File gd-CVE-2014-9709.patch of Package gd.2670
From 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Sat, 13 Dec 2014 08:48:18 +0100
Subject: [PATCH] Fix possible buffer read overflow detected by
-fsanitize=address, thanks to Jan Bee
---
src/gd_gif_in.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
Index: src/gd_gif_in.c
===================================================================
--- src/gd_gif_in.c.orig 2013-06-25 11:58:23.000000000 +0200
+++ src/gd_gif_in.c 2015-03-24 15:02:44.776580918 +0100
@@ -75,8 +75,10 @@
#define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+#define CSD_BUF_SIZE 280
+
typedef struct {
- unsigned char buf[280];
+ unsigned char buf[CSD_BUF_SIZE];
int curbit;
int lastbit;
int done;
@@ -408,9 +410,13 @@
scd->lastbit = (2 + count) * 8;
}
- ret = 0;
- for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
- ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+ if ((scd->curbit + code_size - 1) >= (CSD_BUF_SIZE * 8)) {
+ ret = -1;
+ } else {
+ ret = 0;
+ for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
+ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+ }
}
scd->curbit += code_size;