9 @@ the formats accepted for inline images by most browsers.
 %patch3
 %patch4
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1

 %build
 # this file is errorneously forgotten from the tarball