From 2d37bdc03a6e2b820fe380016f22592a7733e0be Mon Sep 17 00:00:00 2001
From: Catalin Enache <catalin.enache@windriver.com>
Date: Fri, 7 Apr 2017 12:32:49 +0300
Subject: [PATCH] Fix #354: Signed Integer Overflow gd_io.c

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, what can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.

Upstream-Status: Backport
CVE: CVE-2016-10168

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
---
 src/gd_gd2.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index bae65ea..9006bd2 100644
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -151,6 +151,10 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
 	GD2_DBG (printf ("%d Chunks vertically\n", *ncy));
 
 	if (gd2_compressed (*fmt)) {
+		if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
+			GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
+			goto fail1;
+		}
 		nc = (*ncx) * (*ncy);
 
 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
-- 
2.10.2