guix-devel/gnu/packages/patches/gd-CVE-2019-6977.patch

Fix CVE-2019-6977:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977

Patch copied from Debian:

https://salsa.debian.org/debian/libgd2/commit/2d7d3b68bb79843e5271a05543e996fd5a3a8cd1

Description: Heap-based buffer overflow in gdImageColorMatch
Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
Bug-PHP: https://bugs.php.net/bug.php?id=77270
Bug-Debian: https://bugs.debian.org/920645
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
Forwarded: no
Author: "Christoph M. Becker" <cmbecker69@gmx.de>
Last-Update: 2019-02-01

At least some of the image reading functions may return images which
use color indexes greater than or equal to im->colorsTotal.  We cater
to this by always using a buffer size which is sufficient for
`gdMaxColors` in `gdImageColorMatch()`.
---

--- a/src/gd_color_match.c
+++ b/src/gd_color_match.c
@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
 		return -4; /* At least 1 color must be allocated */
 	}
 
-	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
-	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
+	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
+	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
 
 	for (x=0; x < im1->sx; x++) {
 		for( y=0; y<im1->sy; y++ ) {
gnu: libgd: Fix CVE-2019-{6977,6978}. * gnu/packages/gd.scm (gd)[replacement]: New field. (gd/fixed): New variable. * gnu/packages/patches/gd-CVE-2019-6977.patch, gnu/packages/patches/gd-CVE-2019-6978.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. 2019-02-15 18:22:10 +01:00			`Fix CVE-2019-6977:`

			`https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977`

			`Patch copied from Debian:`

			`https://salsa.debian.org/debian/libgd2/commit/2d7d3b68bb79843e5271a05543e996fd5a3a8cd1`

			`Description: Heap-based buffer overflow in gdImageColorMatch`
			`Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced`
			`Bug-PHP: https://bugs.php.net/bug.php?id=77270`
			`Bug-Debian: https://bugs.debian.org/920645`
			`Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977`
			`Forwarded: no`
			`Author: "Christoph M. Becker" <cmbecker69@gmx.de>`
			`Last-Update: 2019-02-01`

			`At least some of the image reading functions may return images which`
			`use color indexes greater than or equal to im->colorsTotal. We cater`
			`to this by always using a buffer size which is sufficient for`
			`gdMaxColors` in `gdImageColorMatch()`.
			`---`

			`--- a/src/gd_color_match.c`
			`+++ b/src/gd_color_match.c`
			`@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm`
			`return -4; /* At least 1 color must be allocated */`
			`}`

			`- buf = (unsigned long )gdMalloc(sizeof(unsigned long) 5 * im2->colorsTotal);`
			`- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );`
			`+ buf = (unsigned long )gdMalloc(sizeof(unsigned long) 5 * gdMaxColors);`
			`+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );`

			`for (x=0; x < im1->sx; x++) {`
			`for( y=0; y<im1->sy; y++ ) {`