From 2bb97f407c1145c850416a3bfbcc8cf124e68a19 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 16 Apr 2016 03:51:22 -0400
Subject: [PATCH] gd2: handle corrupt images better (CVE-2016-3074)
Make sure we do some range checking on corrupted chunks.
Thanks to Hans Jerry Illikainen <hji@dyntopia.com> for the in-depth report
and reproducer information. Made for easy test case writing :).
---
.gitignore | 1 +
src/gd_gd2.c | 2 ++
tests/Makefile.am | 3 ++-
tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++
tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
5 files changed, 30 insertions(+), 1 deletion(-)
create mode 100644 tests/gd2/gd2_read_corrupt.c
create mode 100644 tests/gd2/invalid_neg_size.gd2
diff --git a/.gitignore b/.gitignore
index a68f3b9..35acd71 100644
--- a/.gitignore
+++ b/.gitignore
@@ -150,6 +150,7 @@ Makefile.in
/tests/gd2/gd2_im2im
/tests/gd2/gd2_null
/tests/gd2/gd2_read
+/tests/gd2/gd2_read_corrupt
/tests/gdimagearc/bug00079
/tests/gdimageline/gdimageline_aa
/tests/gdimageline/bug00072
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index 6f28461..a50b33d 100644
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
if (gdGetInt (&cidx[i].size, in) != 1) {
goto fail2;
};
+ if (cidx[i].offset < 0 || cidx[i].size < 0)
+ goto fail2;
};
*chunkIdx = cidx;
};
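Review bot: The added `if (cidx[i].offset < 0 || cidx[i].size < 0)` only rejects negative values; a large positive `offset` or `size` still passes, so if the chunk table is later used in `offset + size` arithmetic in `int` (presumably, given the field types) that sum can overflow, and nothing here bounds either value against the real input length — an additional guard along the lines of `if (cidx[i].size > INT_MAX - cidx[i].offset) goto fail2;` would close that, unless the consumer already clamps these. Whether `fail2` frees `cidx` cannot be confirmed from this hunk, since `_gd2GetHeader`'s body and its labels continue outside it. As a point of style, the neighbouring `if` bodies in this function are braced (`{ goto fail2; };`) while the new two-line form is not; `{ goto fail2; }` would match the file.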
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ed2c35b..b582266 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -129,7 +129,8 @@ endif
if HAVE_LIBZ
check_PROGRAMS += \
- gd2/gd2_null
+ gd2/gd2_null \
+ gd2/gd2_read_corrupt
endif
if HAVE_LIBPNG
diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
new file mode 100644
index 0000000..11f6a67
--- /dev/null
+++ b/tests/gd2/gd2_read_corrupt.c
@@ -0,0 +1,25 @@
+/* Just try to read the invalid gd2 image & not crash. */
+#include "gd.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include "gdtest.h"
+
+int main()
+{
+ gdImagePtr im;
+ FILE *fp;
+ char path[1024];
+
+ /* Read the corrupt image. */
+ sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
+ fp = fopen(path, "rb");
+ if (!fp) {
+ printf("failed, cannot open file\n");
+ return 1;
+ }
+ im = gdImageCreateFromGd2(fp);
+ fclose(fp);
+
+ /* Should have failed & rejected it. */
+ return im == NULL ? 0 : 1;
+}
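Review bot: `sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR)` writes into the fixed 1024-byte `path` with no bound, so a long build-tree path overflows a stack buffer in a test that exists to exercise a memory-safety fix; use `snprintf(path, sizeof path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR)` and treat a return value of `>= sizeof path` as a failure. `int main()` should be `int main(void)` so it is a proper prototype. A header comment such as `/* Regression test for CVE-2016-3074: a gd2 chunk index with a negative size must be rejected by gdImageCreateFromGd2 (NULL), not crash. */` would tie the fixture to the bug it covers.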
diff --git a/tests/gd2/invalid_neg_size.gd2 b/tests/gd2/invalid_neg_size.gd2
new file mode 100644
index 0000000000000000000000000000000000000000..3075f15a81a5ac0312f1548ef7733726c58c1f24
GIT binary patch
literal 1676
zcmYdKF=Aj~VqgS92QbaVz`&x(z`&3Xq-XpG0w8-7jE2By2#o9ys9<DFVVM2jkq&_A
zrDUq`{Y^Pj0@g4#f0QiA55HlZ@HF9tMV4@gn1|r?E8jjStJyO=Js<hwb(hMKkhS`+
zIH#n4b81fOwK1Q}GC6xgli<E9^KAlt^6h-|{O7gG+mZ)9yjgNsGr@B1WVxObuQtrM
z#=^yN#mUv!UZ(isn|)g<Gm@q5JT~X>)=nrYtl!eO@Y0j(uP24Oy8cV*JZTi%$LjUn
zHzKcM%atz4N1|6Bc&yqQwj{71^7_XwahG!Za#qgRp0&AK_7P)ivKtpiqy+Qht#SF*
zMaQJhn^t_9qk56qrqA%Mh<Mrlt=-}^_8Zw$*2~9UTQu|P_ebAXt^L@%Vt&w)*ca?Q
zmoGA&ZC@r<dvR&!HA|J%GCJj_qO%-7e~P{{Z%T`}?Mk-4Qs-VbA2hzb+D@-d@!0Z+
zna|e#ek}Mja+lhIXxR|+VBxjjJloZ}IRBU@_!{=-_#X*LR5`n@?<Lo!M7h*c?@zVv
zYd=`G>{#vZ%zd@pEzz2O-%mf&R%I<VH&wT7kAHuuw|n=Ay_LQ$h6%e%zJGeR{l>8q
zf?T2nbvg-FtoADt&xdhev;R0l>jm4q7qbJdANGtCPvX9R`uql)<-sap|IGrVrT6W5
zXnv=f!*bd}GjY+2hGIKyAG$nqUSL?uGc}?vV9J_*x4-T7>?=Ea+<1Qdhx_^N-fMX)
OZWwA+Ogk&gc>@5dGaWbp
literal 0
HcmV?d00001