diff options
Diffstat (limited to 'media-libs/gd/files')
-rw-r--r-- | media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch | 124 | ||||
-rw-r--r-- | media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch | 28 | ||||
-rw-r--r-- | media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch | 278 | ||||
-rw-r--r-- | media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch | 103 |
4 files changed, 533 insertions, 0 deletions
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch new file mode 100644 index 000000000000..6d9de06998a4 --- /dev/null +++ b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch @@ -0,0 +1,124 @@ +From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Wed, 29 Nov 2017 19:37:38 +0100 +Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx + +Due to a signedness confusion in `GetCode_` a corrupt GIF file can +trigger an infinite loop. Furthermore we make sure that a GIF without +any palette entries is treated as invalid *after* open palette entries +have been removed. + +CVE-2018-5711 + +See also https://bugs.php.net/bug.php?id=75571. +--- + src/gd_gif_in.c | 12 ++++++------ + tests/gif/CMakeLists.txt | 1 + + tests/gif/Makemodule.am | 2 ++ + tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++ + tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes + 6 files changed, 38 insertions(+), 6 deletions(-) + create mode 100644 tests/gif/php_bug_75571.c + +diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c +index daf26e79..0a8bd717 100644 +--- a/src/gd_gif_in.c ++++ b/src/gd_gif_in.c +@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) + return 0; + } + +- if(!im->colorsTotal) { +- gdImageDestroy(im); +- return 0; +- } +- + /* Check for open colors at the end, so + * we can reduce colorsTotal and ultimately + * BitsPerPixel */ +@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) + } + } + ++ if(!im->colorsTotal) { ++ gdImageDestroy(im); ++ return 0; ++ } ++ + return im; + } + +@@ -447,7 +447,7 @@ static int + GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) + { + int i, j, ret; +- unsigned char count; ++ int count; + + if(flag) { + scd->curbit = 0; +diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt +index 2b73749e..e58e6b09 100644 +--- a/tests/gif/CMakeLists.txt ++++ b/tests/gif/CMakeLists.txt +@@ -4,6 +4,7 @@ LIST(APPEND TESTS_FILES + bug00227 + gif_null + ossfuzz5700 ++ php_bug_75571 + uninitialized_memory_read + ) + +diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am +index 3199438f..5dbeac53 100644 +--- a/tests/gif/Makemodule.am ++++ b/tests/gif/Makemodule.am +@@ -4,6 +4,7 @@ libgd_test_programs += \ + gif/bug00227 \ + gif/gif_null \ + gif/ossfuzz5700 \ ++ gif/php_bug_75571 \ + gif/uninitialized_memory_read + + if HAVE_LIBPNG +@@ -26,4 +27,5 @@ EXTRA_DIST += \ + gif/bug00066.gif \ + gif/bug00066_exp.png \ + gif/ossfuzz5700.gif \ ++ gif/php_bug_75571.gif \ + gif/unitialized_memory_read.gif +diff --git a/tests/gif/php_bug_75571.c b/tests/gif/php_bug_75571.c +new file mode 100644 +index 00000000..d4fae3ae +--- /dev/null ++++ b/tests/gif/php_bug_75571.c +@@ -0,0 +1,28 @@ ++/** ++ * Test that GIF reading does not loop infinitely ++ * ++ * We are reading a crafted GIF image which has been truncated. This would ++ * trigger an infinite loop formerly, but know bails out early, returning ++ * NULL from gdImageCreateFromGif(). ++ * ++ * See also https://bugs.php.net/bug.php?id=75571. ++ */ ++ ++ ++#include "gd.h" ++#include "gdtest.h" ++ ++ ++int main() ++{ ++ gdImagePtr im; ++ FILE *fp; ++ ++ fp = gdTestFileOpen2("gif", "php_bug_75571.gif"); ++ gdTestAssert(fp != NULL); ++ im = gdImageCreateFromGif(fp); ++ gdTestAssert(im == NULL); ++ fclose(fp); ++ ++ return gdNumFailures(); ++} + diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch new file mode 100644 index 000000000000..0b67a596c6bc --- /dev/null +++ b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch @@ -0,0 +1,28 @@ +Description: Heap-based buffer overflow in gdImageColorMatch +Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced +Bug-PHP: https://bugs.php.net/bug.php?id=77270 +Bug-Debian: https://bugs.debian.org/920645 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977 +Forwarded: no +Author: "Christoph M. Becker" <cmbecker69@gmx.de> +Last-Update: 2019-02-01 + +At least some of the image reading functions may return images which +use color indexes greater than or equal to im->colorsTotal. We cater +to this by always using a buffer size which is sufficient for +`gdMaxColors` in `gdImageColorMatch()`. +--- + +--- a/src/gd_color_match.c ++++ b/src/gd_color_match.c +@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm + return -4; /* At least 1 color must be allocated */ + } + +- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); +- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); ++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); ++ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); + + for (x=0; x < im1->sx; x++) { + for( y=0; y<im1->sy; y++ ) { diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch new file mode 100644 index 000000000000..2eb9369a0bad --- /dev/null +++ b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch @@ -0,0 +1,278 @@ +From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Thu, 17 Jan 2019 11:54:55 +0100 +Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr() + +Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we +must not call `gdDPExtractData()`; otherwise a double-free would +happen. Since `gdImage*Ctx()` are void functions, and we can't change +that for BC reasons, we're introducing static helpers which are used +internally. + +We're adding a regression test for `gdImageJpegPtr()`, but not for +`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to +trigger failure of the respective `gdImage*Ctx()` calls. + +This potential security issue has been reported by Solmaz Salimi (aka. +Rooney). +--- + src/gd_gif_out.c | 18 +++++++++++++++--- + src/gd_jpeg.c | 20 ++++++++++++++++---- + src/gd_wbmp.c | 21 ++++++++++++++++++--- + tests/jpeg/CMakeLists.txt | 1 + + tests/jpeg/Makemodule.am | 3 ++- + tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++ + 7 files changed, 84 insertions(+), 11 deletions(-) + create mode 100644 tests/jpeg/jpeg_ptr_double_free.c + +diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c +index 298a5812..d5a95346 100644 +--- a/src/gd_gif_out.c ++++ b/src/gd_gif_out.c +@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx); + static void char_out(int c, GifCtx *ctx); + static void flush_char(GifCtx *ctx); + ++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out); + + + +@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageGifCtx(im, out); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageGifCtx(im, out)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile) + + */ + BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) ++{ ++ _gdImageGifCtx(im, out); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) + { + gdImagePtr pim = 0, tim = im; + int interlace, BitsPerPixel; +@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) + based temporary image. */ + pim = gdImageCreatePaletteFromTrueColor(im, 1, 256); + if(!pim) { +- return; ++ return 1; + } + tim = pim; + } +@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) + /* Destroy palette based temporary image. */ + gdImageDestroy( pim); + } ++ ++ return 0; + } + + +diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c +index fc058420..96ef4302 100644 +--- a/src/gd_jpeg.c ++++ b/src/gd_jpeg.c +@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo) + exit(99); + } + ++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality); ++ + /* + * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality + * QUALITY. If QUALITY is in the range 0-100, increasing values +@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageJpegCtx(im, out, quality); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageJpegCtx(im, out, quality)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile); + + */ + BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) ++{ ++ _gdImageJpegCtx(im, outfile, quality); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + { + struct jpeg_compress_struct cinfo; + struct jpeg_error_mgr jerr; +@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + if(row) { + gdFree(row); + } +- return; ++ return 1; + } + + cinfo.err->emit_message = jpeg_emit_message; +@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + if(row == 0) { + gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n"); + jpeg_destroy_compress(&cinfo); +- return; ++ return 1; + } + + rowptr[0] = row; +@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + jpeg_finish_compress(&cinfo); + jpeg_destroy_compress(&cinfo); + gdFree(row); ++ return 0; + } + + +diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c +index f19a1c96..a49bdbec 100644 +--- a/src/gd_wbmp.c ++++ b/src/gd_wbmp.c +@@ -88,6 +88,8 @@ int gd_getin(void *in) + return (gdGetC((gdIOCtx *)in)); + } + ++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out); ++ + /* + Function: gdImageWBMPCtx + +@@ -100,6 +102,12 @@ int gd_getin(void *in) + out - the stream where to write + */ + BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) ++{ ++ _gdImageWBMPCtx(image, fg, out); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) + { + int x, y, pos; + Wbmp *wbmp; +@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) + /* create the WBMP */ + if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) { + gd_error("Could not create WBMP\n"); +- return; ++ return 1; + } + + /* fill up the WBMP structure */ +@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) + + /* write the WBMP to a gd file descriptor */ + if(writewbmp(wbmp, &gd_putout, out)) { ++ freewbmp(wbmp); + gd_error("Could not save WBMP\n"); ++ return 1; + } + + /* des submitted this bugfix: gdFree the memory. */ + freewbmp(wbmp); ++ ++ return 0; + } + + /* +@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageWBMPCtx(im, fg, out); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageWBMPCtx(im, fg, out)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt +index 19964b0c..a8d8162f 100644 +--- a/tests/jpeg/CMakeLists.txt ++++ b/tests/jpeg/CMakeLists.txt +@@ -2,6 +2,7 @@ IF(JPEG_FOUND) + LIST(APPEND TESTS_FILES + jpeg_empty_file + jpeg_im2im ++ jpeg_ptr_double_free + jpeg_null + ) + +diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am +index 7e5d317b..b89e1695 100644 +--- a/tests/jpeg/Makemodule.am ++++ b/tests/jpeg/Makemodule.am +@@ -2,7 +2,8 @@ if HAVE_LIBJPEG + libgd_test_programs += \ + jpeg/jpeg_empty_file \ + jpeg/jpeg_im2im \ +- jpeg/jpeg_null ++ jpeg/jpeg_null \ ++ jpeg/jpeg_ptr_double_free + + if HAVE_LIBPNG + libgd_test_programs += \ +diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c +new file mode 100644 +index 00000000..df5a510b +--- /dev/null ++++ b/tests/jpeg/jpeg_ptr_double_free.c +@@ -0,0 +1,31 @@ ++/** ++ * Test that failure to convert to JPEG returns NULL ++ * ++ * We are creating an image, set its width to zero, and pass this image to ++ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL. ++ * ++ * See also <https://github.com/libgd/libgd/issues/381> ++ */ ++ ++ ++#include "gd.h" ++#include "gdtest.h" ++ ++ ++int main() ++{ ++ gdImagePtr src, dst; ++ int size; ++ ++ src = gdImageCreateTrueColor(1, 10); ++ gdTestAssert(src != NULL); ++ ++ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */ ++ ++ dst = gdImageJpegPtr(src, &size, 0); ++ gdTestAssert(dst == NULL); ++ ++ gdImageDestroy(src); ++ ++ return gdNumFailures(); ++} diff --git a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch new file mode 100644 index 000000000000..891c232115ec --- /dev/null +++ b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch @@ -0,0 +1,103 @@ +From 9fa3abd2e61da18ed2b889704e4e252f0f5a95fe Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Fri, 26 Jan 2018 01:57:52 -0500 +Subject: [PATCH] gif: fix out-of-bounds read w/corrupted lzw data + +oss-fuzz pointed out: +gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int [4096]' + +Add some bounds checking on each code that we read from the file. +--- + src/gd_gif_in.c | 8 ++++++++ + tests/gif/CMakeLists.txt | 3 ++- + tests/gif/Makemodule.am | 2 ++ + tests/gif/ossfuzz5700.c | 13 +++++++++++++ + tests/gif/ossfuzz5700.gif | Bin 0 -> 30 bytes + 6 files changed, 26 insertions(+), 1 deletion(-) + create mode 100644 tests/gif/ossfuzz5700.c + +diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c +index afc08bf7..daf26e79 100644 +--- a/src/gd_gif_in.c ++++ b/src/gd_gif_in.c +@@ -601,6 +601,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i + /* Bad compressed data stream */ + return -1; + } ++ if(code >= (1 << MAX_LWZ_BITS)) { ++ /* Corrupted code */ ++ return -1; ++ } + + *sd->sp++ = sd->table[1][code]; + +@@ -610,6 +614,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i + + code = sd->table[0][code]; + } ++ if(code >= (1 << MAX_LWZ_BITS)) { ++ /* Corrupted code */ ++ return -1; ++ } + + *sd->sp++ = sd->firstcode = sd->table[1][code]; + +diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt +index 7d40cddc..2b73749e 100644 +--- a/tests/gif/CMakeLists.txt ++++ b/tests/gif/CMakeLists.txt +@@ -3,6 +3,8 @@ LIST(APPEND TESTS_FILES + bug00181 + bug00227 + gif_null ++ ossfuzz5700 ++ uninitialized_memory_read + ) + + IF(PNG_FOUND) +@@ -12,7 +14,6 @@ LIST(APPEND TESTS_FILES + bug00060 + bug00066 + gif_im2im +- uninitialized_memory_read + ) + ENDIF(PNG_FOUND) + +diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am +index 0bdeab7e..3199438f 100644 +--- a/tests/gif/Makemodule.am ++++ b/tests/gif/Makemodule.am +@@ -3,6 +3,7 @@ libgd_test_programs += \ + gif/bug00181 \ + gif/bug00227 \ + gif/gif_null \ ++ gif/ossfuzz5700 \ + gif/uninitialized_memory_read + + if HAVE_LIBPNG +@@ -24,4 +25,5 @@ EXTRA_DIST += \ + gif/bug00060.gif \ + gif/bug00066.gif \ + gif/bug00066_exp.png \ ++ gif/ossfuzz5700.gif \ + gif/unitialized_memory_read.gif +diff --git a/tests/gif/ossfuzz5700.c b/tests/gif/ossfuzz5700.c +new file mode 100644 +index 00000000..8fc9f88c +--- /dev/null ++++ b/tests/gif/ossfuzz5700.c +@@ -0,0 +1,13 @@ ++#include <stdio.h> ++#include "gd.h" ++#include "gdtest.h" ++ ++int main() ++{ ++ gdImagePtr im; ++ FILE *fp = gdTestFileOpen("gif/ossfuzz5700.gif"); ++ im = gdImageCreateFromGif(fp); ++ fclose(fp); ++ gdImageDestroy(im); ++ return 0; ++} + |