From 2bb97f407c1145c850416a3bfbcc8cf124e68a19 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 16 Apr 2016 03:51:22 -0400
Subject: [PATCH] gd2: handle corrupt images better (CVE-2016-3074)

Make sure we do some range checking on corrupted chunks.

Thanks to Hans Jerry Illikainen <hji@dyntopia.com> for the in-depth report
and reproducer information.  Made for easy test case writing :).
---
 .gitignore                     |   1 +
 src/gd_gd2.c                   |   2 ++
 tests/Makefile.am              |   3 ++-
 tests/gd2/gd2_read_corrupt.c   |  25 +++++++++++++++++++++++++
 tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
 5 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 tests/gd2/gd2_read_corrupt.c
 create mode 100644 tests/gd2/invalid_neg_size.gd2

diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index 6f28461..a50b33d 100644
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
 			if (gdGetInt (&cidx[i].size, in) != 1) {
 				goto fail2;
 			};
+			if (cidx[i].offset < 0 || cidx[i].size < 0)
+				goto fail2;
 		};
 		*chunkIdx = cidx;
 	};
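Review bot: The new check on the two added lines rejects only negative chunk offsets and sizes; an arbitrarily large positive `cidx[i].size` or an `offset` past the end of the stream still passes, so whatever later reads a chunk from `cidx` (outside this hunk) must still bound those values against the data actually available before allocating or copying. If no such bound exists there, the patch narrows but does not close the corrupt-index case. As a point of style, the added `if` is unbraced while the neighbouring `if (gdGetInt (...) != 1)` bodies are braced; matching them, `if (cidx[i].offset < 0 || cidx[i].size < 0) {` / `goto fail2;` / `}`, keeps the function uniform. _gd2GetHeader begins and ends outside this hunk.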
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ed2c35b..b582266 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -129,7 +129,8 @@ endif
 
 if HAVE_LIBZ
 check_PROGRAMS += \
-	gd2/gd2_null
+	gd2/gd2_null \
+	gd2/gd2_read_corrupt
 endif
 
 if HAVE_LIBPNG
diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
new file mode 100644
index 0000000..11f6a67
--- /dev/null
+++ b/tests/gd2/gd2_read_corrupt.c
@@ -0,0 +1,25 @@
+/* Just try to read the invalid gd2 image & not crash. */
+#include "gd.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include "gdtest.h"
+
+int main()
+{
+	gdImagePtr im;
+	FILE *fp;
+	char path[1024];
+
+	/* Read the corrupt image. */
+	sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
+	fp = fopen(path, "rb");
+	if (!fp) {
+		printf("failed, cannot open file\n");
+		return 1;
+	}
+	im = gdImageCreateFromGd2(fp);
+	fclose(fp);
+
+	/* Should have failed & rejected it. */
+	return im == NULL ? 0 : 1;
+}
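Review bot: The `sprintf` into the fixed `char path[1024]` has no bound, so a long `GDTEST_TOP_DIR` (a build-time directory string the test does not control) overruns the buffer; `snprintf(path, sizeof path, ...)` with a truncation check is the bounded form. When `gdImageCreateFromGd2` unexpectedly succeeds the returned image is never released, so the failing branch also leaks it; calling `gdImageDestroy(im)` before returning 1 keeps the test clean under a leak checker. `int main()` should also be `int main(void)` to declare a proper prototype.
```c
int main(void)
{
	/* … unchanged: declarations of im, fp, path … */

	/* Read the corrupt image. */
	int n = snprintf(path, sizeof path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
	if (n < 0 || (size_t)n >= sizeof path) {
		printf("failed, path too long\n");
		return 1;
	}
	/* … unchanged: fopen, gdImageCreateFromGd2, fclose … */

	/* Should have failed & rejected it. */
	if (im != NULL) {
		gdImageDestroy(im);
		return 1;
	}
	return 0;
}
```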