diff options
author | Sakib Sajal <sakib.sajal@windriver.com> | 2020-03-18 12:54:36 -0700 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2020-03-18 15:35:33 -0700 |
commit | e6b805c3b2ab8ceb153d87caa7d8187252c94cdd (patch) | |
tree | c7b4f016b632edfd442d8414c15edc1b4ba5bb70 /meta-oe/recipes-support/gd/gd | |
parent | 568684f14d6b1e8658293dddfc4491883becd96d (diff) | |
download | meta-openembedded-e6b805c3b2ab8ceb153d87caa7d8187252c94cdd.tar.gz |
gd: Fix CVE-2018-14553
Backport fix from upstream to fix NULL pointer dereference.
Upstream-Status: Backport
CVE: CVE-2018-14553
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/recipes-support/gd/gd')
-rw-r--r-- | meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch b/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch new file mode 100644 index 0000000000..344f34febd --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch @@ -0,0 +1,110 @@ +From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com> +Date: Fri, 20 Dec 2019 12:03:33 -0300 +Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone() + +--- + src/gd.c | 9 +-------- + tests/gdimageclone/.gitignore | 1 + + tests/gdimageclone/CMakeLists.txt | 1 + + tests/gdimageclone/Makemodule.am | 3 ++- + tests/gdimageclone/style.c | 30 ++++++++++++++++++++++++++++++ + 5 files changed, 35 insertions(+), 9 deletions(-) + create mode 100644 tests/gdimageclone/style.c + +diff --git a/src/gd.c b/src/gd.c +index 592a028..d564d1f 100644 +--- a/src/gd.c ++++ b/src/gd.c +@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) { + } + } + +- if (src->styleLength > 0) { +- dst->styleLength = src->styleLength; +- dst->stylePos = src->stylePos; +- for (i = 0; i < src->styleLength; i++) { +- dst->style[i] = src->style[i]; +- } +- } +- + dst->interlace = src->interlace; + + dst->alphaBlendingFlag = src->alphaBlendingFlag; +@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) { + + if (src->style) { + gdImageSetStyle(dst, src->style, src->styleLength); ++ dst->stylePos = src->stylePos; + } + + for (i = 0; i < gdMaxColors; i++) { +diff --git a/tests/gdimageclone/.gitignore b/tests/gdimageclone/.gitignore +index a70782d..f4129cc 100644 +--- a/tests/gdimageclone/.gitignore ++++ b/tests/gdimageclone/.gitignore +@@ -1 +1,2 @@ + /bug00300 ++/style +diff --git a/tests/gdimageclone/CMakeLists.txt b/tests/gdimageclone/CMakeLists.txt +index e6ccc31..662f4e9 100644 +--- a/tests/gdimageclone/CMakeLists.txt ++++ b/tests/gdimageclone/CMakeLists.txt +@@ -1,5 +1,6 @@ + LIST(APPEND TESTS_FILES + bug00300 ++ style + ) + + ADD_GD_TESTS() +diff --git a/tests/gdimageclone/Makemodule.am b/tests/gdimageclone/Makemodule.am +index 4b1b54c..51abf5c 100644 +--- a/tests/gdimageclone/Makemodule.am ++++ b/tests/gdimageclone/Makemodule.am +@@ -1,5 +1,6 @@ + libgd_test_programs += \ +- gdimageclone/bug00300 ++ gdimageclone/bug00300 \ ++ gdimageclone/style + + EXTRA_DIST += \ + gdimageclone/CMakeLists.txt +diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c +new file mode 100644 +index 0000000..c2b246e +--- /dev/null ++++ b/tests/gdimageclone/style.c +@@ -0,0 +1,30 @@ ++/** ++ * Cloning an image should exactly reproduce all style related data ++ */ ++ ++ ++#include <string.h> ++#include "gd.h" ++#include "gdtest.h" ++ ++ ++int main() ++{ ++ gdImagePtr im, clone; ++ int style[] = {0, 0, 0}; ++ ++ im = gdImageCreate(8, 8); ++ gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0])); ++ ++ clone = gdImageClone(im); ++ gdTestAssert(clone != NULL); ++ ++ gdTestAssert(clone->styleLength == im->styleLength); ++ gdTestAssert(clone->stylePos == im->stylePos); ++ gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0]))); ++ ++ gdImageDestroy(clone); ++ gdImageDestroy(im); ++ ++ return gdNumFailures(); ++} +-- +2.20.1 + |