| author | Rich Burridge <rich.burridge@oracle.com> |
| Tue, 02 May 2017 17:33:26 -0700 | |
| changeset 7964 | d9801318ed3d |
| parent 7626 | a1bbaa35d1ba |
| permissions | -rw-r--r-- |
|
7626
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
1 |
Fix for CVE-2016-10168 |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
2 |
Signed Integer Overflow gd_io.c |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
3 |
|
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
4 |
Change based on commit at: |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
5 |
|
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
6 |
https://github.com/libgd/libgd/commit/69d2fd2c597ffc0c217de1238b9bf4d4bceba8e6 |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
7 |
|
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
8 |
--- gd_gd2.c.orig 2017-01-31 07:21:54.267718272 +0000 |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
9 |
+++ gd_gd2.c 2017-01-31 07:24:36.616401175 +0000 |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
10 |
@@ -167,6 +167,11 @@ |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
11 |
|
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
12 |
if (gd2_compressed (*fmt)) |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
13 |
{
|
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
14 |
+ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
15 |
+ {
|
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
16 |
+ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
|
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
17 |
+ goto fail1; |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
18 |
+ } |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
19 |
nc = (*ncx) * (*ncy); |
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
20 |
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
|
|
a1bbaa35d1ba
25475702 problem in LIBRARY/GD2
Rich Burridge <rich.burridge@oracle.com>
parents:
diff
changeset
|
21 |
sidx = sizeof (t_chunk_info) * nc; |