From e66bc8525ede4f45530c12749ea525ab555a18ed47e5dad75935a48836cb7407 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Tue, 23 Aug 2016 11:25:39 +0000 Subject: [PATCH] - security update: * CVE-2016-6905 [bsc#995034] + gd-CVE-2016-6905.patch OBS-URL: https://build.opensuse.org/package/show/graphics/gd?expand=0&rev=28 --- gd-CVE-2016-6905.patch | 65 ++++++++++++++++++++++++++++++++++++++++++ gd.changes | 7 +++++ gd.spec | 2 ++ 3 files changed, 74 insertions(+) create mode 100644 gd-CVE-2016-6905.patch diff --git a/gd-CVE-2016-6905.patch b/gd-CVE-2016-6905.patch new file mode 100644 index 0000000..156178c --- /dev/null +++ b/gd-CVE-2016-6905.patch @@ -0,0 +1,65 @@ +From 3c2b605d72e8b080dace1d98a6e50b46c1d12186 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Tue, 12 Jul 2016 14:20:16 +0200 +Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga + +--- + src/gd_tga.c | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +Index: libgd-2.1.1/src/gd_tga.c +=================================================================== +--- libgd-2.1.1.orig/src/gd_tga.c 2015-01-06 10:16:03.000000000 +0100 ++++ libgd-2.1.1/src/gd_tga.c 2016-08-23 13:15:45.975724158 +0200 +@@ -200,7 +200,6 @@ int read_image_tga( gdIOCtx *ctx, oTga * + int buffer_caret = 0; + int bitmap_caret = 0; + int i = 0; +- int j = 0; + uint8_t encoded_pixels; + + if(overflow2(tga->width, tga->height)) { +@@ -287,25 +286,34 @@ int read_image_tga( gdIOCtx *ctx, oTga * + while( bitmap_caret < image_block_size ) { + + if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) { +- encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 ); ++ encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG ) + 1 ); + buffer_caret++; + ++ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) { ++ gdFree( decompression_buffer ); ++ gdFree( conversion_buffer ); ++ return -1; ++ } ++ + for (i = 0; i < encoded_pixels; i++) { +- for (j = 0; j < pixel_block_size; j++, bitmap_caret++) { +- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ]; +- } ++ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size); ++ bitmap_caret += pixel_block_size; + } + buffer_caret += pixel_block_size; ++ + } else { + encoded_pixels = decompression_buffer[ buffer_caret ] + 1; + buffer_caret++; + +- for (i = 0; i < encoded_pixels; i++) { +- for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) { +- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ]; +- } +- buffer_caret += pixel_block_size; ++ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) { ++ gdFree( decompression_buffer ); ++ gdFree( conversion_buffer ); ++ return -1; + } ++ ++ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size); ++ bitmap_caret += (encoded_pixels * pixel_block_size); ++ buffer_caret += (encoded_pixels * pixel_block_size); + } + } + diff --git a/gd.changes b/gd.changes index 1c308b7..a1d1fff 100644 --- a/gd.changes +++ b/gd.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Aug 23 11:16:25 UTC 2016 - pgajdos@suse.com + +- security update: + * CVE-2016-6905 [bsc#995034] + + gd-CVE-2016-6905.patch + ------------------------------------------------------------------- Mon May 30 13:17:18 UTC 2016 - pgajdos@suse.com diff --git a/gd.spec b/gd.spec index 8991f12..0d37480 100644 --- a/gd.spec +++ b/gd.spec @@ -41,6 +41,7 @@ Patch3: gd-aliasing.patch # could be upstreamed Patch4: gd-libvpx.patch Patch5: gd-CVE-2016-5116.patch +Patch6: gd-CVE-2016-6905.patch BuildRequires: fontconfig-devel BuildRequires: freetype2-devel BuildRequires: libjpeg-devel @@ -98,6 +99,7 @@ the formats accepted for inline images by most browsers. %patch3 %patch4 %patch5 -p1 +%patch6 -p1 %build # this file is errorneously forgotten from the tarball