NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a17d8fb7f8
kumquat-buildroot/package/gd/0002-Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch
Peter Korsgaard 505a70edbe package/gd: add post-2.2.5 security fixes from upstream 
Fixes the following security vulnerablities:

- CVE-2018-1000222: Libgd version 2.2.5 contains a Double Free Vulnerability
  vulnerability in gdImageBmpPtr Function that can result in Remote Code
  Execution .  This attack appear to be exploitable via Specially Crafted
  Jpeg Image can trigger double free

- CVE-2018-5711: gd_gif_in.c in the GD Graphics Library (aka libgd), as used
  in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x
  before 7.2.1, has an integer signedness error that leads to an infinite
  loop via a crafted GIF file, as demonstrated by a call to the
  imagecreatefromgif or imagecreatefromstring PHP function

- CVE-2019-11038: When using the gdImageCreateFromXbm() function in the GD
  Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP
  versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it
  is possible to supply data that will cause the function to use the value
  of uninitialized variable.  This may lead to disclosing contents of the
  stack that has been left there by previous code

- CVE-2019-6978: The GD Graphics Library (aka LibGD) 2.2.5 has a double free
  in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-10-21 21:45:31 +02:00

62 lines
1.4 KiB
Diff
Raw Blame History

From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 29 Nov 2017 19:37:38 +0100
Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
Due to a signedness confusion in `GetCode_` a corrupt GIF file can
trigger an infinite loop. Furthermore we make sure that a GIF without
any palette entries is treated as invalid *after* open palette entries
have been removed.
CVE-2018-5711
See also https://bugs.php.net/bug.php?id=75571.
[Peter: drop tests]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
src/gd_gif_in.c | 12 ++++++------
1 files changed, 38 insertions(+), 6 deletions(-)
diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
index daf26e7..0a8bd71 100644
--- a/src/gd_gif_in.c
+++ b/src/gd_gif_in.c
@@ -335,11 +335,6 @@ terminated:
return 0;
}
- if(!im->colorsTotal) {
- gdImageDestroy(im);
- return 0;
- }
-
/* Check for open colors at the end, so
* we can reduce colorsTotal and ultimately
* BitsPerPixel */
@@ -351,6 +346,11 @@ terminated:
}
}
+ if(!im->colorsTotal) {
+ gdImageDestroy(im);
+ return 0;
+ }
+
return im;
}
@@ -447,7 +447,7 @@ static int
GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
{
int i, j, ret;
- unsigned char count;
+ int count;
if(flag) {
scd->curbit = 0;
--
2.20.1
Reference in New Issue View Git Blame Copy Permalink