From e343475c88f3b37f4695e2a3edfcc73d0fb2ca13 Mon Sep 17 00:00:00 2001
From: Marek Skalický
Date: May 31 2016 10:09:34 +0000
Subject: Backported fixes of two memory leaks (CVE-2015-8877, CVE-2016-5116)
---
diff --git a/gd-2.1.1-gdImagreScaleTwoPass-leak.patch b/gd-2.1.1-gdImagreScaleTwoPass-leak.patch
new file mode 100644
index 0000000..a3fe414
--- /dev/null
+++ b/gd-2.1.1-gdImagreScaleTwoPass-leak.patch
@@ -0,0 +1,27 @@
+From 4751b606fa38edc456d627140898a7ec679fcc24 Mon Sep 17 00:00:00 2001
+From: Vladimir Mitrovic
+Date: Wed, 5 Aug 2015 03:01:06 +0200
+Subject: [PATCH] gdImageScaleTwoPass memory leak fix
+
+Fixing memory leak in gdImageScaleTwoPass, as reported by @cmb69 and
+confirmed by @vapier. This bug actually bit me in production and I'm
+very thankful that it was reported with an easy fix.
+
+Fixes #173.
+---
+ src/gd_interpolation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index fcc11e6..f00c946 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -1087,7 +1087,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+ }/* if */
+ 
+ if (src != tmp_im) {
+- gdFree(tmp_im);
++ gdImageDestroy(tmp_im);
+ }/* if */
+ 
+ return dst;
diff --git a/gd-2.1.1-xbm-large-names-overflow.patch b/gd-2.1.1-xbm-large-names-overflow.patch
new file mode 100644
index 0000000..c3ed113
--- /dev/null
+++ b/gd-2.1.1-xbm-large-names-overflow.patch
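Review bot: The `gdImageDestroy(tmp_im)` at the end of the hunk only runs on the fall-through path; gdImageScaleTwoPass begins well above the hunk, and if the body between creating `tmp_im` and this point has early error returns (the `}/* if */` context suggests the passes are conditional), each of them would still leak the intermediate image and would need the same `gdImageDestroy` — worth checking against the full function when backporting. Separately, the commit subject and changelog describe both backports as memory leaks, while the second patch's own description is a stack information leak (stack contents over-read into the output), so `Backported fixes for a memory leak (CVE-2015-8877) and a stack info leak (CVE-2016-5116)` would be more accurate. The vendored file name `gd-2.1.1-gdImagreScaleTwoPass-leak.patch` misspells the function; it is referenced consistently in gd.spec so the build is unaffected, but it makes the patch harder to locate later.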
@@ -0,0 +1,89 @@
+From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Sat, 14 May 2016 01:38:18 -0400
+Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
+
+We use the name passed in to printf into a local stack buffer which is
+limited to 4000 bytes. So given a large enough value, lots of stack
+data is leaked. Rewrite the code to do simple memory copies with most
+of the strings to avoid that issue, and only use stack buffer for small
+numbers of constant size.
+
+This closes #211.
+---
+ src/gd_xbm.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 74d839b..d28fdfc 100644
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ /* {{{ gdCtxPrintf */
+ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
+ {
+- char buf[4096];
++ char buf[1024];
+ int len;
+ va_list args;
+ 
+@@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
+ }
+ /* }}} */
+ 
++/* The compiler will optimize strlen(constant) to a constant number. */
++#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s))
++
+ /* {{{ gdImageXbmCtx */
+ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
+ {
+@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
+ }
+ }
+ 
+- gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image));
+- gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image));
+- gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name);
++ /* Since "name" comes from the user, run it through a direct puts.
++ * Trying to printf it into a local buffer means we'd need a large
++ * or dynamic buffer to hold it all. */
++
++ /* #define _width 1234 */
++ gdCtxPuts(out, "#define ");
++ gdCtxPuts(out, name);
++ gdCtxPuts(out, "_width ");
++ gdCtxPrintf(out, "%d\n", gdImageSX(image));
++
++ /* #define _height 1234 */
++ gdCtxPuts(out, "#define ");
++ gdCtxPuts(out, name);
++ gdCtxPuts(out, "_height ");
++ gdCtxPrintf(out, "%d\n", gdImageSY(image));
++
++ /* static unsigned char _bits[] = {\n */
++ gdCtxPuts(out, "static unsigned char ");
++ gdCtxPuts(out, name);
++ gdCtxPuts(out, "_bits[] = {\n ");
+ 
+ free(name);
+ 
+@@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
+ if ((b == 128) || (x == sx && y == sy)) {
+ b = 1;
+ if (p) {
+- gdCtxPrintf(out, ", ");
++ gdCtxPuts(out, ", ");
+ if (!(p%12)) {
+- gdCtxPrintf(out, "\n ");
++ gdCtxPuts(out, "\n ");
+ p = 12;
+ }
+ }
+@@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
+ }
+ }
+ }
+- gdCtxPrintf(out, "};\n");
++ gdCtxPuts(out, "};\n");
+ }
+ /* }}} */
diff --git a/gd.spec b/gd.spec
index 11da6ba..799f8ee 100644
--- a/gd.spec
+++ b/gd.spec
@@ -5,7 +5,7 @@ Summary: A graphics library for quick creation of PNG or JPEG images
 Name: gd
 Version: 2.1.1
-Release: 3%{?prever}%{?short}%{?dist}
+Release: 4%{?prever}%{?short}%{?dist}
 Group: System Environment/Libraries
 License: MIT
 URL: http://libgd.bitbucket.org/
@@ -22,7 +22,12 @@ Source2: getver.pl
 Source3: invalid_neg_size.gd2
 Patch1: gd-2.1.0-multilib.patch
+# CVE-2016-3074
 Patch2: gd-heap-overflow.patch
+# CVE-2015-8877
+Patch3: gd-2.1.1-gdImagreScaleTwoPass-leak.patch
+# CVE-2016-5116
+Patch4: gd-2.1.1-xbm-large-names-overflow.patch
 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@@ -81,6 +86,8 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %setup -q -n libgd-%{version}%{?prever:-%{prever}}
 %patch1 -p1 -b .mlib
 %patch2 -p1
+%patch3 -p1 -b .image-scale
+%patch4 -p1 -b .xbm-overflow
 # Workaround for missing file
 cp %{SOURCE2} config/getver.pl
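Review bot: The `gdCtxPuts` macro added in the `@@ -191,6 +191,9` hunk evaluates `s` twice and parenthesizes neither argument; with the string literals and the `name` pointer used here that is harmless, but a `static inline` helper keeps the constant-folding of `strlen` while adding type checking: `static inline void gdCtxPuts(gdIOCtx *out, const char *s) { out->putBuf(out, s, (int)strlen(s)); }`. The `strlen` result is a `size_t` handed to `putBuf`, which in libgd's gdIOCtx takes an `int` length, so the implicit narrowing deserves either the explicit cast above or a comment stating why the length is known to fit. The rest of `gdImageXbmCtx`, including the loop above `@@ -215` that derives `name` from `file_name`, lies outside the hunks shown.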
@@ -151,6 +158,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 %changelog
+* Thu May 31 2016 Marek Skalicky - 2.1.1-4
+- Backported fixes of two memory leaks (CVE-2015-8877, CVE-2016-5116)
+
 * Thu Apr 28 2016 Marek Skalicky - 2.1.1-3
 - Fixed heap overflow (CVE-2016-3074)