diff options
author | Catalin Enache <catalin.enache@windriver.com> | 2017-05-22 16:01:11 +0300 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2017-06-05 11:01:45 +0200 |
commit | 0ae067ae242747bd9484a07bf9760822e6badc36 (patch) | |
tree | 0b96af0c58fd4a6903ee54e5c15fa0ecc981d678 | |
parent | 1fc882cdc477633207db0236619d8f447fad7563 (diff) | |
download | meta-openembedded-contrib-0ae067ae242747bd9484a07bf9760822e6badc36.tar.gz |
gd : CVE-2016-6906
The read_image_tga function in gd_tga.c in the GD Graphics Library (aka libgd)
before 2.2.4 allows remote attackers to cause a denial of service (out-of-bounds read)
via a crafted TGA file, related to the decompression buffer.
Reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6906
Upstream patches:
https://github.com/libgd/libgd/commit/fb0e0cce0b9f25389ab56604c3547351617e1415
https://github.com/libgd/libgd/commit/58b6dde319c301b0eae27d12e2a659e067d80558
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
5 files changed, 703 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/gd/gd/.gitignore-the-new-test-case.patch b/meta-oe/recipes-support/gd/gd/.gitignore-the-new-test-case.patch new file mode 100644 index 0000000000..eab4975cb6 --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/.gitignore-the-new-test-case.patch @@ -0,0 +1,24 @@ +From 8520274759cb8f95e483b02a445aff225e13467b Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 16 Aug 2016 16:00:27 +0200 +Subject: [PATCH] .gitignore the new test case + +Upstream-Status: Backport + +Signed-off-by: Catalin Enache <catalin.enache@windriver.com> +--- + tests/tga/.gitignore | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tests/tga/.gitignore b/tests/tga/.gitignore +index e88e124..7a659b1 100644 +--- a/tests/tga/.gitignore ++++ b/tests/tga/.gitignore +@@ -4,3 +4,4 @@ + /bug00248 + /bug00248a + /tga_null ++/tga_read +-- +2.10.2 + diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-6906-1.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-1.patch new file mode 100644 index 0000000000..97b7f72498 --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-1.patch @@ -0,0 +1,167 @@ +From fb0e0cce0b9f25389ab56604c3547351617e1415 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 16 Aug 2016 16:26:19 +0200 +Subject: [PATCH] Fix OOB reads of the TGA decompression buffer + +It is possible to craft TGA files which will overflow the decompression +buffer, but not the image's bitmap. Therefore we augment the check for the +bitmap's overflow with a check for the buffer's overflow. + +This issue had been reported by Ibrahim El-Sayed to security@libgd.org. + +CVE-2016-6906 + +Upstream-Status: Backport +CVE: CVE-2016-6906 + +Signed-off-by: Catalin Enache <catalin.enache@windriver.com> +--- + src/gd_tga.c | 6 ++++-- + tests/tga/.gitignore | 1 + + tests/tga/CMakeLists.txt | 1 + + tests/tga/Makemodule.am | 2 ++ + tests/tga/heap_overflow.c | 51 ++++++++++++++++++++++++++++++++++++++++++++ + tests/tga/heap_overflow.tga | Bin 0 -> 605 bytes + 6 files changed, 59 insertions(+), 2 deletions(-) + create mode 100644 tests/tga/heap_overflow.c + create mode 100644 tests/tga/heap_overflow.tga + +diff --git a/src/gd_tga.c b/src/gd_tga.c +index 8737b04..68e4b17 100644 +--- a/src/gd_tga.c ++++ b/src/gd_tga.c +@@ -300,7 +300,8 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 ); + buffer_caret++; + +- if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) { ++ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size ++ || buffer_caret + pixel_block_size > rle_size) { + gdFree( decompression_buffer ); + gdFree( conversion_buffer ); + return -1; +@@ -316,7 +317,8 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + encoded_pixels = decompression_buffer[ buffer_caret ] + 1; + buffer_caret++; + +- if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) { ++ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size ++ || buffer_caret + (encoded_pixels * pixel_block_size) > rle_size) { + gdFree( decompression_buffer ); + gdFree( conversion_buffer ); + return -1; +diff --git a/tests/tga/.gitignore b/tests/tga/.gitignore +index 7a659b1..cf0556b 100644 +--- a/tests/tga/.gitignore ++++ b/tests/tga/.gitignore +@@ -3,5 +3,6 @@ + /bug00247a + /bug00248 + /bug00248a ++/heap_overflow + /tga_null + /tga_read +diff --git a/tests/tga/CMakeLists.txt b/tests/tga/CMakeLists.txt +index 789fb14..11542a0 100644 +--- a/tests/tga/CMakeLists.txt ++++ b/tests/tga/CMakeLists.txt +@@ -5,6 +5,7 @@ LIST(APPEND TESTS_FILES + bug00247a + bug00248 + bug00248a ++ heap_overflow + tga_read + ) + +diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am +index a1e6af6..916d707 100644 +--- a/tests/tga/Makemodule.am ++++ b/tests/tga/Makemodule.am +@@ -4,6 +4,7 @@ libgd_test_programs += \ + tga/bug00247a \ + tga/bug00248 \ + tga/bug00248a \ ++ tga/heap_overflow \ + tga/tga_null \ + tga/tga_read + +@@ -14,6 +15,7 @@ EXTRA_DIST += \ + tga/bug00247a.tga \ + tga/bug00248.tga \ + tga/bug00248a.tga \ ++ tga/heap_overflow.tga \ + tga/tga_read_rgb.png \ + tga/tga_read_rgb.tga \ + tga/tga_read_rgb_rle.tga +diff --git a/tests/tga/heap_overflow.c b/tests/tga/heap_overflow.c +new file mode 100644 +index 0000000..0e9a2d0 +--- /dev/null ++++ b/tests/tga/heap_overflow.c +@@ -0,0 +1,51 @@ ++/** ++ * Test that the crafted TGA file doesn't trigger OOB reads. ++ */ ++ ++ ++#include "gd.h" ++#include "gdtest.h" ++ ++ ++static size_t read_test_file(char **buffer, char *basename); ++ ++ ++int main() ++{ ++ gdImagePtr im; ++ char *buffer; ++ size_t size; ++ ++ size = read_test_file(&buffer, "heap_overflow.tga"); ++ im = gdImageCreateFromTgaPtr(size, (void *) buffer); ++ gdTestAssert(im == NULL); ++ free(buffer); ++ ++ return gdNumFailures(); ++} ++ ++ ++static size_t read_test_file(char **buffer, char *basename) ++{ ++ char *filename; ++ FILE *fp; ++ size_t exp_size, act_size; ++ ++ filename = gdTestFilePath2("tga", basename); ++ fp = fopen(filename, "rb"); ++ gdTestAssert(fp != NULL); ++ ++ fseek(fp, 0, SEEK_END); ++ exp_size = ftell(fp); ++ fseek(fp, 0, SEEK_SET); ++ ++ *buffer = malloc(exp_size); ++ gdTestAssert(*buffer != NULL); ++ act_size = fread(*buffer, sizeof(**buffer), exp_size, fp); ++ gdTestAssert(act_size == exp_size); ++ ++ fclose(fp); ++ free(filename); ++ ++ return act_size; ++} +diff --git a/tests/tga/heap_overflow.tga b/tests/tga/heap_overflow.tga +new file mode 100644 +index 0000000000000000000000000000000000000000..e9bc0ecb2a847ac6edba92dd0ff61167b49002cd +GIT binary patch +literal 605 +zcmZQz;9`IQ9tIu;g&7<$F3o7Yg1qzyh6tefy9wZAs2d<Uh*yuz=?XwW4Qvuv#g2nS +zp93+mT0rVR>T&8(2TGy=f_l)@gSap~$FayUFu(!|SyJIFga^{8fGj~vwq8kkVgvv> +Cavop+ + +literal 0 +HcmV?d00001 + +-- +2.10.2 + diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch new file mode 100644 index 0000000000..8b6de97112 --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch @@ -0,0 +1,135 @@ +From 58b6dde319c301b0eae27d12e2a659e067d80558 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 16 Aug 2016 16:26:19 +0200 +Subject: [PATCH] Fix OOB reads of the TGA decompression buffer + +It is possible to craft TGA files which will overflow the decompression +buffer, but not the image's bitmap. Therefore we also have to check for +potential decompression buffer overflows. + +This issue had been reported by Ibrahim El-Sayed to security@libgd.org; +a modified case exposing an off-by-one error of the first patch had been +provided by Konrad Beckmann. + +This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906 +as well. + +Upstream-Status: Backport +CVE: CVE-2016-6906 + +Signed-off-by: Catalin Enache <catalin.enache@windriver.com> +--- + src/gd_tga.c | 8 +++++++- + tests/tga/Makemodule.am | 3 ++- + tests/tga/heap_overflow.c | 16 ++++++++++++---- + tests/tga/heap_overflow_1.tga | Bin 0 -> 605 bytes + tests/tga/heap_overflow_2.tga | Bin 0 -> 8746 bytes + 5 files changed, 21 insertions(+), 6 deletions(-) + create mode 100644 tests/tga/heap_overflow_1.tga + create mode 100644 tests/tga/heap_overflow_2.tga + +diff --git a/src/gd_tga.c b/src/gd_tga.c +index 68e4b17..f80f0b1 100644 +--- a/src/gd_tga.c ++++ b/src/gd_tga.c +@@ -295,7 +295,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + buffer_caret = 0; + + while( bitmap_caret < image_block_size ) { +- ++ ++ if (buffer_caret + pixel_block_size > rle_size) { ++ gdFree( decompression_buffer ); ++ gdFree( conversion_buffer ); ++ return -1; ++ } ++ + if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) { + encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 ); + buffer_caret++; +diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am +index 916d707..ab08dbf 100644 +--- a/tests/tga/Makemodule.am ++++ b/tests/tga/Makemodule.am +@@ -15,7 +15,8 @@ EXTRA_DIST += \ + tga/bug00247a.tga \ + tga/bug00248.tga \ + tga/bug00248a.tga \ +- tga/heap_overflow.tga \ ++ tga/heap_overflow_1.tga \ ++ tga/heap_overflow_2.tga \ + tga/tga_read_rgb.png \ + tga/tga_read_rgb.tga \ + tga/tga_read_rgb_rle.tga +diff --git a/tests/tga/heap_overflow.c b/tests/tga/heap_overflow.c +index 0e9a2d0..ddd4b63 100644 +--- a/tests/tga/heap_overflow.c ++++ b/tests/tga/heap_overflow.c +@@ -1,5 +1,5 @@ + /** +- * Test that the crafted TGA file doesn't trigger OOB reads. ++ * Test that crafted TGA files don't trigger OOB reads. + */ + + +@@ -7,21 +7,29 @@ + #include "gdtest.h" + + ++static void check_file(char *basename); + static size_t read_test_file(char **buffer, char *basename); + + + int main() + { ++ check_file("heap_overflow_1.tga"); ++ check_file("heap_overflow_2.tga"); ++ ++ return gdNumFailures(); ++} ++ ++ ++static void check_file(char *basename) ++{ + gdImagePtr im; + char *buffer; + size_t size; + +- size = read_test_file(&buffer, "heap_overflow.tga"); ++ size = read_test_file(&buffer, basename); + im = gdImageCreateFromTgaPtr(size, (void *) buffer); + gdTestAssert(im == NULL); + free(buffer); +- +- return gdNumFailures(); + } + + +diff --git a/tests/tga/heap_overflow_1.tga b/tests/tga/heap_overflow_1.tga +new file mode 100644 +index 0000000000000000000000000000000000000000..e9bc0ecb2a847ac6edba92dd0ff61167b49002cd +GIT binary patch +literal 605 +zcmZQz;9`IQ9tIu;g&7<$F3o7Yg1qzyh6tefy9wZAs2d<Uh*yuz=?XwW4Qvuv#g2nS +zp93+mT0rVR>T&8(2TGy=f_l)@gSap~$FayUFu(!|SyJIFga^{8fGj~vwq8kkVgvv> +Cavop+ + +literal 0 +HcmV?d00001 + +diff --git a/tests/tga/heap_overflow_2.tga b/tests/tga/heap_overflow_2.tga +new file mode 100644 +index 0000000000000000000000000000000000000000..2b681f2df8941d6823aa761be0a7fa3c02c92cbf +GIT binary patch +literal 8746 +zcmeIxF$#b%6a>*<djij4?cuz+Vi5?!RIY)@*eDAQ@`zPSwQE1NTI<YQEqdQG#s5@h +zwDFtAoIjm)CIQa|$z*q(vz}DbnPjrN&RI{Y=}a=&UFWPP)joCZ<31}ey8!(}FZZ71 +zWop>#e)AY=opmMw&j!h4cb&7IRMVMcvb)Y%PpaumGTB|{tS8lUCYkK6bJmk;IzMDC +D4PYIN + +literal 0 +HcmV?d00001 + +-- +2.10.2 + diff --git a/meta-oe/recipes-support/gd/gd/Fix-290-TGA-RLE-decoding-is-broken.patch b/meta-oe/recipes-support/gd/gd/Fix-290-TGA-RLE-decoding-is-broken.patch new file mode 100644 index 0000000000..64f5c62964 --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/Fix-290-TGA-RLE-decoding-is-broken.patch @@ -0,0 +1,359 @@ +From 4f8e26f2a40ffaa3a5b77be6a49989a1a42e2b83 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 16 Aug 2016 14:27:23 +0200 +Subject: [PATCH] Fix #290: TGA RLE decoding is broken + +We make it work only, for now. Actually, it doesn't make sense that +`oTga::bitmap` is an `int *` as we're storing only bytes there. If this +will be changed, we can even get rid of the `conversion_buffer` in +`read_image_tga` altogether, and read the image data into the +`decompression_buffer` (if RLE'd) or the `tga->bitmap` (if uncompressed) +directly. + +Upstream-Status: Backport + +Signed-off-by: Catalin Enache <catalin.enache@windriver.com> +--- + src/gd_tga.c | 18 ++++++++++-------- + tests/tga/CMakeLists.txt | 1 + + tests/tga/Makemodule.am | 8 ++++++-- + tests/tga/tga_read.c | 40 ++++++++++++++++++++++++++++++++++++++++ + tests/tga/tga_read_rgb.png | Bin 0 -> 2349 bytes + tests/tga/tga_read_rgb.tga | Bin 0 -> 90444 bytes + tests/tga/tga_read_rgb_rle.tga | Bin 0 -> 9987 bytes + 7 files changed, 57 insertions(+), 10 deletions(-) + create mode 100644 tests/tga/tga_read.c + create mode 100644 tests/tga/tga_read_rgb.png + create mode 100644 tests/tga/tga_read_rgb.tga + create mode 100644 tests/tga/tga_read_rgb_rle.tga + +diff --git a/src/gd_tga.c b/src/gd_tga.c +index ec6781f..8737b04 100644 +--- a/src/gd_tga.c ++++ b/src/gd_tga.c +@@ -207,12 +207,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + { + int pixel_block_size = (tga->bits / 8); + int image_block_size = (tga->width * tga->height) * pixel_block_size; +- uint8_t* decompression_buffer = NULL; ++ int* decompression_buffer = NULL; + unsigned char* conversion_buffer = NULL; + int buffer_caret = 0; + int bitmap_caret = 0; + int i = 0; + int encoded_pixels; ++ int rle_size; + + if(overflow2(tga->width, tga->height)) { + return -1; +@@ -266,7 +267,7 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + /*! \brief Read in RLE compressed RGB TGA + * Chunk load the pixel data from an RLE compressed RGB type TGA. + */ +- decompression_buffer = (uint8_t*) gdMalloc(image_block_size * sizeof(uint8_t)); ++ decompression_buffer = (int*) gdMalloc(image_block_size * sizeof(int)); + if (decompression_buffer == NULL) { + return -1; + } +@@ -277,7 +278,8 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + return -1; + } + +- if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) { ++ rle_size = gdGetBuf(conversion_buffer, image_block_size, ctx); ++ if (rle_size <= 0) { + gdFree(conversion_buffer); + gdFree(decompression_buffer); + return -1; +@@ -285,7 +287,7 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + + buffer_caret = 0; + +- while( buffer_caret < image_block_size) { ++ while( buffer_caret < rle_size) { + decompression_buffer[buffer_caret] = (int)conversion_buffer[buffer_caret]; + buffer_caret++; + } +@@ -298,14 +300,14 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 ); + buffer_caret++; + +- if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) { ++ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) { + gdFree( decompression_buffer ); + gdFree( conversion_buffer ); + return -1; + } + + for (i = 0; i < encoded_pixels; i++) { +- memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size); ++ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size * sizeof(int)); + bitmap_caret += pixel_block_size; + } + buffer_caret += pixel_block_size; +@@ -314,13 +316,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) + encoded_pixels = decompression_buffer[ buffer_caret ] + 1; + buffer_caret++; + +- if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) { ++ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) { + gdFree( decompression_buffer ); + gdFree( conversion_buffer ); + return -1; + } + +- memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size); ++ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size * sizeof(int)); + bitmap_caret += (encoded_pixels * pixel_block_size); + buffer_caret += (encoded_pixels * pixel_block_size); + } +diff --git a/tests/tga/CMakeLists.txt b/tests/tga/CMakeLists.txt +index c3a589c..789fb14 100644 +--- a/tests/tga/CMakeLists.txt ++++ b/tests/tga/CMakeLists.txt +@@ -5,6 +5,7 @@ LIST(APPEND TESTS_FILES + bug00247a + bug00248 + bug00248a ++ tga_read + ) + + ADD_GD_TESTS() +diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am +index dff828f..a1e6af6 100644 +--- a/tests/tga/Makemodule.am ++++ b/tests/tga/Makemodule.am +@@ -4,7 +4,8 @@ libgd_test_programs += \ + tga/bug00247a \ + tga/bug00248 \ + tga/bug00248a \ +- tga/tga_null ++ tga/tga_null \ ++ tga/tga_read + + EXTRA_DIST += \ + tga/CMakeLists.txt \ +@@ -12,4 +13,7 @@ EXTRA_DIST += \ + tga/bug00247.tga \ + tga/bug00247a.tga \ + tga/bug00248.tga \ +- tga/bug00248a.tga ++ tga/bug00248a.tga \ ++ tga/tga_read_rgb.png \ ++ tga/tga_read_rgb.tga \ ++ tga/tga_read_rgb_rle.tga +diff --git a/tests/tga/tga_read.c b/tests/tga/tga_read.c +new file mode 100644 +index 0000000..310b72f +--- /dev/null ++++ b/tests/tga/tga_read.c +@@ -0,0 +1,40 @@ ++/** ++ * Basic test case for reading TGA files. ++ */ ++ ++ ++#include "gd.h" ++#include "gdtest.h" ++ ++ ++static void assert_equals(char *exp, char *orig); ++ ++ ++int main() ++{ ++ assert_equals("tga_read_rgb.png", "tga_read_rgb.tga"); ++ assert_equals("tga_read_rgb.png", "tga_read_rgb_rle.tga"); ++ ++ return gdNumFailures(); ++} ++ ++ ++static void assert_equals(char *exp, char *orig) ++{ ++ gdImagePtr im; ++ FILE *fp; ++ char *filename; ++ ++ fp = gdTestFileOpen2("tga", orig); ++ gdTestAssertMsg(fp != NULL, "can't open %s", orig); ++ ++ im = gdImageCreateFromTga(fp); ++ gdTestAssertMsg(im != NULL, "can't read %s", orig); ++ fclose(fp); ++ ++ filename = gdTestFilePath2("tga", exp); ++ gdAssertImageEqualsToFile(filename, im); ++ gdFree(filename); ++ ++ gdImageDestroy(im); ++} +diff --git a/tests/tga/tga_read_rgb.png b/tests/tga/tga_read_rgb.png +new file mode 100644 +index 0000000000000000000000000000000000000000..bc468e3d927eaeb77d2f5c3bc35b970457f60f18 +GIT binary patch +literal 2349 +zcmZ`*c{tSX7XOaO7-6K6b&RD_MnXy$nHe#bsVG~TvfZ*vO?Jle8%ar+AySDfStFGh +zG#*)pL0RUPJ(FedBaE?x-*o@D_deZwpZ7WMdCuo~-t)faoX_)~lW+lNCI*p(001C{ +zHOJWSbt_+Pfp_!w<m@>WzS`|-X@&uIeytaE1*v>QB*5J9HUNl9{Spw6`Sc(k6uyJC +zHWeNNLm|3~tCo{U002|57?VrEU+1$sy;a&|;-kbZl`6E_C%>gqbDtC=57F3fUD$)k +zSG5DTL6#NnU=7wGcCw|<f|{rZi)5q<cVW*NQPQCY0xPU0_nGG#D?wR37BO^o^261% +z+}quQI_1ZP=gTNp-n|;#)z~^;78o=e@tRYrS#8Jc>M{W*OdYEgjJp6u9Rb7l#X%t` +zun;^h28uEP=P3Px?|rNGF#17D%A(CJ_ar|?n^0nq!~w+Wg23867ryn!Zlb|~&7A~z +zqkP=IPyLrOM?58>2rEq=&{*9OMU!HNWJkg`(`y(=2{WLg392OTDyiM2$iCLcv5LCG +zjWwRq46Da$pV|V^4Gvs36k1dWF^V4c8j%3~jN{*0*$phpF|-#zi@;k@t-s?cqW&sd +zPh{x~@zm`!5V23*L&Qb=_elN~nEEqQhrhNZiRU#|qjK>6ptaYgj*sAcuS+t-7X5aB +zUI5f*aL0Dut+y0vde?tg7QMa^0`(plvuD^Q>)J(abQY>@6P_*YY;XJ54VC^_f7F2x +z21ee^35}!<L@bW?<-JgJ-%sahFv68xPXghCl|CsCc-P-A{`kl_3By}Mq}YnYYmSt4 +z8h8mx?<zBgq9CzV4*#zR8t}x5Or8!9Rn6LgajJ!B)ebxEtrwC@*p4M@D51#?OEY}< +zqJHu+sCRU2YXNxiq(DP@*(Ui?Jz;IQ@O$Lbf}e8Nwij*L&iUd$N4-Ykfp$vDx#uv? +z#_eULpAbPvN<tVA>Ek##rQDAOW+@)2?%}XiiSi^ted1PQu{v0&?bA^r%z?7*An3_H +zvYFv8{p8fsCguNR$#3=6O{^H&8kT9N92CeaRAj3Y_cNl-znY8JZ{MpO#OK}A<_w9J +zWMI2Kl?xv|S-FTV(aUG_`UWTZOFJGgv2)>JR#*H2Uad(wyqbIZt?w|Dw|k<eY&&9F +zcr!zDg7=#H^=^MC+W02GN{78K=4Kuq90c@$7f$7+h)^YFm}-?3cEdU+Ivh5RC<+Yy +zOz(7r<tT|Z34S@glz^9lpp@OstDBGA(iwk<LQ#r@i_)^MV*Re3^qB#j7N}4etZfK> +zt6<wtj&M2(TLgTh3AH(}4;f4j=<Iu^axvT0!8B)K0O!7g?WnhIyGH5@EtT77&?E{6 +zB5<#{PWJOxQkF}LskzI@;(qVCjE%v-h|S8;`k#h^W5wR-cadW2H2Mk+7QZhqSRd!M +zcQ8fpx~O^(^O#2gXiWDX&u@lZT#qjPG~Xh0UobVq#~Lumf!%S9`Jhf%MH?4Re5-17 +z7BP>D>=sy59jEGoeEx_W13BnmhAs?*j6#bG1a@#16O~1>q+P2@%QN~``Ws7=WX;F9 +z`=p5I$1ig*G|iW8vslr2^8hj+A0HWDoT-@fn5I53ZWWp!r8fMghmpjdqC%E#%2HFI +zY&A(g!Li3+$<B^y8^Hw5!sXd&k%Ev!a;~aB#joj1?2ntu9|!GAFUwyc0oe_~y<}?E +zUh@HUbCI(x2W1rmg7ckzRL2Ew#cdujut+*-t0g)81Tu+3ZH4uP`r1d1kSooU@5ybL +zR5_J%A5sbak)KrSf>(r|V*&yCb;Ha(&ACi9w;?kQ7q1$hwjli^);+KIJAh|K&YL#E +z+b(`PZN>V_5?v`hu-U429K9fO%8*k8pE=jDkn5ZJK|Vgl*@&QE^;mwlCxWbq4(hyi +zUuz)bk@5^HOk@gB`SaWZfX07Eom07js%np8Xot&?YP8R+3|jrR4c#zO{LO<?^G84O +zoP}G`MK)LZDo_$#nWR09X>NY_mL~1^BUG})*4b;Z_zq+`Q@kzUHC&`trCiQYum;1? +zBic+0Bl>LLYU?>!B3k!Ils}uXR*`OEr3`f<P@HZFk`0fP5`^X=BOtC?@!vUq7B4OF +zZEw6+3eoFRE@xEw(%DfIybhJuo03Du2ldm$20Sn3hj15Lu&gPQp=N%r%hME$*j{^@ +zRTffQhH7JLB-70qVkSm$9Zt`mahHLT7O^JnNqAAJs0C^n+1uj_E-}S^?&_U=H?;D_ +z1U9UJAz|+7z|Yq(6${A~5fhc}hH5twnKukf#Dn_JnQ$J4-Z$d}*Trq>?aKr2p19c6 +zYJ}r+^s>6aD~mrp;oIUhlig4sM)Jg3=J{K;dp#BCzRu1sU3D1wJl{jA^Y#ShVT+|^ +zUyjiM&wD~v3zy}K!zWm%3cpu#(*)cmxw1+n+C7V|hcZ6h8CZLubXt&J)h$6yflV6> +zOVv_gDb*glO9FLL8x6bqM6(F#pGhGy+jjOyt9-daMWGrJKF{XvnT#^TeYaq2MG)qw +zJ=RV;Mwg*goOa?(wM=EH<#AS$egRj*wnm+Bu4Pb{$-O}GZSiuT1UdBDwv2Rz)b3+L +zRA=nkaWHB7I$T~B%;KynnS0b@3YpKqt$2;qzwLf>DZ4RFCQB!=QQ`Ft&y_PThuDsA +zckawmbFnA9Tl7+Ez%a)>>T+Nh@8UxzrZP`<pHEXVd#|2v=f_b#A@|oAzbk6Q_>|O) +zgw?Xli!)-)xrF2z=thH-TI;|>UVYK64@asT%484CF-pjk+~~wA+Z%fZYua+sDJ<Nf +zfO`bfl}ig_0&C7BCuBa)xZ?-mQO=bQ2N5;>Sw}~|(tM}hK+z>+^8QQhOsTxl+2AJ+ +zX8WjlS|;0WRv7s_Bk=@u$v3GL@qC?&jcNEv<o68kaz!pHOs@;#CSh|{!j&zrsfn8j +z6|o#^6C2NO9!G&u;Q0U5hkpCs|2Z3I$nNY~x}Tl<rOB|1KiB|RQyiuYbv@>9Cook& + +literal 0 +HcmV?d00001 + +diff --git a/tests/tga/tga_read_rgb.tga b/tests/tga/tga_read_rgb.tga +new file mode 100644 +index 0000000000000000000000000000000000000000..5f11f5a080f3424dff6ff368db6af140a5777e23 +GIT binary patch +literal 90444 +zcmeI4Kab?b5yc6Af(;c(13`fU*%&xb;tQC_*aPhI`Y#kR+DO4FyO7x>23DD|fPu*! +zc$3RVz$FeASlIpmlR7c>{0XS{cwI!Xhn!*0&G0z9w?L_y)m6=&?%yLhCt|YfC)vBd +z@3Mbp-(`!RR#lbBv<6~842S_SAO^&M7!U(uKn#chF(3xSfEW-1Vn7Ut0Wly3#DEwO +z17bi7hygJm2E>3E5CdYM&A?}$ex4m_TFdrYYCYz+9zh#Fz&|9|x2zKn^W#B#+TPQk +zkGJqug1wSH+UqE;=D8ly$2|8{dOgm*N*~8rNAWn%b(B8lxv$dearRaEIL<nX$9b-! +z^fAwUm0pjtuhPeH)=@mpa~-9RdG4$9dYpZgK8~}F;&GnqD1FRxU!~XM?5p%~oOKkB +z^IXTEkMH5{66|-Z6BF}fVs88T*I)i3JJhoOSJ|O9w{_I#nWx?l)duSh)duUtlh$At +z17Cjm-|T(t=^t5ksQGyXeY}RR66}rB$6N4TCD<$JL)!2RcC~{xmhcaW#u{p)fITEy +zttmer=|ik~9;VU``gjIkB^qnU`Ab-pXwrv%OZ+UJZKV%gx2JNgp5i>D59woyTux<9 +z(uedh6&9yB59vetm?D=`nUnM(eN2VLDb7RskUpl!<y7V*eMlcuVR4G{kUpf3DRMcL +zIY}SV$5dFH;yfm%k4wB~a-Co=-1}Dr-lw`wu&?y~m97o@G#T{q3H)`Uv4-!7EMeD) +zw)K9=Z~mTThuUAV|7C~TzV%W6$E~45nY6k?xn!MZFO2s+{6m8MjdfuTKfpgE*thW< +z{Cw2@xOHLsAGrJk{yNcELpGPN>qM)WwmHy;dAx?N66{Tw1IK#{s}k%La$6ep^HE#+ +za9lo1VAA+y4Y_=oz@+gjedzt&v$!^qahUWWUeAKpvG42Bhn^$GX6~HMCw)jC=fvyS +zbCo`%kFl9Mr}If4(#JXRI`&+p59woU=FaJS(ueeMPP~piSLs9g7@N6sI-m3*eVh}o +zW6yPB`q2AV`u~)Z`u~(cA78-VB^qn^p2#KaF44B$FA47vAM{(Ncz3vdANUYI_Vq~T +zJFok7_+8Hr{@dw6AD4;m*uMzx*i#=x;yd<VQBUIaym%dZzk)u#fWJ#L*6_E}FJX6y +zR{!R@|ExhDui;aE=k$%!$6N58@;j%mqz`GsGuYJ*`gjJP^1JEGWequh2}}9ibmmGQ +z`krwX_ipJ!*U+x(reg27kUpdjX`!D1>7##b#EsTQ`Va%U4)il1ee|!5xY623A7Vh) +zfqn+0kN&k0H(DF%Lk#FT(9eMM(Z4q0Mr$K|hyh&(`Wcv*KJ@;s-aDDpdnZ93Q+a<^ +z`j9>*rH}Wyw|@5N=h^$%`<z>~{m%qin`x{~&_)6OkZ858w2#x+NA1ID_95uwC47}= +zz52*T_`_V+ZoXxF%76dsKew<oecZR}82QUk$J(XkqFq?rVsrM=+dI91F>*dfeUR^p +zOs8;+{5;gLHn&=|ON(1<&R+VEKDzjZ2Kw$F(#J>m?+&_ubg5)Jru)Zfp6{oApOQYd +zwa^ujKBNz5CFMK%pzr4xvxIHj*iUG$U^$H6v1y&(p%Guen9G_f*dx5vTC9wj2G56n +z|5yYq@Of%s<Hq`6AI$y@fakh_U0A;Ni03elS1=yhthu+C<>UB*F_<5lxjeqIJnut3 +z$IoG`U%^;I&v~(rw(xbnjlQMNoBDNqtoebp40e+5=NOml8^f{p%x`^%M%@zTb9U92 +zey`caUXzcCKJMFfjC?Z2I$CbIXp=9ClcgtjY;nf67)H!$*JzV-%cp;I=eWXg*SM{G +z<g|2%V~)!lp64;Nt>)excV35he&noN-o;q_P5nGz@Fe=cxFsxRdfmf(i(%wkbmVOi +z<GmvulgFhoW*&QO%(TX~{yvYo+;Ngy9%9Bgxif~z9^;-Z_AjlDKIHhib%?RP2szXo +zb1ZKaayY(coc$}-*dLD9FsrNkam>0$*aBw#8>@*ua-LwUy=ULlxgBeMVC(4mz?d=L +z_l$AfL*EMCbKYVYeX+I**76U1IV`@fly#^3k7J@WwoB=3qAm}dkd@q$&?aw;nHAPY +zkGSW%b<U`^)n{WM$234rTl(r4|H<k?-x@VGuhRF0{=)U=9sRs-S^X9J$Kr45=K*VE +z?x@dK7_WdC|75w=hTj*&HZG^d4C4MiQTjTz(eKCSdA4$}-^NU9?0BsB7<EJRv5M<> +zjM~z1wy>NiUh`*t=0grOa$~XBqwf(`bL{&Nv(L)Dt+i$hM%}T0Ywn2gyzFaqH+62u +znjhFYg+6XEuIZ!mnU_qvoEF0_&M_9A1#2Vj?;)kd&10{Pnbz3W-{(;`L?3xqJ!<_u +zq|pK5ox157qc4Ur$oM{eY<ASIP~Xx3bHlid(;DrJ#oyG=1J0<AOW0kav99wzjQAR6 +z`Y5~h4E?#wX&8>;RaY%z$lG}i?DabAc{6t3SU!%Lz54L^aXXxotd-Wsw#6;B%OjUM +zD?;50zR?BR9J{qHINtkNk>fv?*DlXfkI5XH*VMTkYkuIY=KN6KHP49M!q(h-<VYWW +zLC^-DH?WQ4)wtdAz7+ZEP_y$|;Kr`MgL4d5yYXXo?W<x{=lvjcT_Syye%-B&oGX~! +zW14-9bW>S=?Dw6+?RztJJVw_s>il&!w;aSvSk0-$y1eBu-};Bt`kXMv2A<sC!l)bG +zQ%nb~b#d{XpA~t{XF&S`wt&^23BL6loVw@AAFds+>%V`jj1%vpoYuag&vZk-^mW!o +z{6l{K=$sQ6J4jooBdbp^vdU+vg?&!%Lto8v6gS<p*3sv%&2eF-hXQTt&W>B3NxTo| +zJ$0?XuD>^IF^>ND-+x>CivCBKX=F=Z==0BJ%qu%s7{p9R-CoAQ)Ykbp4&p1v+l7tI +ze2ZJmd-QdlGs;=m81zx!;LnQM`!EhYwMczD`tjIK-E-v+*Av$l%x)axyw+1Q)CIlg +zpM1yqC=fG!(BE)O{-I56_<INY%evG32YWu48COQeJ6T1%gpnoM6RdT;#c>h(*uRR# +zY-)Yn+8oQ(mKHZ3`i<p!4%SDH{&lEtt)tJeHuC&D>#-1P*4OgH`*7Y<*NSTlW~l?u +z_^$TWzM?kP5H+#s8MCx~HSd@q%j9RD)x0AwhZ#4y8?Rv;{hN@pf@l0b9J7w+TUZ@E +zj+<H^_ig0Zm>gprYP!Z|KdsSc$gk`Cn0;;JbB;C+{UXjy-E-v+*ORR^SdQ-lUL&6M +zE`2O_=z-(-dq`>LH1C-49PDc6tVLb!*r{V7-Y|}SUhiYZIQE8p%=dqYHMKtO+pL3i +zjmdEt=NMNo`wWHEBeo9lt#z~<?~%K5<8;=D_u;&!u9e>laJ+!s!q&m=;i;P(W_sz| +zBlPomtc10+gk#qFF$;fAwz2;Oj7$x+MW|c2nmQKZxy4=HEn;Mob_2U$U;Kx7t2XYp +zW90GN9LL7I568{8;kbmqa&-lc87nNd%d-|%1?#Ly-E-v+*Av(!|E7m#AN`)8pWK^1 +zntzY?IclF~1)z(S(?_E{e>U+xocGkVirDA1zqJQA=ChN3KDzOHqxR`m0J^w<*>l{g +z?@XzCuKeM83jEu>fu366a~1CyYgpX3=-Vg7kFx^M1fQvL7@yhf*{XNl#rtsHQ`d?+ +z3Jt6x9e7RncENo8opuGF3A<;QHd_C`JU)Bso-2R2o@}k54}K5X^yq~5lcnX#pLPYH +z5BttRos|2|Cf<khp1M}?+Cv8mSnjO#eI(A;@rPf5)IC@J>GY(v)!K>yF(3xSfEW-1 +zVn7Ut0Wly3#DEwO17bi7hygJm2E>3E5CdXB42S_SAO^&M7!U(uKn#chF(3xSfEW-1 +pVn7Ut0Wly3rpJK2`Txh?|LN;LKmWt?-@f?SH@|xR>#u*F{Rp+*(8>S+ + +literal 0 +HcmV?d00001 + +diff --git a/tests/tga/tga_read_rgb_rle.tga b/tests/tga/tga_read_rgb_rle.tga +new file mode 100644 +index 0000000000000000000000000000000000000000..ce845ad0c3da65205af25854d64568b1cf0921e3 +GIT binary patch +literal 9987 +zcmeI2J!~9R5Xbk<L5NgWrh*l6K@rf2A`LFK334O|$EPT_a+TuJx!kjzIGiJ2I<P>x +ziiRRbk%9(oq!dtCIspYA&6UugGcC>X|IOQdZ+$+;#>5ek&eFVnJ3DVa{%>aX?a5Je +zF>-%5qwk}eQT$4wzvw%Lr!o5$L%T1%_;U0&GrMhYD|*=1u+QBMI7bBz5GWAXUI?5o +z4)=h152)YuP~W$``}B?1quuDQ!tKvI-d*GdmoNVj?N0AU(FV5-mWdwpH55x49>GD6 +z=%BBmXlU4mV>@qJ8fX!<cQoubnZc3TbVtK}?@1Y0!9an5mD0dE28xA&sM>=CL?@={ +z0-|RLqE&j)8olUxtrw;AqBVNamHEBs60Ks5R&l9p6>VC@T4)u!Z+{g<yLY2MYn^Q1 +zd9ELFE4tU$u)n0?3plJ1J?v}PZ)msyr`8V<5?$KSu-0S-M?&o#4QoBb4;grXfdT`M +zN=c*-Fi>D%n-xb5tYDzPz)HDn9RtO}K-2&bfLTDa$ReF=%5-@43+;@(Xqh_Lqg5;e +zg}THltzs{<ie37oodrXq8PIa=9O>E>BBIs4hP5RP*Wqxy6Qz9`Y(v8pI6+HwtX$ra +zy1k}`<+7Ep?x=h3^=RRT3_QR<fq_Rg0|yu=Ft9z}zzPNm46Kv})-g~l4EUq{0-{A0 +z@uf#ui57)+Y^yj$Kb#Ty+&-!K64#`N?AC_rx07^75BGbIkyuBfFo`X6d}cobiI>AG +z_yH!{gxCD>ho1(boNM2tG;8-@MK-H=sqwzy_Dk<p<<Y;ghphqw-d=+40((iXvX>d} +zeC*AO?;PyiJI7egrh5aA*tASEv0P|sHWdv;37nkl7;GWQvslElsh1w>E)mVkrK5Wr +zvyT~j8_(=*6BF=71Iw<4W?fOstUs?=BFaQ*Da#xiBX|}K8QkJdG}zFPqlKLAcr83* +zWg<d$C_)R@Zt(9GMk4VnKb+4e=emmuJZ@>Q+HzQdV{TOj;%(7%jzp+KJSs$|sS9Fk +zi>8|_;%+MHn6)L%h}LxJYN%Lsjm=l2JEG}rgt!}vT81WTD?iXN22oo(>Q%FW$7$$! +zt&?$T0IopDHZ|A}nmLfzok8W3vju;nlA35T-r~-!Mh%-@xp^A6E=V4LfMg^hw4o2J +zZI)js`N&kV*g%#wDTZ~m<nWLi1ePizuWxAjE=soYvC=mb&tTOxu05X^q<~*Zj<9wL +zP=$-ZWz~5>cOy6~E}sky$N;c`=y|Ej2+1ZQ2f9i4w?h@e2{8NMT~!94nB@itGuLH} +zXVpo_fLn+Ny=`_6ub%qVxz9IOHOQr&m-w|E<2CfOb2=CaIW-6=RoY?8DbvigNhHcJ +zG#i_20Ls>TP|sG<1T!>Hm<6C_+a^z4YoiJ>5de05QI0M6IheVSK%5>}CEC#MwBHBI +ziIa1Wpa&iZ_r@?tJkJ5<afw}YS{54Q*|ADIR<0rq7ju0Ezq{lB$w1gObbznQZdZVC +zC{fEsk6_CHMd|PuWL7zD?Gbil$1PB(y&Zkn_I|ZCmODo!ml!;5_YN=f8&f%XLJ69i +zw+YreoXy~Iho>|{-W{nZBP!8&Q$t}P*I~(hRwZ6%$Lp+>-V88<W1vX?KTsG@4Mp7* +zP43JO--G~U!gJBc0<A+dG0?19zUEwf+}?LWRX6~j_TKxg%r*$-xiTt}Yajv!vcmP) +zqnTh(gvtWBmMHdlF_;5HXb)v)Q_z7o(;nJBIi5s&D7DGOkh+Oa-OSuJgOmf2R1I-V +zRL&L6j_DV<hr<B?9Mn_S!{H7Uhx4N2TcLZ}5FFv{ZJA>rG8_ARaUB|->lMt--ZnEI +zTJ7{U4;S{j2Ay9PTlySLkZpPkSyjD9xB@11Gqz?H&}bm6INZyXa|<usjtD%sjy+Z` +zO^{AKuWKHIUn2Ss=N8*9c5f<jyF%cp-^Zcb5%Fp{gGhMmxXnNb1>}y*$KYeSt=BT^ +z9)n8f69who6DC3I4i6#*smWsw#8aACPLFDXvaYploY`rTzv^v6%`=fZ=~tM<Gx7U2 +zGVu^u%W!94&zt&L+f3G5W^S(`9GhA$F^gxQaDFP%)PFP84q_$@7HzQb60>~+#d%*t +zf%)V_G>Dlk3}01X6V9YA0}KH#x+MuyPXYm7$4BlC*YhI}#g|)Uh0-v*i7ggcv&@^C +zjYO%ac80KpJfmhZkwXX$pH_*;t&cQIT_(xF6ht!Iic3UdT(%7ihfT|wtXWA&V1Sf; +zU3WEU`G(*m{rfc5Lu-SUf;0gW_gTQ5!wKEEk(Qj)=S2;}8FVa^9uYEg=U`?TJS&;e +zZ|IGrGhpnT4H$<N0L>R>%fn7eg+%K9in1ezX3K%Y`r6i<mRK!fyE0L3T&%#2e?}WI +zcSMQE6&v2hGddfHYR&MD28%5H1s1ZQZU%;X@Wf!oTq<&1f;-%4`%tL#0yUz{`gTy@ +x8%~Vp2_Ce5$E=Cyg!2^tf$X%_aF4$a-uv+CN7vrJ_RjTJKYsJtTUTF;{sH~|7$pDz + +literal 0 +HcmV?d00001 + +-- +2.10.2 + diff --git a/meta-oe/recipes-support/gd/gd_2.2.3.bb b/meta-oe/recipes-support/gd/gd_2.2.3.bb index 4e21d532d5..562170694c 100644 --- a/meta-oe/recipes-support/gd/gd_2.2.3.bb +++ b/meta-oe/recipes-support/gd/gd_2.2.3.bb @@ -16,7 +16,11 @@ SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \ file://fix-gcc-unused-functions.patch \ file://CVE-2016-10166.patch \ file://CVE-2016-10167.patch \ - file://CVE-2016-10168.patch" + file://CVE-2016-10168.patch \ + file://.gitignore-the-new-test-case.patch \ + file://Fix-290-TGA-RLE-decoding-is-broken.patch;apply=no \ + file://CVE-2016-6906-1.patch;apply=no \ + file://CVE-2016-6906-2.patch;apply=no" SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c" @@ -35,6 +39,19 @@ EXTRA_OECONF += " --disable-rpath \ EXTRA_OEMAKE = 'LDFLAGS="${LDFLAGS}"' +do_git_apply () { + cd ${S} + if [ ! -f tests/tga/tga_read_rgb.png ]; then + git apply ${S}/../Fix-290-TGA-RLE-decoding-is-broken.patch + git apply ${S}/../CVE-2016-6906-1.patch + git apply ${S}/../CVE-2016-6906-2.patch + fi +} + +do_patch_append() { + bb.build.exec_func('do_git_apply', d) +} + do_install_append() { # cleanup buildpaths from gdlib.pc sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/gdlib.pc |