Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
gd
gd-CVE-2017-6362.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gd-CVE-2017-6362.patch of Package gd
Index: libgd-2.1.0/src/gd_png.c =================================================================== --- libgd-2.1.0.orig/src/gd_png.c 2013-06-25 11:58:23.000000000 +0200 +++ libgd-2.1.0/src/gd_png.c 2017-09-05 16:27:14.350132051 +0200 @@ -473,6 +473,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro return im; } +static int _gdImagePngCtxEx(gdImagePtr im, gdIOCtx * outfile, int level); BGD_DECLARE(void) gdImagePngEx (gdImagePtr im, FILE * outFile, int level) { @@ -495,8 +496,11 @@ BGD_DECLARE(void *) gdImagePngPtr (gdIma void *rv; gdIOCtx *out = gdNewDynamicCtx (2048, NULL); if (out == NULL) return NULL; - gdImagePngCtxEx (im, out, -1); - rv = gdDPExtractData (out, size); + if (!_gdImagePngCtxEx (im, out, -1)) { + rv = gdDPExtractData (out, size); + } else { + rv = NULL; + } out->gd_free (out); return rv; } @@ -506,8 +510,11 @@ BGD_DECLARE(void *) gdImagePngPtrEx (gdI void *rv; gdIOCtx *out = gdNewDynamicCtx (2048, NULL); if (out == NULL) return NULL; - gdImagePngCtxEx (im, out, level); - rv = gdDPExtractData (out, size); + if (!_gdImagePngCtxEx (im, out, level)) { + rv = gdDPExtractData (out, size); + } else { + rv = NULL; + } out->gd_free (out); return rv; } @@ -518,11 +525,17 @@ BGD_DECLARE(void) gdImagePngCtx (gdImage gdImagePngCtxEx (im, outfile, -1); } +BGD_DECLARE(void) gdImagePngCtxEx (gdImagePtr im, gdIOCtx * outfile, int level) +{ + _gdImagePngCtxEx(im, outfile, level); +} + /* This routine is based in part on code from Dale Lutz (Safe Software Inc.) * and in part on demo code from Chapter 15 of "PNG: The Definitive Guide" * (http://www.libpng.org/pub/png/book/). */ -BGD_DECLARE(void) gdImagePngCtxEx (gdImagePtr im, gdIOCtx * outfile, int level) +/* returns 0 on success, 1 on failure */ +static int _gdImagePngCtxEx(gdImagePtr im, gdIOCtx * outfile, int level) { int i, j, bit_depth = 0, interlace_type; int width = im->sx; @@ -540,10 +553,11 @@ BGD_DECLARE(void) gdImagePngCtxEx (gdIma #ifdef PNG_SETJMP_SUPPORTED jmpbuf_wrapper jbw; #endif + int ret = 0; /* width or height of value 0 is invalid in IHDR; see http://www.w3.org/TR/PNG-Chunks.html */ - if (width == 0 || height ==0) return; + if (width == 0 || height ==0) return 1; #ifdef PNG_SETJMP_SUPPORTED png_ptr = png_create_write_struct (PNG_LIBPNG_VER_STRING, @@ -554,21 +568,21 @@ BGD_DECLARE(void) gdImagePngCtxEx (gdIma #endif if (png_ptr == NULL) { gd_error("gd-png error: cannot allocate libpng main struct\n"); - return; + return 1; } info_ptr = png_create_info_struct (png_ptr); if (info_ptr == NULL) { gd_error("gd-png error: cannot allocate libpng info struct\n"); png_destroy_write_struct (&png_ptr, (png_infopp) NULL); - return; + return 1; } #ifdef PNG_SETJMP_SUPPORTED if (setjmp(jbw.jmpbuf)) { gd_error("gd-png error: setjmp returns error condition\n"); png_destroy_write_struct (&png_ptr, &info_ptr); - return; + return 1; } #endif @@ -620,6 +634,7 @@ BGD_DECLARE(void) gdImagePngCtxEx (gdIma } if (colors == 0) { gd_error("gd-png error: no colors in palette\n"); + ret = 1; goto bail; } if (colors < im->colorsTotal) { @@ -751,11 +766,13 @@ BGD_DECLARE(void) gdImagePngCtxEx (gdIma png_bytep *prow_pointers; int saveAlphaFlag = im->saveAlphaFlag; if (overflow2(sizeof (png_bytep), height)) { + ret = 1; goto bail; } row_pointers = gdMalloc (sizeof (png_bytep) * height); if (row_pointers == NULL) { gd_error("gd-png error: unable to allocate row_pointers\n"); + ret = 1; goto bail; } prow_pointers = row_pointers; @@ -767,6 +784,7 @@ BGD_DECLARE(void) gdImagePngCtxEx (gdIma gdFree (row_pointers[i]); /* 2.0.29: memory leak TBB */ gdFree(row_pointers); + ret = 1; goto bail; } pOutputRow = *prow_pointers++; @@ -800,11 +818,13 @@ BGD_DECLARE(void) gdImagePngCtxEx (gdIma if (remap) { png_bytep *row_pointers; if (overflow2(sizeof (png_bytep), height)) { + ret = 1; goto bail; } row_pointers = gdMalloc (sizeof (png_bytep) * height); if (row_pointers == NULL) { gd_error("gd-png error: unable to allocate row_pointers\n"); + ret = 1; goto bail; } for (j = 0; j < height; ++j) { @@ -814,6 +834,7 @@ BGD_DECLARE(void) gdImagePngCtxEx (gdIma gdFree (row_pointers[i]); /* TBB: memory leak */ gdFree (row_pointers); + ret = 1; goto bail; } for (i = 0; i < width; ++i) @@ -834,6 +855,7 @@ BGD_DECLARE(void) gdImagePngCtxEx (gdIma /* 1.6.3: maybe we should give that memory BACK! TBB */ bail: png_destroy_write_struct (&png_ptr, &info_ptr); + return ret; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor