Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx

2018-03-26 12:49:23 +02:00 · 2018-03-26 12:49:23 +02:00 · 6d559884cf
commit 6d559884cf
parent aeaa355fc4
2 changed files with 69 additions and 1 deletions
--- a/gd-2.2.5-upstream.patch
+++ b/gd-2.2.5-upstream.patch
@ -0,0 +1,62 @@
+From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop.  Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+ src/gd_gif_in.c             |  12 ++++++------
+ tests/gif/.gitignore        |   1 +
+ tests/gif/CMakeLists.txt    |   1 +
+ tests/gif/Makemodule.am     |   2 ++
+ tests/gif/php_bug_75571.c   |  28 ++++++++++++++++++++++++++++
+ tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes
+ 6 files changed, 38 insertions(+), 6 deletions(-)
+ create mode 100644 tests/gif/php_bug_75571.c
+ create mode 100644 tests/gif/php_bug_75571.gif
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index daf26e79..0a8bd717 100644
+--- a/src/gd_gif_in.c
+++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ 		return 0;
+ 	}
+ 
+-	if(!im->colorsTotal) {
+-		gdImageDestroy(im);
+-		return 0;
+-	}
+-
+ 	/* Check for open colors at the end, so
+ 	 * we can reduce colorsTotal and ultimately
+ 	 * BitsPerPixel */
+@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ 		}
+ 	}
+ 
+	if(!im->colorsTotal) {
+		gdImageDestroy(im);
+		return 0;
+	}
+
+ 	return im;
+ }
+ 
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ 	int i, j, ret;
+-	unsigned char count;
+	int count;
+ 
+ 	if(flag) {
+ 		scd->curbit = 0;
+ 
--- a/gd.spec
+++ b/gd.spec
@ -9,7 +9,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.2.5
-Release:       2%{?prever}%{?short}%{?dist}
+Release:       3%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.github.io/
@ -22,6 +22,8 @@ Source0:       https://github.com/libgd/libgd/releases/download/gd-%{version}/li
 %endif

 Patch1:        gd-2.1.0-multilib.patch
+# CVE-2018-5711 - https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
+Patch2:        gd-2.2.5-upstream.patch

 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@ -85,6 +87,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %prep
 %setup -q -n libgd-%{version}%{?prever:-%{prever}}
 %patch1 -p1 -b .mlib
+%patch2 -p1 -b .upstream

 : $(perl config/getver.pl)

@ -165,6 +168,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc


 %changelog
+* Mon Mar 26 2018 Marek Skalický <mskalick@redhat.com> - 2.2.5-3
+- Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx
+
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild