File gd-CVE-2014-9709.patch of Package gd.openSUSE_13.1_Update

From 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Sat, 13 Dec 2014 08:48:18 +0100
Subject: [PATCH] Fix possible buffer read overflow detected by
 -fsanitize=address, thanks to Jan Bee

---
 src/gd_gif_in.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

Index: gd_gif_in.c
===================================================================
--- gd_gif_in.c.orig	2015-03-24 15:17:27.275122905 +0100
+++ gd_gif_in.c	2015-03-24 15:20:43.741702096 +0100
@@ -70,8 +70,10 @@
 
 #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
 
+#define CSD_BUF_SIZE 280
+
 typedef struct {
-	unsigned char    buf[280];
+	unsigned char    buf[CSD_BUF_SIZE];
 	int              curbit, lastbit, done, last_byte;
 } CODE_STATIC_DATA;
 
@@ -381,9 +383,14 @@
                scd->lastbit = (2+count)*8 ;
        }
 
-       ret = 0;
-       for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
-               ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
+       if ((scd->curbit + code_size - 1) >= (CSD_BUF_SIZE * 8)) {
+               ret = -1;
+       } else {
+               ret = 0;
+               for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
+                       ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+               }
+       }
 
        scd->curbit += code_size;
        return ret;
Places

File gd-CVE-2014-9709.patch of Package gd.openSUSE_13.1_Update

Places
