File gd-CVE-2014-9709.patch of Package gd.2670

From 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Sat, 13 Dec 2014 08:48:18 +0100
Subject: [PATCH] Fix possible buffer read overflow detected by
 -fsanitize=address, thanks to Jan Bee

---
 src/gd_gif_in.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

Index: src/gd_gif_in.c
===================================================================
--- src/gd_gif_in.c.orig	2013-06-25 11:58:23.000000000 +0200
+++ src/gd_gif_in.c	2015-03-24 15:02:44.776580918 +0100
@@ -75,8 +75,10 @@
 
 #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
 
+#define CSD_BUF_SIZE 280
+
 typedef struct {
-	unsigned char buf[280];
+	unsigned char buf[CSD_BUF_SIZE];
 	int curbit;
 	int lastbit;
 	int done;
@@ -408,9 +410,13 @@
 		scd->lastbit = (2 + count) * 8;
 	}
 
-	ret = 0;
-	for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
-		ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+	if ((scd->curbit + code_size - 1) >= (CSD_BUF_SIZE * 8)) {
+		ret = -1;
+	} else {
+		ret = 0;
+		for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
+			ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+		}
 	}
 
 	scd->curbit += code_size;
openSUSE Build Service is sponsored by