Diffstat (limited to 'import-layers/meta-openembedded/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch')
-rw-r--r-- | import-layers/meta-openembedded/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/import-layers/meta-openembedded/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch b/import-layers/meta-openembedded/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch
new file mode 100644
index 000000000..aef1060c4
--- /dev/null
+++ b/import-layers/meta-openembedded/meta-oe/recipes-support/gd/gd/CVE-2016-10168.patch
@@ -0,0 +1,38 @@
+From 2d37bdc03a6e2b820fe380016f22592a7733e0be Mon Sep 17 00:00:00 2001
+From: Catalin Enache <catalin.enache@windriver.com>
+Date: Fri, 7 Apr 2017 12:32:49 +0300
+Subject: [PATCH] Fix #354: Signed Integer Overflow gd_io.c
+
+GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
+byte unsigned). These values are multiplied and assigned to an int when
+reading the image, what can cause integer overflows. We have to avoid
+that, and also make sure that either chunk count is actually greater
+than zero. If illegal chunk counts are detected, we bail out from
+reading the image.
+
+Upstream-Status: Backport
+CVE: CVE-2016-10168
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/gd_gd2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index bae65ea..9006bd2 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -151,6 +151,10 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ GD2_DBG (printf ("%d Chunks vertically\n", *ncy));
+
+ if (gd2_compressed (*fmt)) {
++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++ goto fail1;
++ }
+ nc = (*ncx) * (*ncy);
+
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+--
+2.10.2
+
|
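Review bot: The `Upstream-Status: Backport` line in the patch header names no upstream commit, and the hash on the `From 2d37bdc0…` line appears to be the backporter's own format-patch id, so the fix cannot be traced to the libgd change it claims to carry; I would write it as `Upstream-Status: Backport [<upstream libgd commit URL>]`. In the C change itself, the new guard sits inside `if (gd2_compressed (*fmt))`, so zero or oversized chunk counts in a raw-format header still leave `_gd2GetHeader` unchecked; whether that matters depends on callers outside this hunk. The guard uses `INT_MAX`, so confirm that `src/gd_gd2.c` already includes `<limits.h>` in the version this recipe builds. This view is limited to the patch file, so also check that the recipe lists it in `SRC_URI`, otherwise the fix is never applied to the build.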