
libgd-2.2.2-1.1.mga5.src.rpm

From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Tue, 28 Jun 2016 16:23:42 +0700
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
 _gd2GetHeader() resulting in heap overflow

---
 src/gd_gd2.c                    |   10 +++++++++-
 tests/gd2/CMakeLists.txt        |   1 +
 tests/gd2/Makemodule.am         |   6 ++++--
 tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
 4 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 tests/gd2/php_bug_72339.c

diff -uNrp libgd-2.2.2.orig/src/gd_gd2.c libgd-2.2.2/src/gd_gd2.c
--- libgd-2.2.2.orig/src/gd_gd2.c	2016-06-03 04:34:39.000000000 -0400
+++ libgd-2.2.2/src/gd_gd2.c	2016-06-30 10:36:19.097602113 -0400
@@ -152,10 +152,18 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
 
 	if (gd2_compressed (*fmt)) {
 		nc = (*ncx) * (*ncy);
+
 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+		if (overflow2(sizeof(t_chunk_info), nc)) {
+			goto fail1;
+		}
 		sidx = sizeof (t_chunk_info) * nc;
+		if (sidx <= 0) {
+			goto fail1;
+		}
+
 		cidx = gdCalloc (sidx, 1);
-		if (!cidx) {
+		if (cidx == NULL) {
 			goto fail1;
 		}
 		for (i = 0; i < nc; i++) {
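Review bot: The product `nc = (*ncx) * (*ncy);` on the context line just above the new guard is itself an unchecked signed multiplication of two header-supplied counts, so a large pair can wrap before `overflow2(sizeof(t_chunk_info), nc)` ever sees it, and a wrapped result that lands small and positive passes both new checks. Unless ncx/ncy are bounded earlier in _gd2GetHeader (not visible in this hunk), the same guard belongs on that product, e.g. `if (overflow2(*ncx, *ncy)) { goto fail1; }` immediately before the assignment. With that in place the `sidx <= 0` test still usefully rejects a zero chunk count, which is presumably why it was kept separate. _gd2GetHeader starts and ends outside this hunk.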
diff -uNrp libgd-2.2.2.orig/tests/gd2/CMakeLists.txt libgd-2.2.2/tests/gd2/CMakeLists.txt
--- libgd-2.2.2.orig/tests/gd2/CMakeLists.txt	2016-06-23 22:50:48.000000000 -0400
+++ libgd-2.2.2/tests/gd2/CMakeLists.txt	2016-06-30 10:36:13.457519403 -0400
@@ -2,6 +2,7 @@ SET(TESTS_FILES
 	gd2_empty_file
 	gd2_im2im
 	gd2_null
+	php_bug_72339
 )
 
 ADD_GD_TESTS()
diff -uNrp libgd-2.2.2.orig/tests/gd2/Makemodule.am libgd-2.2.2/tests/gd2/Makemodule.am
--- libgd-2.2.2.orig/tests/gd2/Makemodule.am	2016-06-03 04:34:39.000000000 -0400
+++ libgd-2.2.2/tests/gd2/Makemodule.am	2016-06-30 10:36:13.457519403 -0400
@@ -3,7 +3,8 @@ libgd_helper_programs += \
 	gd2/gd2_read_corrupt
 
 libgd_test_programs += \
-	gd2/gd2_empty_file
+	gd2/gd2_empty_file \
+	gd2/php_bug_72339
 TESTS += \
 	gd2/invalid_header.sh
 
@@ -32,4 +33,5 @@ EXTRA_DIST += \
 	gd2/invalid_header.gd2 \
 	gd2/invalid_header.sh \
 	gd2/invalid_neg_size.gd2 \
-	gd2/invalid_neg_size.sh
+	gd2/invalid_neg_size.sh \
+	gd2/php_bug_72339_exp.gd2
diff -uNrp libgd-2.2.2.orig/tests/gd2/php_bug_72339.c libgd-2.2.2/tests/gd2/php_bug_72339.c
--- libgd-2.2.2.orig/tests/gd2/php_bug_72339.c	1969-12-31 19:00:00.000000000 -0500
+++ libgd-2.2.2/tests/gd2/php_bug_72339.c	2016-06-30 10:36:19.097602113 -0400
@@ -0,0 +1,21 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include "gd.h"
+
+#include "gdtest.h"
+
+int main()
+{
+	gdImagePtr im;
+	FILE *fp;
+
+	fp = gdTestFileOpen("gdimagerotate/php_bug_64898.png");
+	im = gdImageCreateFromGd2(fp);
+	if (im == NULL) {
+		return 0;
+	} else {
+		gdTestErrorMsg("Image should have failed to be loaded");
+		return 1;
+	}
+
+}
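Review bot: The test opens `gdimagerotate/php_bug_64898.png` — a PNG from another test directory — rather than the `php_bug_72339_exp.gd2` file that the Makemodule.am hunk adds to EXTRA_DIST, and the diffstat shows no .gd2 file being created, so the failure it asserts most likely comes from the GD2 magic/header check rather than from the new overflow guard; the test would also pass trivially if the file were missing and `fp` were NULL. Pointing the test at a crafted gd2 input that reaches the chunk-count path, and failing explicitly when `fp == NULL`, would make it actually exercise the fix. Separately, `fp` is never closed and the `im != NULL` branch leaks the image: add `fclose(fp);` after the `gdImageCreateFromGd2` call and `gdImageDestroy(im);` before `return 1;`, and prefer `int main(void)` over `int main()`.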