authorLeonardo Arena <rnalrd@alpinelinux.org>2016-06-02 08:24:36 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-06-02 08:25:20 +0000
commit9c357d4b73ee5422aa963ff6ac9f0748053150ec (patch)
tree4666daf3dfe266a90c542ac9cc59800eb86ab7e1
parent2d54dce8b391bd0303685760cc41aed58f3f29f0 (diff)
main/gd: security fix (CVE-2016-3074). Fixes #5613
-rw-r--r--main/gd/APKBUILD15
-rw-r--r--main/gd/CVE-2016-3074.patch110
2 files changed, 120 insertions, 5 deletions
diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index e7e7bb51c8..bd78bc9c74 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -3,7 +3,7 @@
pkgname=gd
pkgver=2.1.1
_myver=${pkgver/_rc/RC}
-pkgrel=0
+pkgrel=1
pkgdesc="Library for the dynamic creation of images by programmers"
url="http://www.libgd.org/"
arch="all"
@@ -11,7 +11,9 @@ license="custom"
depends=
makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev"
subpackages="$pkgname-dev $pkgname-doc"
-source="http://bitbucket.org/libgd/gd-libgd/downloads/libgd-$pkgver.tar.xz"
+source="http://bitbucket.org/libgd/gd-libgd/downloads/libgd-$pkgver.tar.xz
+ CVE-2016-3074.patch
+ "
_builddir="$srcdir"/lib$pkgname-$_myver
prepare() {
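Review bot: Listing `CVE-2016-3074.patch` in `source=` only makes abuild fetch and checksum the file; nothing visible in this hunk applies it. `prepare()` opens on the last context line and its body lies outside the hunk, so confirm that it walks `$source` and runs `patch -p1` for each `*.patch` entry; otherwise the package ships as `pkgrel=1` with the vulnerable `gd_gd2.c` unchanged. The tarball URL on the re-added `source=` line is still plain `http://`, which leaves integrity resting entirely on the checksums further down, so switching to `https://` would be worthwhile if the host serves it.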
@@ -44,6 +46,9 @@ package() {
rm -r "$pkgdir"/usr/lib/libgd.la
}
-md5sums="9076f3abd1f9815d106da36467ea15bc libgd-2.1.1.tar.xz"
-sha256sums="9ada1ed45594abc998ebc942cef12b032fbad672e73efc22bc9ff54f5df2b285 libgd-2.1.1.tar.xz"
-sha512sums="48f444402a4b89e412870f9091b92eb26136c5c0d795722262ad973c7d4103476204a2de36133a2634b8f410d6bccdcf60afb829a74ac2fddfb96aff2cd2567b libgd-2.1.1.tar.xz"
+md5sums="9076f3abd1f9815d106da36467ea15bc libgd-2.1.1.tar.xz
+9a90f7e93c8259953ef8f67aead1b2b6 CVE-2016-3074.patch"
+sha256sums="9ada1ed45594abc998ebc942cef12b032fbad672e73efc22bc9ff54f5df2b285 libgd-2.1.1.tar.xz
+827b4c3522bb865976cc56b92a60bc0df4e271a46044ac4994881b0106aaddf9 CVE-2016-3074.patch"
+sha512sums="48f444402a4b89e412870f9091b92eb26136c5c0d795722262ad973c7d4103476204a2de36133a2634b8f410d6bccdcf60afb829a74ac2fddfb96aff2cd2567b libgd-2.1.1.tar.xz
+8887f305cda02594fa4296a343a9c5fdc579f0cab72f4a5fcdf9cbf3d813fa05c0a53ab4fa879de0102c41d10cb08831902a379d2fdb5142d7b8e6d1ea3ef81a CVE-2016-3074.patch"
diff --git a/main/gd/CVE-2016-3074.patch b/main/gd/CVE-2016-3074.patch
new file mode 100644
index 0000000000..85000886c2
--- /dev/null
+++ b/main/gd/CVE-2016-3074.patch
@@ -0,0 +1,110 @@
+From 2bb97f407c1145c850416a3bfbcc8cf124e68a19 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 16 Apr 2016 03:51:22 -0400
+Subject: [PATCH] gd2: handle corrupt images better (CVE-2016-3074)
+
+Make sure we do some range checking on corrupted chunks.
+
+Thanks to Hans Jerry Illikainen <hji@dyntopia.com> for indepth report
+and reproducer information. Made for easy test case writing :).
+---
+ .gitignore | 1 +
+ src/gd_gd2.c | 2 ++
+ tests/Makefile.am | 3 ++-
+ tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++
+ tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
+ 5 files changed, 30 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gd2/gd2_read_corrupt.c
+ create mode 100644 tests/gd2/invalid_neg_size.gd2
+
+diff --git a/.gitignore b/.gitignore
+index a68f3b9..35acd71 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -150,6 +150,7 @@ Makefile.in
+ /tests/gd2/gd2_im2im
+ /tests/gd2/gd2_null
+ /tests/gd2/gd2_read
++/tests/gd2/gd2_read_corrupt
+ /tests/gdimagearc/bug00079
+ /tests/gdimageline/gdimageline_aa
+ /tests/gdimageline/bug00072
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 6f28461..a50b33d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ if (gdGetInt (&cidx[i].size, in) != 1) {
+ goto fail2;
+ };
++ if (cidx[i].offset < 0 || cidx[i].size < 0)
++ goto fail2;
+ };
+ *chunkIdx = cidx;
+ };
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index ed2c35b..b582266 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -129,7 +129,8 @@ endif
+
+ if HAVE_LIBZ
+ check_PROGRAMS += \
+- gd2/gd2_null
++ gd2/gd2_null \
++ gd2/gd2_read_corrupt
+ endif
+
+ if HAVE_LIBPNG
+diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
+new file mode 100644
+index 0000000..11f6a67
+--- /dev/null
++++ b/tests/gd2/gd2_read_corrupt.c
+@@ -0,0 +1,25 @@
++/* Just try to read the invalid gd2 image & not crash. */
++#include "gd.h"
++#include <stdio.h>
++#include <stdlib.h>
++#include "gdtest.h"
++
++int main()
++{
++ gdImagePtr im;
++ FILE *fp;
++ char path[1024];
++
++ /* Read the corrupt image. */
++ sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
++ fp = fopen(path, "rb");
++ if (!fp) {
++ printf("failed, cannot open file\n");
++ return 1;
++ }
++ im = gdImageCreateFromGd2(fp);
++ fclose(fp);
++
++ /* Should have failed & rejected it. */
++ return im == NULL ? 0 : 1;
++}
+diff --git a/tests/gd2/invalid_neg_size.gd2 b/tests/gd2/invalid_neg_size.gd2
+new file mode 100644
+index 0000000000000000000000000000000000000000..3075f15a81a5ac0312f1548ef7733726c58c1f24
+GIT binary patch
+literal 1676
+zcmYdKF=Aj~VqgS92QbaVz`&x(z`&3Xq-XpG0w8-7jE2By2#o9ys9<DFVVM2jkq&_A
+zrDUq`{Y^Pj0@g4#f0QiA55HlZ@HF9tMV4@gn1|r?E8jjStJyO=Js<hwb(hMKkhS`+
+zIH#n4b81fOwK1Q}GC6xgli<E9^KAlt^6h-|{O7gG+mZ)9yjgNsGr@B1WVxObuQtrM
+z#=^yN#mUv!UZ(isn|)g<Gm@q5JT~X>)=nrYtl!eO@Y0j(uP24Oy8cV*JZTi%$LjUn
+zHzKcM%atz4N1|6Bc&yqQwj{71^7_XwahG!Za#qgRp0&AK_7P)ivKtpiqy+Qht#SF*
+zMaQJhn^t_9qk56qrqA%Mh<Mrlt=-}^_8Zw$*2~9UTQu|P_ebAXt^L@%Vt&w)*ca?Q
+zmoGA&ZC@r<dvR&!HA|J%GCJj_qO%-7e~P{{Z%T`}?Mk-4Qs-VbA2hzb+D@-d@!0Z+
+zna|e#ek}Mja+lhIXxR|+VBxjjJloZ}IRBU@_!{=-_#X*LR5`n@?<Lo!M7h*c?@zVv
+zYd=`G>{#vZ%zd@pEzz2O-%mf&R%I<VH&wT7kAHuuw|n=Ay_LQ$h6%e%zJGeR{l>8q
+zf?T2nbvg-FtoADt&xdhev;R0l>jm4q7qbJdANGtCPvX9R`uql)<-sap|IGrVrT6W5
+zXnv=f!*bd}GjY+2hGIKyAG$nqUSL?uGc}?vV9J_*x4-T7>?=Ea+<1Qdhx_^N-fMX)
+OZWwA+Ogk&gc>@5dGaWbp
+
+literal 0
+HcmV?d00001
+
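Review bot: The check added to `_gd2GetHeader` in `src/gd_gd2.c` (`cidx[i].offset < 0 || cidx[i].size < 0`) rejects only negative chunk-index values, so a corrupt file can still declare an oversized positive `size` or an `offset` past the end of the input. The function continues outside the hunk and the code that consumes `chunkIdx` is not shown, so it is worth confirming that each `size` is compared against the allocated chunk buffer before any chunk data is read. The new `if` is also the only unbraced one in the loop; writing it as `if (cidx[i].offset < 0 || cidx[i].size < 0) { goto fail2; }` matches the surrounding style and avoids a dangling-statement mistake on a later edit. In `tests/gd2/gd2_read_corrupt.c`, `sprintf` into the fixed `char path[1024]` is unbounded; `snprintf(path, sizeof path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);` keeps the test safe with a long source directory.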