Overview

File gd-CVE-2016-7568.patch of Package gd.8568

Index: libgd-2.1.0/src/gd_webp.c
===================================================================
--- libgd-2.1.0.orig/src/gd_webp.c	2013-06-25 11:58:23.000000000 +0200
+++ libgd-2.1.0/src/gd_webp.c	2016-10-13 18:06:15.266939283 +0200
@@ -6,6 +6,7 @@
 #include <math.h>
 #include <string.h>
 #include <stdlib.h>
+#include <limits.h>
 #include "gd.h"
 #include "gd_errors.h"
 
@@ -160,6 +161,19 @@ int mapQualityToVP8QP(int quality) {
 	return (int)(vp8qp + 0.5);
 }
 
+int overflow_add(int a, int b)
+{
+       if( a > INT_MAX - b)
+               return 1;
+	return 0;
+}
+
+int overflow3(int a, int b, int c)
+{
+       return (overflow2(a,b) + overflow2(a*b, c));
+}
+
+
 /* This routine is based in part on code from Dale Lutz (Safe Software Inc.)
  *  and in part on demo code from Chapter 15 of "PNG: The Definitive Guide"
  *  (http://www.cdrom.com/pub/png/pngbook.html).
@@ -181,6 +195,18 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImag
 	yuv_height = (height + 1) >> 1;
 	yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
 
+        if (overflow2(width, height)) {
+          return;
+        }
+
+        if (overflow3(2, yuv_width, yuv_height)) {
+          return;
+        }
+
+        if (overflow_add(width * height, 2 * yuv_width * yuv_height)) {
+          return;
+        }
+
 	if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
 		gd_error("gd-webp error: cannot allocate Y buffer");
 		return;
openSUSE Build Service is sponsored by
Places