56 lines
1.7 KiB
Diff
56 lines
1.7 KiB
Diff
Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files).
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132
|
|
|
|
Copied from upstream commit:
|
|
https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d
|
|
|
|
From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
|
|
Date: Tue, 12 Jul 2016 11:24:09 +0200
|
|
Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
|
|
files (CVE-2016-6132)
|
|
|
|
---
|
|
src/gd_tga.c | 13 +++++++++++--
|
|
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/gd_tga.c b/src/gd_tga.c
|
|
index ef20f86..20fe2d2 100644
|
|
--- a/src/gd_tga.c
|
|
+++ b/src/gd_tga.c
|
|
@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
|
|
return -1;
|
|
}
|
|
|
|
- gdGetBuf(conversion_buffer, image_block_size, ctx);
|
|
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
|
|
+ gd_error("gd-tga: premature end of image data\n");
|
|
+ gdFree(conversion_buffer);
|
|
+ return -1;
|
|
+ }
|
|
|
|
while (buffer_caret < image_block_size) {
|
|
tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
|
|
@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
|
|
}
|
|
conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
|
|
if (conversion_buffer == NULL) {
|
|
+ gd_error("gd-tga: premature end of image data\n");
|
|
gdFree( decompression_buffer );
|
|
return -1;
|
|
}
|
|
|
|
- gdGetBuf( conversion_buffer, image_block_size, ctx );
|
|
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
|
|
+ gdFree(conversion_buffer);
|
|
+ gdFree(decompression_buffer);
|
|
+ return -1;
|
|
+ }
|
|
|
|
buffer_caret = 0;
|
|
|
|
--
|
|
2.9.1
|
|
|