Petr Gajdos
e66bc8525e
* CVE-2016-6905 [bsc#995034]
+ gd-CVE-2016-6905.patch
OBS-URL: https://build.opensuse.org/package/show/graphics/gd?expand=0&rev=28
66 lines
2.4 KiB
Diff
66 lines
2.4 KiB
Diff
From 3c2b605d72e8b080dace1d98a6e50b46c1d12186 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
|
|
Date: Tue, 12 Jul 2016 14:20:16 +0200
|
|
Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga
|
|
|
|
---
|
|
src/gd_tga.c | 34 ++++++++++++++++++++++++++--------
|
|
1 file changed, 26 insertions(+), 8 deletions(-)
|
|
|
|
Index: libgd-2.1.1/src/gd_tga.c
|
|
===================================================================
|
|
--- libgd-2.1.1.orig/src/gd_tga.c 2015-01-06 10:16:03.000000000 +0100
|
|
+++ libgd-2.1.1/src/gd_tga.c 2016-08-23 13:15:45.975724158 +0200
|
|
@@ -200,7 +200,6 @@ int read_image_tga( gdIOCtx *ctx, oTga *
|
|
int buffer_caret = 0;
|
|
int bitmap_caret = 0;
|
|
int i = 0;
|
|
- int j = 0;
|
|
uint8_t encoded_pixels;
|
|
|
|
if(overflow2(tga->width, tga->height)) {
|
|
@@ -287,25 +286,34 @@ int read_image_tga( gdIOCtx *ctx, oTga *
|
|
while( bitmap_caret < image_block_size ) {
|
|
|
|
if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
|
|
- encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 );
|
|
+ encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG ) + 1 );
|
|
buffer_caret++;
|
|
|
|
+ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
|
|
+ gdFree( decompression_buffer );
|
|
+ gdFree( conversion_buffer );
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
for (i = 0; i < encoded_pixels; i++) {
|
|
- for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
|
|
- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
|
|
- }
|
|
+ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size);
|
|
+ bitmap_caret += pixel_block_size;
|
|
}
|
|
buffer_caret += pixel_block_size;
|
|
+
|
|
} else {
|
|
encoded_pixels = decompression_buffer[ buffer_caret ] + 1;
|
|
buffer_caret++;
|
|
|
|
- for (i = 0; i < encoded_pixels; i++) {
|
|
- for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) {
|
|
- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
|
|
- }
|
|
- buffer_caret += pixel_block_size;
|
|
+ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
|
|
+ gdFree( decompression_buffer );
|
|
+ gdFree( conversion_buffer );
|
|
+ return -1;
|
|
}
|
|
+
|
|
+ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size);
|
|
+ bitmap_caret += (encoded_pixels * pixel_block_size);
|
|
+ buffer_caret += (encoded_pixels * pixel_block_size);
|
|
}
|
|
}
|
|
|