25475702 problem in LIBRARY/GD2 s11u3-sru
authorRich Burridge <rich.burridge@oracle.com>
Wed, 01 Feb 2017 12:42:00 -0800
branchs11u3-sru
changeset 7634 29a59ab45538
parent 7633 aba3229536ba
child 7636 08f998adf908
25475702 problem in LIBRARY/GD2
components/gd2/patches/007-CVE-2016-10167.patch
components/gd2/patches/008-CVE-2016-10168.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/gd2/patches/007-CVE-2016-10167.patch	Wed Feb 01 12:42:00 2017 -0800
@@ -0,0 +1,37 @@
+Fix for CVE CVE-2016-10167
+DOS vulnerability in gdImageCreateFromGd2Ctx()
+
+Change based on commit at:
+
+https://github.com/libgd/libgd/commit/fe9ed49dafa993e3af96b6a5a589efeea9bfb36f
+
+--- gd_gd2.c.orig	2017-01-31 07:09:38.043472825 +0000
++++ gd_gd2.c	2017-01-31 07:40:06.395740258 +0000
[email protected]@ -414,10 +414,9 @@
+ 			{
+ 			  if (!gdGetInt (&im->tpixels[y][x], in))
+ 			    {
+-			      /*printf("EOF while reading\n"); */
+-			      /*gdImageDestroy(im); */
+-			      /*return 0; */
+-			      im->tpixels[y][x] = 0;
++			      fprintf (stderr, "gd2: EOF while reading\n");
++			      gdImageDestroy(im);
++			      return NULL;
+ 			    }
+ 			}
+ 		      else
[email protected]@ -425,10 +424,9 @@
+ 			  int ch;
+ 			  if (!gdGetByte (&ch, in))
+ 			    {
+-			      /*printf("EOF while reading\n"); */
+-			      /*gdImageDestroy(im); */
+-			      /*return 0; */
+-			      ch = 0;
++			      fprintf (stderr, "gd2: EOF while reading\n");
++			      gdImageDestroy(im);
++			      return NULL;
+ 			    }
+ 			  im->pixels[y][x] = ch;
+ 			}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/gd2/patches/008-CVE-2016-10168.patch	Wed Feb 01 12:42:00 2017 -0800
@@ -0,0 +1,21 @@
+Fix for CVE-2016-10168
+Signed Integer Overflow gd_io.c
+
+Change based on commit at:
+
+https://github.com/libgd/libgd/commit/69d2fd2c597ffc0c217de1238b9bf4d4bceba8e6
+
+--- gd_gd2.c.orig	2017-01-31 07:21:54.267718272 +0000
++++ gd_gd2.c	2017-01-31 07:24:36.616401175 +0000
[email protected]@ -167,6 +167,11 @@
+ 
+   if (gd2_compressed (*fmt))
+     {
++      if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy)
++        {
++          GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++          goto fail1;
++        }
+       nc = (*ncx) * (*ncy);
+       GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+       sidx = sizeof (t_chunk_info) * nc;