aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/gd-CVE-2016-6214.patch
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2016-07-28 16:46:16 -0400
committerLeo Famulari <leo@famulari.name>2016-07-28 16:46:27 -0400
commit49d725a108dc33f4eb72faff7cf138c5dd8c64f4 (patch)
tree615c8bc2c83ca19f33b20678854af783f0292863 /gnu/packages/patches/gd-CVE-2016-6214.patch
parent622c22ccb494de789588491ad94111f7a0311ddb (diff)
parenta1dfa0223329734d2cb4f9aa034183fb2573bb9c (diff)
downloadgnu-guix-49d725a108dc33f4eb72faff7cf138c5dd8c64f4.tar
gnu-guix-49d725a108dc33f4eb72faff7cf138c5dd8c64f4.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches/gd-CVE-2016-6214.patch')
-rw-r--r--gnu/packages/patches/gd-CVE-2016-6214.patch66
1 files changed, 66 insertions, 0 deletions
diff --git a/gnu/packages/patches/gd-CVE-2016-6214.patch b/gnu/packages/patches/gd-CVE-2016-6214.patch
new file mode 100644
index 0000000000..7894a32bb1
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-6214.patch
@@ -0,0 +1,66 @@
+Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
+
+Adapted from upstream commit:
+https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308
+
+Since `patch` cannot apply Git binary diffs, we omit the addition of
+'tests/tga/bug00247a.c' and its associated binary data.
+
+From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 12 Jul 2016 19:23:13 +0200
+Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
+ gracefully
+
+Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
+really supported. All other combinations will be rejected with a warning.
+
+(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
+---
+ src/gd_tga.c | 16 ++++++----------
+ tests/tga/.gitignore | 1 +
+ tests/tga/CMakeLists.txt | 1 +
+ tests/tga/Makemodule.am | 4 +++-
+ tests/tga/bug00247a.c | 19 +++++++++++++++++++
+ tests/tga/bug00247a.tga | Bin 0 -> 36 bytes
+ 6 files changed, 30 insertions(+), 11 deletions(-)
+ create mode 100644 tests/tga/bug00247a.c
+ create mode 100644 tests/tga/bug00247a.tga
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index 20fe2d2..b4f8fa6 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
+ if (tga->bits == TGA_BPP_24) {
+ *tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
+ bitmap_caret += 3;
+- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
++ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
+ register int a = tga->bitmap[bitmap_caret + 3];
+
+ *tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
+@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
+ printf("wxh: %i %i\n", tga->width, tga->height);
+ #endif
+
+- switch(tga->bits) {
+- case 8:
+- case 16:
+- case 24:
+- case 32:
+- break;
+- default:
+- gd_error("bps %i not supported", tga->bits);
++ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
++ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
++ {
++ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
++ tga->bits, tga->alphabits);
+ return -1;
+- break;
+ }
+
+ tga->ident = NULL;