Diffstat (limited to 'meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch')
-rw-r--r--meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch60
1 files changed, 0 insertions, 60 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch
deleted file mode 100644
index 7ccfbeabc2..0000000000
--- a/meta-oe/recipes-support/gd/gd/CVE-2016-10166.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From c92240c1670c20c2f854761d3a89ab61dd158c91 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Sat, 6 Aug 2016 10:08:53 +0200
-Subject: [PATCH] Fix potential unsigned underflow
-
-No need to decrease `u`, so we don't do it. While we're at it, we also factor
-out the overflow check of the loop, what improves performance and readability.
-
-This issue has been reported by Stefan Esser to security@libgd.org.
-
-Upstream-Status: Backport
-CVE: CVE-2016-10166
-
-Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
----
- src/gd_interpolation.c | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
-diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
-index 7e7943d..9944349 100644
---- a/src/gd_interpolation.c
-+++ b/src/gd_interpolation.c
-@@ -829,8 +829,13 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
- {
- unsigned int u = 0;
- LineContribType *res;
-- int overflow_error = 0;
-+ size_t weights_size;
-
-+ if (overflow2(windows_size, sizeof(double))) {
-+ return NULL;
-+ } else {
-+ weights_size = windows_size * sizeof(double);
-+ }
- res = (LineContribType *) gdMalloc(sizeof(LineContribType));
- if (!res) {
- return NULL;
-@@ -847,15 +852,11 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
- return NULL;
- }
- for (u = 0 ; u < line_length ; u++) {
-- if (overflow2(windows_size, sizeof(double))) {
-- overflow_error = 1;
-- } else {
-- res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
-- }
-- if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
-+ res->ContribRow[u].Weights = (double *) gdMalloc(weights_size);
-+ if (res->ContribRow[u].Weights == NULL) {
- unsigned int i;
-- u--;
-- for (i=0;i<=u;i++) {
-+
-+ for (i=0;i<u;i++) {
- gdFree(res->ContribRow[i].Weights);
- }
- gdFree(res->ContribRow);
---
-2.10.2
-