SUSE:SLE-12-SP2:GA
File gd-CVE-2016-7568.patch of Package gd.21223
Index: libgd-2.1.0/src/gd_webp.c =================================================================== --- libgd-2.1.0.orig/src/gd_webp.c 2013-06-25 11:58:23.000000000 +0200 +++ libgd-2.1.0/src/gd_webp.c 2016-10-13 18:06:15.266939283 +0200 @@ -6,6 +6,7 @@ #include <math.h> #include <string.h> #include <stdlib.h> +#include <limits.h> #include "gd.h" #include "gd_errors.h" @@ -160,6 +161,19 @@ int mapQualityToVP8QP(int quality) { return (int)(vp8qp + 0.5); } +int overflow_add(int a, int b) +{ + if( a > INT_MAX - b) + return 1; + return 0; +} + +int overflow3(int a, int b, int c) +{ + return (overflow2(a,b) + overflow2(a*b, c)); +} + + /* This routine is based in part on code from Dale Lutz (Safe Software Inc.) * and in part on demo code from Chapter 15 of "PNG: The Definitive Guide" * (http://www.cdrom.com/pub/png/pngbook.html). @@ -181,6 +195,18 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImag yuv_height = (height + 1) >> 1; yuv_nbytes = width * height + 2 * yuv_width * yuv_height; + if (overflow2(width, height)) { + return; + } + + if (overflow3(2, yuv_width, yuv_height)) { + return; + } + + if (overflow_add(width * height, 2 * yuv_width * yuv_height)) { + return; + } + if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) { gd_error("gd-webp error: cannot allocate Y buffer"); return;
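Review bot: in the hunk at @@ -160,6 +161,19 @@, overflow3() still evaluates a*b as the argument of the second overflow2() call when overflow2(a,b) has already reported that the product does not fit, because the two results are combined with + rather than a short-circuiting operator; signed overflow in that multiplication is undefined behaviour in C. Suggest `return overflow2(a, b) || overflow2(a * b, c);` so the product is only formed once it is known to be representable. In overflow_add(), the expression INT_MAX - b is itself only safe for non-negative b, so either document that precondition in a comment or reject negative operands up front. Both helpers are added without `static` and without a comment; if they are meant for gd_webp.c only, declaring them static keeps them out of the library's external symbols.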
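Review bot: in the gdImageWebpCtx hunk at @@ -181,6 +195,18 @@, the three new checks are placed after the context line `yuv_nbytes = width * height + 2 * yuv_width * yuv_height;`, so the int arithmetic they are meant to guard has already been evaluated by the time they run. Move the checks above that assignment and compute yuv_nbytes only once all of them pass, so no overflowed value is ever produced. The new early returns are also silent, unlike the gdCalloc failure path directly below, which calls gd_error(); unless overflow2() reports on its own, adding a gd_error() message to each branch would make a rejected image diagnosable.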