upstream/oracle/userland-gate: components/gd2/patches/005-CVE-2014-9709.patch@03635257972b

summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help


# External patch:
# https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43
# Backported to GD2 Version 2.0.35
--- gd_gif_in.c	2007-06-14 12:51:41.000000000 -0700
+++ gd_gif_in.c	2015-04-06 11:11:40.591453962 -0700
@@ -70,8 +70,10 @@
 
 #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
 
+#define CSD_BUF_SIZE 280
+
 typedef struct {
-	unsigned char    buf[280];
+	unsigned char    buf[CSD_BUF_SIZE];
 	int              curbit, lastbit, done, last_byte;
 } CODE_STATIC_DATA;
 
@@ -380,8 +382,14 @@
        }
 
        ret = 0;
-       for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
+       for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
+         if (i < CSD_BUF_SIZE * 8) {
                ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
+         } else {
+           ret = -1;
+           break;
+         }
+       }
 
        scd->curbit += code_size;
        return ret;

author	Stefan Teleman <stefan.teleman@oracle.com>
	Thu, 07 May 2015 10:31:56 -0700
branch	s11-update
changeset 4259	03635257972b
permissions	-rw-r--r--