From 58b6dde319c301b0eae27d12e2a659e067d80558 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 16 Aug 2016 16:26:19 +0200
Subject: [PATCH] Fix OOB reads of the TGA decompression buffer

It is possible to craft TGA files which will overflow the decompression
buffer, but not the image's bitmap. Therefore we also have to check for
potential decompression buffer overflows.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org;
a modified case exposing an off-by-one error of the first patch had been
provided by Konrad Beckmann.

This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906
as well.

Upstream-Status: Backport
CVE: CVE-2016-6906

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
---
 src/gd_tga.c                  |   8 +++++++-
 tests/tga/Makemodule.am       |   3 ++-
 tests/tga/heap_overflow.c     |  16 ++++++++++++----
 tests/tga/heap_overflow_1.tga | Bin 0 -> 605 bytes
 tests/tga/heap_overflow_2.tga | Bin 0 -> 8746 bytes
 5 files changed, 21 insertions(+), 6 deletions(-)
 create mode 100644 tests/tga/heap_overflow_1.tga
 create mode 100644 tests/tga/heap_overflow_2.tga

diff --git a/src/gd_tga.c b/src/gd_tga.c
index 68e4b17..f80f0b1 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -295,7 +295,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
 		buffer_caret = 0;
 
 		while( bitmap_caret < image_block_size ) {
-			
+
+			if (buffer_caret + pixel_block_size > rle_size) {
+				gdFree( decompression_buffer );
+				gdFree( conversion_buffer );
+				return -1;
+			}
+
 			if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
 				encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 );
 				buffer_caret++;
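Review bot: The new guard admits buffer_caret + pixel_block_size == rle_size, yet an RLE packet occupies the header byte at buffer_caret plus pixel_block_size bytes following the `buffer_caret++` on the last line of the hunk, so the pixel copy would end at index rle_size, which appears to be one past the bytes actually read into the decompression buffer; if the copy below the hunk is a memcpy of pixel_block_size bytes, the comparison should be `if (buffer_caret + pixel_block_size >= rle_size) {`. The guard also sizes the check for a single pixel block, so the non-RLE branch, which presumably copies encoded_pixels * pixel_block_size bytes, still needs its own bound against rle_size unless it already carries one. read_image_tga continues outside the hunk on both sides, so both points are hedged on the unseen body.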
diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am
index 916d707..ab08dbf 100644
--- a/tests/tga/Makemodule.am
+++ b/tests/tga/Makemodule.am
@@ -15,7 +15,8 @@ EXTRA_DIST += \
 	tga/bug00247a.tga \
 	tga/bug00248.tga \
 	tga/bug00248a.tga \
-	tga/heap_overflow.tga \
+	tga/heap_overflow_1.tga \
+	tga/heap_overflow_2.tga \
 	tga/tga_read_rgb.png \
 	tga/tga_read_rgb.tga \
 	tga/tga_read_rgb_rle.tga
diff --git a/tests/tga/heap_overflow.c b/tests/tga/heap_overflow.c
index 0e9a2d0..ddd4b63 100644
--- a/tests/tga/heap_overflow.c
+++ b/tests/tga/heap_overflow.c
@@ -1,5 +1,5 @@
 /**
- * Test that the crafted TGA file doesn't trigger OOB reads.
+ * Test that crafted TGA files don't trigger OOB reads.
  */
 
 
@@ -7,21 +7,29 @@
 #include "gdtest.h"
 
 
+static void check_file(char *basename);
 static size_t read_test_file(char **buffer, char *basename);
 
 
 int main()
 {
+    check_file("heap_overflow_1.tga");
+    check_file("heap_overflow_2.tga");
+
+    return gdNumFailures();
+}
+
+
+static void check_file(char *basename)
+{
     gdImagePtr im;
     char *buffer;
     size_t size;
 
-    size = read_test_file(&buffer, "heap_overflow.tga");
+    size = read_test_file(&buffer, basename);
     im = gdImageCreateFromTgaPtr(size, (void *) buffer);
     gdTestAssert(im == NULL);
     free(buffer);
-
-    return gdNumFailures();
 }
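Review bot: check_file() takes `char *basename` but is only called with string literals from main() and merely forwards the name, so it should be declared `static void check_file(const char *basename);` and defined with the same const-qualified signature; read_test_file's non-const parameter is pre-existing and may deserve the same treatment outside this hunk. A second point: when gdTestAssert fails because a crafted file decoded successfully, the returned image is never released, so `if (im != NULL) gdImageDestroy(im);` after the assertion keeps a failing run free of leaks under sanitizers. read_test_file's body lies outside the hunk, so whether it can hand back a NULL buffer on a missing file is not visible here.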
 
 
diff --git a/tests/tga/heap_overflow_1.tga b/tests/tga/heap_overflow_1.tga
new file mode 100644
index 0000000000000000000000000000000000000000..e9bc0ecb2a847ac6edba92dd0ff61167b49002cd
GIT binary patch
literal 605
zcmZQz;9`IQ9tIu;g&7<$F3o7Yg1qzyh6tefy9wZAs2d<Uh*yuz=?XwW4Qvuv#g2nS
zp93+mT0rVR>T&8(2TGy=f_l)@gSap~$FayUFu(!|SyJIFga^{8fGj~vwq8kkVgvv>
Cavop+

literal 0
HcmV?d00001

diff --git a/tests/tga/heap_overflow_2.tga b/tests/tga/heap_overflow_2.tga
new file mode 100644
index 0000000000000000000000000000000000000000..2b681f2df8941d6823aa761be0a7fa3c02c92cbf
GIT binary patch
literal 8746
zcmeIxF$#b%6a>*<djij4?cuz+Vi5?!RIY)@*eDAQ@`zPSwQE1NTI<YQEqdQG#s5@h
zwDFtAoIjm)CIQa|$z*q(vz}DbnPjrN&RI{Y=}a=&UFWPP)joCZ<31}ey8!(}FZZ71
zWop>#e)AY=opmMw&j!h4cb&7IRMVMcvb)Y%PpaumGTB|{tS8lUCYkK6bJmk;IzMDC
D4PYIN

literal 0
HcmV?d00001

-- 
2.10.2