37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
Adapted from upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19
|
|
(gd2: handle corrupt images better (CVE-2016-3074)).
|
|
|
|
This patch omits the upstream changes to '.gitignore', and the test
|
|
added in files 'tests/Makefile.am', 'tests/gd2/gd2_read_corrupt.c', and
|
|
'tests/gd2/invalid_neg_size.gd2'.
|
|
|
|
We omit the test because its input data,
|
|
'tests/gd2/invalid_neg_size.gd2', is provided as a binary Git diff,
|
|
which is not supported by `patch`.
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074
|
|
https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19
|
|
---
|
|
.gitignore | 1 +
|
|
src/gd_gd2.c | 2 ++
|
|
tests/Makefile.am | 3 ++-
|
|
tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++
|
|
tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
|
|
5 files changed, 30 insertions(+), 1 deletion(-)
|
|
create mode 100644 tests/gd2/gd2_read_corrupt.c
|
|
create mode 100644 tests/gd2/invalid_neg_size.gd2
|
|
|
|
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
|
index 6f28461..a50b33d 100644
|
|
--- a/src/gd_gd2.c
|
|
+++ b/src/gd_gd2.c
|
|
@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
|
if (gdGetInt (&cidx[i].size, in) != 1) {
|
|
goto fail2;
|
|
};
|
|
+ if (cidx[i].offset < 0 || cidx[i].size < 0)
|
|
+ goto fail2;
|
|
};
|
|
*chunkIdx = cidx;
|
|
};
|