67 lines
2.4 KiB
Diff
67 lines
2.4 KiB
Diff
|
Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files).
|
||
|
|
||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
|
||
|
|
||
|
Adapted from upstream commit:
|
||
|
https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308
|
||
|
|
||
|
Since `patch` cannot apply Git binary diffs, we omit the addition of
|
||
|
'tests/tga/bug00247a.c' and its associated binary data.
|
||
|
|
||
|
From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
|
||
|
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
||
|
Date: Tue, 12 Jul 2016 19:23:13 +0200
|
||
|
Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
|
||
|
gracefully
|
||
|
|
||
|
Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
|
||
|
really supported. All other combinations will be rejected with a warning.
|
||
|
|
||
|
(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
|
||
|
---
|
||
|
src/gd_tga.c | 16 ++++++----------
|
||
|
tests/tga/.gitignore | 1 +
|
||
|
tests/tga/CMakeLists.txt | 1 +
|
||
|
tests/tga/Makemodule.am | 4 +++-
|
||
|
tests/tga/bug00247a.c | 19 +++++++++++++++++++
|
||
|
tests/tga/bug00247a.tga | Bin 0 -> 36 bytes
|
||
|
6 files changed, 30 insertions(+), 11 deletions(-)
|
||
|
create mode 100644 tests/tga/bug00247a.c
|
||
|
create mode 100644 tests/tga/bug00247a.tga
|
||
|
|
||
|
diff --git a/src/gd_tga.c b/src/gd_tga.c
|
||
|
index 20fe2d2..b4f8fa6 100644
|
||
|
--- a/src/gd_tga.c
|
||
|
+++ b/src/gd_tga.c
|
||
|
@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
|
||
|
if (tga->bits == TGA_BPP_24) {
|
||
|
*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
|
||
|
bitmap_caret += 3;
|
||
|
- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
|
||
|
+ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
|
||
|
register int a = tga->bitmap[bitmap_caret + 3];
|
||
|
|
||
|
*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
|
||
|
@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
|
||
|
printf("wxh: %i %i\n", tga->width, tga->height);
|
||
|
#endif
|
||
|
|
||
|
- switch(tga->bits) {
|
||
|
- case 8:
|
||
|
- case 16:
|
||
|
- case 24:
|
||
|
- case 32:
|
||
|
- break;
|
||
|
- default:
|
||
|
- gd_error("bps %i not supported", tga->bits);
|
||
|
+ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
|
||
|
+ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
|
||
|
+ {
|
||
|
+ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
|
||
|
+ tga->bits, tga->alphabits);
|
||
|
return -1;
|
||
|
- break;
|
||
|
}
|
||
|
|
||
|
tga->ident = NULL;
|