Package: libgd2 / 2.1.0-5+deb8u11

Metadata

Package: libgd2
Version: 2.1.0-5+deb8u11
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
0001 Fix possible buffer read overflow detected by fsanit.patch

src/gd_gif_in.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 fix possible buffer read overflow detected by -fsanitize=address,
 thanks to Jan Bee


0002 gdlib config uses pkgconfig.patch

config/gdlib-config.in | 41 18 + 23 - 0 !
1 file changed, 18 insertions(+), 23 deletions(-)

 gdlib-config-uses-pkgconfig


0003 fix compiled in version.patch

configure.ac | 13 8 + 5 - 0 !
src/gd.h.in | 10 5 + 5 - 0 !
2 files changed, 13 insertions(+), 10 deletions(-)

 fix-compiled-in-version


0004 subdir objects.patch

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 subdir-objects


0005 CVE 2014 2497 NULL pointer dereference fix 126.patch

src/gdxpm.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 cve-2014-2497, null pointer dereference, fix #126


0006 gd2 handle corrupt images better CVE 2016 3074.patch

src/gd_gd2.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 gd2-handle-corrupt-images-better-cve-2016-3074


0007 CVE 2015 8874.patch

src/gd.c | 11 11 + 0 - 0 !
1 file changed, 11 insertions(+)

 cve-2015-8874


0008 gdImageScaleTwoPass memory leak fix.patch

src/gd_interpolation.c | 25 4 + 21 - 0 !
1 file changed, 4 insertions(+), 21 deletions(-)

 gdimagescaletwopass memory leak fix

Fixing memory leak in gdImageScaleTwoPass, as reported by @cmb69 and
confirmed by @vapier.  This bug actually bit me in production and I'm
very thankful that it was reported with an easy fix.

Fixes #173.

0009 Fixed memory overrun bug in gdImageScaleTwoPass.patch

src/gd_interpolation.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 fixed memory overrun bug in gdimagescaletwopass

_gdContributionsCalc would compute a window size and then adjust
the left and right positions of the window to make a window within
that size.  However, it was storing the values in the struct *before*
it made the adjustment.  This change fixes that.

0010 Fix 86 gdImageScale segfaults with most interpolatio.patch

src/gd_interpolation.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix #86: gdimagescale segfaults with most interpolation types

Code fails to propagate the interpolation type to an intermediate
temp image.  This change fixes that.

0011 fix php bug 72339 CVE 2016 5766 Integer Overflow in .patch

src/gd_gd2.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 fix php bug 72339 (cve-2016-5766),
 Integer Overflow in _gd2GetHeader() resulting in heap overflow


0012 fix php 72494 invalid color index not handled can le.patch

src/gd_crop.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 fix php 72494, invalid color index not handled, can lead to crash


0013 gif avoid out of bound reads of masks array 209.patch

src/gd_gif_out.c | 12 11 + 1 - 0 !
1 file changed, 11 insertions(+), 1 deletion(-)

 gif: avoid out-of-bound reads of masks array #209

When given invalid inputs, we might be fed the EOF marker before it is
actually the EOF.  The gif logic assumes once it sees the EOF marker,
there won't be any more data, so it leaves the cur_bits index possibly
negative.  So when we get more data, we underflow the masks array.

Flag it so we don't try to output anything more.  The image is invalid,
so we shouldn't be truncating any valid inputs.

This fixes #209.

0014 Fix 247 A read out of bands was found in the parsing.patch

src/gd_tga.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 fix #247, a read out-of-bands was found in the parsing of tga files


0015 bug 248 fix Out Of Bounds Read in read_image_tga.patch

src/gd_tga.c | 29 18 + 11 - 0 !
1 file changed, 18 insertions(+), 11 deletions(-)

 bug #248, fix out-of-bounds read in read_image_tga


0016 Unsupported TGA bpp alphabit combinations should err.patch

src/gd_tga.c | 16 6 + 10 - 0 !
1 file changed, 6 insertions(+), 10 deletions(-)

 unsupported tga bpp/alphabit combinations should error gracefully

Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
really supported. All other combinations will be rejected with a warning.

(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)

0017 xbm avoid stack overflow read with large names 211.patch

src/gd_xbm.c | 34 27 + 7 - 0 !
1 file changed, 27 insertions(+), 7 deletions(-)

 xbm: avoid stack overflow (read) with large names #211

We use the name passed in to printf into a local stack buffer which is
limited to 4000 bytes.  So given a large enough value, lots of stack
data is leaked.  Rewrite the code to do simple memory copies with most
of the strings to avoid that issue, and only use stack buffer for small
numbers of constant size.

This closes #211.
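
Added example, not libgd's gd_xbm.c and not part of the patch above: the rewrite strategy the message describes, writing the caller-controlled name straight to the output with its own length and keeping a stack buffer only for the bounded numeric parts. The names sink, sink_put, xbm_header and xbm_demo are hypothetical stand-ins for libgd's output context; the sprintf-into-a-fixed-local form quoted in the comment is the shape of the problem as the message describes it, not the original code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable output sink standing in for the library's
 * output context; xbm_header() never writes anywhere else. */
typedef struct {
    char *buf;
    size_t len, cap;
} sink;

static int sink_put(sink *s, const char *p, size_t n)
{
    if (n == 0)
        return 1;
    if (n > s->cap - s->len) {
        size_t cap = s->cap ? s->cap * 2 : 256;
        char *nb;
        while (cap - s->len < n)
            cap *= 2;
        nb = realloc(s->buf, cap);
        if (!nb)
            return 0;
        s->buf = nb;
        s->cap = cap;
    }
    memcpy(s->buf + s->len, p, n);
    s->len += n;
    return 1;
}

/* Emit "#define <name>_width <w>\n#define <name>_height <h>\n".
 * The problematic shape is sprintf(localbuf, "#define %s_width %d\n", name, w)
 * into a fixed-size stack array: the caller controls strlen(name) while the
 * array size is a constant. Here the name is copied with its own length and
 * only the numeric parts, whose printed length is bounded, use a small buffer. */
int xbm_header(sink *s, const char *name, int w, int h)
{
    char num[32];                     /* "_height " + any int + "\n" fits */
    size_t nlen = strlen(name);
    int n;

    if (!sink_put(s, "#define ", 8) || !sink_put(s, name, nlen))
        return 0;
    n = snprintf(num, sizeof num, "_width %d\n", w);
    if (n < 0 || (size_t)n >= sizeof num || !sink_put(s, num, (size_t)n))
        return 0;
    if (!sink_put(s, "#define ", 8) || !sink_put(s, name, nlen))
        return 0;
    n = snprintf(num, sizeof num, "_height %d\n", h);
    if (n < 0 || (size_t)n >= sizeof num || !sink_put(s, num, (size_t)n))
        return 0;
    return 1;
}

/* Demo: a constructed name of name_len 'a' characters (well past 4000 if
 * asked), width 16 and height 8. Returns the header length when the layout
 * is as expected (36 + 2 * name_len bytes), -1 otherwise. */
long xbm_demo(size_t name_len)
{
    sink s = { NULL, 0, 0 };
    char *name = malloc(name_len + 1);
    long result = -1;

    if (!name)
        return -1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    if (xbm_header(&s, name, 16, 8)
        && s.len == 36 + 2 * name_len
        && memcmp(s.buf, "#define ", 8) == 0
        && memcmp(s.buf + 8 + name_len, "_width 16\n#define ", 18) == 0
        && memcmp(s.buf + s.len - 10, "_height 8\n", 10) == 0)
        result = (long)s.len;
    free(name);
    free(s.buf);
    return result;
}

int main(void)
{
    printf("3-char name:    %ld bytes\n", xbm_demo(3));
    printf("5000-char name: %ld bytes\n", xbm_demo(5000));
    return 0;
}
```

The growable sink is only there so the example is self-contained; the point is that no length derived from the name ever selects a stack buffer size.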

0018 CVE 2016 6207.patch

src/gd.c | 2 1 + 1 - 0 !
src/gd_interpolation.c | 52 44 + 8 - 0 !
2 files changed, 45 insertions(+), 9 deletions(-)

 cve-2016-6207


0019 Patch for security bug https bugs.php.net bug.php id.patch

src/gd_io_dp.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 patch for security bug https://bugs.php.net/bug.php?id=73280


0020 Fix invalid read in gdImageCreateFromTiffPtr.patch

src/gd_io_dp.c | 15 10 + 5 - 0 !
src/gd_tiff.c | 27 15 + 12 - 0 !
tests/tiff/CMakeLists.txt | 1 1 + 0 - 0 !
tests/tiff/tiff_invalid_read.c | 61 61 + 0 - 0 !
tests/tiff/tiff_invalid_read_1.tiff | 3 3 + 0 - 0 !
tests/tiff/tiff_invalid_read_2.tiff | 3 3 + 0 - 0 !
tests/tiff/tiff_invalid_read_3.tiff | 3 3 + 0 - 0 !
7 files changed, 96 insertions(+), 17 deletions(-)

 fix invalid read in gdimagecreatefromtiffptr()

tiff_invalid_read.tiff is corrupt, and causes an invalid read in
gdImageCreateFromTiffPtr(), but not in gdImageCreateFromTiff(). The culprit
is dynamicGetbuf(), which doesn't check for out-of-bound reads. In this case,
dynamicGetbuf() is called with a negative dp->pos, but also positive buffer
overflows have to be handled, in which case 0 has to be returned (cf. commit
75e29a9).

Fixing dynamicGetbuf() exhibits that the corrupt TIFF would still create
the image, because the return value of TIFFReadRGBAImage() is not checked.
We do that, and let createFromTiffRgba() fail if TIFFReadRGBAImage() fails.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org.
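
Added example, not libgd's gd_io_dp.c and not part of the patch above: a bounds-checked read from an in-memory buffer of the kind the dynamicGetbuf() fix describes, returning 0 when the cursor is negative or at/past the end and reading short at the end instead of over-reading. The context type and function names (dp_ctx, dp_getbuf, dp_seek, dp_demo_read) and the 16-byte sample buffer are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory I/O context with the fields the message above
 * names (pos, logicalSize); not libgd's own structure. */
typedef struct {
    const unsigned char *data;
    int logicalSize;            /* number of valid bytes in data */
    int pos;                    /* read cursor, set by seek or by prior reads */
} dp_ctx;

/* Copy up to len bytes from the cursor into buf and advance the cursor.
 * Returns the byte count copied, or 0 when nothing can be read safely:
 * a negative cursor, a cursor at or past logicalSize, or a non-positive len.
 * An unchecked memcpy(buf, dp->data + dp->pos, len) would read out of
 * bounds in exactly those cases. */
int dp_getbuf(dp_ctx *dp, void *buf, int len)
{
    int remaining;

    if (len <= 0)
        return 0;
    if (dp->pos < 0 || dp->pos >= dp->logicalSize)
        return 0;
    remaining = dp->logicalSize - dp->pos;
    if (len > remaining)
        len = remaining;        /* short read rather than over-read */
    memcpy(buf, dp->data + dp->pos, (size_t)len);
    dp->pos += len;
    return len;
}

/* Seek does no range check on purpose: the position can come from file
 * contents (offsets stored in the image itself), so the read path is the
 * place that has to validate it. */
void dp_seek(dp_ctx *dp, int pos)
{
    dp->pos = pos;
}

/* Demo over a constructed 16-byte buffer: seek to pos, ask for len bytes,
 * return the count actually read. */
int dp_demo_read(int pos, int len)
{
    static const unsigned char sample[16] = {        /* constructed bytes */
        0x49, 0x49, 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
    };
    unsigned char buf[64];
    dp_ctx dp = { sample, (int)sizeof sample, 0 };

    dp_seek(&dp, pos);
    return dp_getbuf(&dp, buf, len);
}

int main(void)
{
    printf("read 8 at -4: %d bytes\n", dp_demo_read(-4, 8));
    printf("read 8 at 12: %d bytes\n", dp_demo_read(12, 8));
    printf("read 1 at 16: %d bytes\n", dp_demo_read(16, 1));
    return 0;
}
```

The second half of the fix, failing the image when the decoder's own read routine reports failure, is the same discipline one level up: a 0 return from the read must propagate, not be treated as data.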

0021 CVE 2016 7568 Fix integer overflow in gdImageWebpCtx.patch

src/gd_webp.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

 fix integer overflow in gdimagewebpctx

Integer overflow can happen in the expression gdImageSX(im) * 4 *
gdImageSY(im). It could lead to a heap buffer overflow in the following
code. This issue has been reported to the PHP Bug Tracking System. The
proof-of-concept file will be supplied some days later. This issue was
discovered by Ke Liu of Tencent's Xuanwu LAB.

0022 fix 215 gdImageFillToBorder stack overflow when inva.patch

src/gd.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 fix #215 gdimagefilltoborder stack-overflow when invalid color is
 used


0023 Fix OOB reads of the TGA decompression buffer.patch

src/gd_tga.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 fix oob reads of the tga decompression buffer

It is possible to craft TGA files which will overflow the decompression
buffer, but not the image's bitmap. Therefore we augment the check for the
bitmap's overflow with a check for the buffer's overflow.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org.

0024 Fix double free in gdImageWebPtr.patch

src/gd_webp.c | 143 84 + 59 - 0 !
1 file changed, 84 insertions(+), 59 deletions(-)

 fix double-free in gdimagewebptr()

The issue is that gdImageWebpCtx() (which is called by gdImageWebpPtr() and
the other WebP output functions to do the real work) does not return whether
it succeeded or failed, so this is not checked in gdImageWebpPtr() and the
function wrongly assumes everything is okay, which is not, in this case,
because there is a size limitation for WebP, namely that the width and
height must be less than 16383.

We can't change the signature of gdImageWebpCtx() for API compatibility
reasons, so we introduce the static helper _gdImageWebpCtx() which returns
success or failure respectively, so gdImageWebpPtr() and gdImageWebpPtrEx() can
check the return value. We leave it solely to libwebp for now to report
warnings regarding the failing write.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org.

CVE-2016-6912

0025 Fix potential unsigned underflow.patch

src/gd_interpolation.c | 19 10 + 9 - 0 !
1 file changed, 10 insertions(+), 9 deletions(-)

 fix potential unsigned underflow

No need to decrease `u`, so we don't do it. While we're at it, we also factor
out the overflow check of the loop, which improves performance and readability.

This issue has been reported by Stefan Esser to security@libgd.org.

0026 Fix DOS vulnerability in gdImageCreateFromGd2Ctx.patch

src/gd_gd2.c | 14 6 + 8 - 0 !
1 file changed, 6 insertions(+), 8 deletions(-)

 fix dos vulnerability in gdimagecreatefromgd2ctx()

We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.

Conflicts:
	tests/gd2/CMakeLists.txt

0027 Fix OOB reads of the TGA decompression buffer.patch

src/gd_tga.c | 90 36 + 54 - 0 !
1 file changed, 36 insertions(+), 54 deletions(-)

 fix oob reads of the tga decompression buffer

It is possible to craft TGA files which will overflow the decompression
buffer, but not the image's bitmap. Therefore we also have to check for
potential decompression buffer overflows.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org;
a modified case exposing an off-by-one error of the first patch had been
provided by Konrad Beckmann.

This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906
as well.
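
Added example, not libgd's gd_tga.c and not part of patches 0023 or 0027: a TGA run-length decoder with the two checks those messages describe, one against the image bitmap and one against the compressed input buffer, so that a stream which stays inside the bitmap but runs past its input is rejected instead of read past the end. tga_rle_decode, tga_demo and tga_demo_byte are hypothetical names, and the packet streams in tga_demo are constructed, not taken from any reported file.

```c
#include <stdio.h>
#include <string.h>

/* Decode TGA run-length packets from in[0..in_len) into out[0..out_len).
 * out_len is the bitmap size the caller derived from width, height and
 * bytes per pixel (bpp), with its own overflow checks. A packet starts with
 * a header byte: bit 7 set means "repeat the next pixel count times",
 * clear means "count literal pixels follow", count = (header & 0x7F) + 1.
 * Returns the number of bytes written, or -1 for a malformed stream.
 * Two independent bounds are enforced: the bitmap (check 1) and the
 * compressed input (check 2). A stream that stays inside the bitmap but
 * runs past the input is exactly the case a bitmap-only check misses. */
long tga_rle_decode(const unsigned char *in, size_t in_len,
                    unsigned char *out, size_t out_len, size_t bpp)
{
    size_t ip = 0, op = 0;

    if (bpp == 0 || bpp > 4)
        return -1;
    while (op < out_len) {
        unsigned char hdr;
        size_t count, bytes, i;

        if (ip >= in_len)                   /* header byte missing */
            return -1;
        hdr = in[ip++];
        count = (size_t)(hdr & 0x7F) + 1;
        bytes = count * bpp;                /* at most 128 * 4 */
        if (bytes > out_len - op)           /* check 1: bitmap overflow */
            return -1;
        if (hdr & 0x80) {
            if (bpp > in_len - ip)          /* check 2: the one pixel is present */
                return -1;
            for (i = 0; i < count; i++, op += bpp)
                memcpy(out + op, in + ip, bpp);
            ip += bpp;
        } else {
            if (bytes > in_len - ip)        /* check 2: all literals are present */
                return -1;
            memcpy(out + op, in + ip, bytes);
            ip += bytes;
            op += bytes;
        }
    }
    return (long)op;
}

/* Constructed packet streams for a 2x2, one-byte-per-pixel bitmap. */
static unsigned char demo_out[4];

long tga_demo(int which)
{
    static const unsigned char ok[]        = { 0x81, 0xAA, 0x01, 0xBB, 0xCC }; /* run of 2, then 2 literals */
    static const unsigned char short_raw[] = { 0x03, 0x11, 0x22 };             /* 4 literals claimed, 2 present */
    static const unsigned char short_run[] = { 0x81 };                         /* run header, pixel byte missing */
    static const unsigned char too_long[]  = { 0x84, 0xFF };                   /* run of 5 into a 4-byte bitmap */
    const unsigned char *in;
    size_t n;

    switch (which) {
    case 0:  in = ok;        n = sizeof ok;        break;
    case 1:  in = short_raw; n = sizeof short_raw; break;
    case 2:  in = short_run; n = sizeof short_run; break;
    default: in = too_long;  n = sizeof too_long;  break;
    }
    memset(demo_out, 0, sizeof demo_out);
    return tga_rle_decode(in, n, demo_out, sizeof demo_out, 1);
}

int tga_demo_byte(int idx)
{
    return demo_out[idx];
}

int main(void)
{
    int w;
    for (w = 0; w < 4; w++)
        printf("stream %d -> %ld\n", w, tga_demo(w));
    return 0;
}
```

Stream 1 is the interesting one: its single packet fits the 4-byte bitmap exactly, so check 1 passes, and only check 2 stops the decoder from copying two bytes beyond the input.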

0028 Fix 340 System frozen.patch

src/gd.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 fix #340: system frozen

gdImageCreate() doesn't check for oversized images and as such is prone
to DoS vulnerabilities. We fix that by applying the same overflow check
that is already in place for gdImageCreateTrueColor().

CVE-2016-9317

Conflicts:
	src/gd.c

0029 Fix 354 Signed Integer Overflow gd_io.c.patch

src/gd_gd2.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 fix #354: signed integer overflow gd_io.c

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, which can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.
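
Added example, written for this page rather than taken from libgd: overflow-guarded size arithmetic covering the three integer-overflow fixes above, the sx * 4 * sy WebP buffer size (0021), the missing oversized-image check in gdImageCreate() (0028) and the GD2 chunk-count product (0029). The function names checked_pixel_bytes, image_dims_ok and gd2_chunk_count are hypothetical, and the 4-bytes-per-pixel bound used for the dimension gate is an assumption for this example, not libgd's actual limit.

```c
#include <limits.h>
#include <stdio.h>

/* Byte size of an sx-by-sy image at 4 bytes per pixel, i.e. the expression
 * sx * 4 * sy from the WebP fix, evaluated only after proving the product
 * fits in an int. Returns -1 when it would overflow or a dimension is not
 * positive. The division-based test is the portable way to do this: signed
 * overflow in C is undefined behaviour, so multiplying first and inspecting
 * the result is not a valid check. */
long long checked_pixel_bytes(int sx, int sy)
{
    if (sx <= 0 || sy <= 0)
        return -1;
    if (sx > INT_MAX / 4)
        return -1;
    if (sy > INT_MAX / (sx * 4))
        return -1;
    return (long long)sx * 4 * sy;
}

/* Dimension gate of the shape gdImageCreate() lacked (issue #340): the same
 * test applied before any allocation, so an oversized request fails early
 * instead of exhausting memory. 4 bytes per pixel is this example's
 * assumed bound. Returns 1 when the image may be allocated. */
int image_dims_ok(int sx, int sy)
{
    return checked_pixel_bytes(sx, sy) != -1;
}

/* GD2 chunk counts are 16-bit unsigned words whose product lands in an int
 * (issue #354). 65535 * 65535 = 4294836225 does not fit in a 32-bit int, so
 * the multiplication is guarded and zero counts are rejected as well.
 * Returns the chunk count, or -1 for illegal counts. */
int gd2_chunk_count(unsigned ncx, unsigned ncy)
{
    if (ncx == 0 || ncy == 0 || ncx > 0xFFFFu || ncy > 0xFFFFu)
        return -1;
    if (ncx > (unsigned)INT_MAX / ncy)
        return -1;
    return (int)(ncx * ncy);        /* proven <= INT_MAX above */
}

int main(void)
{
    printf("640x480 -> %lld bytes\n", checked_pixel_bytes(640, 480));
    printf("65536x65536 -> %lld\n", checked_pixel_bytes(65536, 65536));
    printf("gd2 300x200 chunks -> %d\n", gd2_chunk_count(300, 200));
    printf("gd2 65535x65535 chunks -> %d\n", gd2_chunk_count(65535, 65535));
    return 0;
}
```

Both helpers reject before multiplying; the only multiplication that runs is one already shown to be in range, which is the property the three patches restore.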

0030 Close 339 Fix unitialized memory read vulnerability .patch

src/gd_gif_in.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 close #339: fix uninitialized memory read vulnerability in gif reading

0031 Fix 381 libgd double free vulnerability.patch

src/gd_png.c | 40 31 + 9 - 0 !
1 file changed, 31 insertions(+), 9 deletions(-)

 fix #381: libgd double-free vulnerability