Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files). https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132 Copied from upstream commit: https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Tue, 12 Jul 2016 11:24:09 +0200 Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA files (CVE-2016-6132) --- src/gd_tga.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/gd_tga.c b/src/gd_tga.c index ef20f86..20fe2d2 100644 --- a/src/gd_tga.c +++ b/src/gd_tga.c @@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) return -1; } - gdGetBuf(conversion_buffer, image_block_size, ctx); + if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) { + gd_error("gd-tga: premature end of image data\n"); + gdFree(conversion_buffer); + return -1; + } while (buffer_caret < image_block_size) { tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret]; @@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) } conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char)); if (conversion_buffer == NULL) { + gd_error("gd-tga: premature end of image data\n"); gdFree( decompression_buffer ); return -1; } - gdGetBuf( conversion_buffer, image_block_size, ctx ); + if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) { + gdFree(conversion_buffer); + gdFree(decompression_buffer); + return -1; + } buffer_caret = 0; -- 2.9.1