File gd-CVE-2016-5116.patch of Package gd.2670
From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 14 May 2016 01:38:18 -0400
Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
We use the name passed in to printf into a local stack buffer which is
limited to 4000 bytes. So given a large enough value, lots of stack
data is leaked. Rewrite the code to do simple memory copies with most
of the strings to avoid that issue, and only use stack buffer for small
numbers of constant size.
This closes #211.
---
src/gd_xbm.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/src/gd_xbm.c b/src/gd_xbm.c
index 74d839b..d28fdfc 100644
--- a/src/gd_xbm.c
+++ b/src/gd_xbm.c
@@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
/* {{{ gdCtxPrintf */
static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
{
- char buf[4096];
+ char buf[1024];
int len;
va_list args;
@@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
}
/* }}} */
+/* The compiler will optimize strlen(constant) to a constant number. */
+#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s))
+
/* {{{ gdImageXbmCtx */
BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
{
@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
}
}
- gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image));
- gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image));
- gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name);
+ /* Since "name" comes from the user, run it through a direct puts.
+ * Trying to printf it into a local buffer means we'd need a large
+ * or dynamic buffer to hold it all. */
+
+ /* #define <name>_width 1234 */
+ gdCtxPuts(out, "#define ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_width ");
+ gdCtxPrintf(out, "%d\n", gdImageSX(image));
+
+ /* #define <name>_height 1234 */
+ gdCtxPuts(out, "#define ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_height ");
+ gdCtxPrintf(out, "%d\n", gdImageSY(image));
+
+ /* static unsigned char <name>_bits[] = {\n */
+ gdCtxPuts(out, "static unsigned char ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_bits[] = {\n ");
free(name);
@@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
if ((b == 128) || (x == sx && y == sy)) {
b = 1;
if (p) {
- gdCtxPrintf(out, ", ");
+ gdCtxPuts(out, ", ");
if (!(p%12)) {
- gdCtxPrintf(out, "\n ");
+ gdCtxPuts(out, "\n ");
p = 12;
}
}
@@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
}
}
}
- gdCtxPrintf(out, "};\n");
+ gdCtxPuts(out, "};\n");
}
/* }}} */