Adapted from upstream commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19 (gd2: handle corrupt images better (CVE-2016-3074)). This patch omits the upstream changes to '.gitignore', and the test added in files 'tests/Makefile.am', 'tests/gd2/gd2_read_corrupt.c', and 'tests/gd2/invalid_neg_size.gd2'. We omit the test because its input data, 'tests/gd2/invalid_neg_size.gd2', is provided as a binary Git diff, which is not supported by `patch`. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074 https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19 --- .gitignore | 1 + src/gd_gd2.c | 2 ++ tests/Makefile.am | 3 ++- tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++ tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes 5 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 tests/gd2/gd2_read_corrupt.c create mode 100644 tests/gd2/invalid_neg_size.gd2 diff --git a/src/gd_gd2.c b/src/gd_gd2.c index 6f28461..a50b33d 100644 --- a/src/gd_gd2.c +++ b/src/gd_gd2.c @@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, if (gdGetInt (&cidx[i].size, in) != 1) { goto fail2; }; + if (cidx[i].offset < 0 || cidx[i].size < 0) + goto fail2; }; *chunkIdx = cidx; };