diff options
| author |   Haiqing Bai <Haiqing.Bai@windriver.com> | 2020-03-04 14:24:13 +0800 |
|---|---|---|
| committer |   Armin Kuster <akuster808@gmail.com> | 2020-03-21 19:44:00 -0700 |
| commit | 9aea795890af4de0b8e6587f1f2778109446736d (patch) | |
| tree | e60217743287f27233e8a274814bd1a8cb368214 | |
| parent | 9e60d30669a2ad0598e9abf0cd15ee06b523986b (diff) | |
| download | meta-openembedded-contrib-9aea795890af4de0b8e6587f1f2778109446736d.tar.gz | |
gd: fix CVE-2017-6363
Backport the CVE patch from the upstream to fix the heap-based buffer
over-read in tiffWriter.
Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch | 35 | ||||
| -rw-r--r-- | meta-oe/recipes-support/gd/gd_2.2.5.bb | 1 |
2 files changed, 36 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch new file mode 100644 index 0000000000..25b5880ff9 --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch @@ -0,0 +1,35 @@ +From 8f7b60ea7db87de5df76169e3f3918e401ef8bf7 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Wed, 31 Jan 2018 14:50:16 -0500 +Subject: [PATCH] gd/gd2: make sure transparent palette index is within bounds + #383 + +The gd image formats allow for a palette of 256 colors, +so if the transparent index is out of range, disable it. + +Upstream-Status: Backport +[https://github.com/libgd/libgd.git commit:0be86e1926939a98afbd2f3a23c673dfc4df2a7c] +CVE-2017-6363 + +Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> +--- + src/gd_gd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/gd_gd.c b/src/gd_gd.c +index f8d39cb..5a86fc3 100644 +--- a/src/gd_gd.c ++++ b/src/gd_gd.c +@@ -54,7 +54,8 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag) + if (!gdGetWord (&im->transparent, in)) { + goto fail1; + } +- if (im->transparent == 257) { ++ /* Make sure transparent index is within bounds of the palette. */ ++ if (im->transparent >= 256 || im->transparent < 0) { + im->transparent = (-1); + } + } +-- +1.9.1 + diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.2.5.bb index 35f9bb2516..dda2e67d6d 100644 --- a/meta-oe/recipes-support/gd/gd_2.2.5.bb +++ b/meta-oe/recipes-support/gd/gd_2.2.5.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \ file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \ file://CVE-2018-1000222.patch \ file://CVE-2019-6978.patch \ + file://CVE-2017-6363.patch \ " SRCREV = "8255231b68889597d04d451a72438ab92a405aba" |