- Resolves: #1076676 CVE-2014-2497

Previous patch indroduced memory leak. Using upstream version. 463c3bd09b
2015-01-08 13:49:40 +01:00 · 2015-01-08 13:49:40 +01:00 · b076ebc318
commit b076ebc318
parent cd2020e967
2 changed files with 34 additions and 18 deletions
--- a/gd-2.1.0-color_c_null_pointer.patch
+++ b/gd-2.1.0-color_c_null_pointer.patch
@ -1,18 +1,29 @@
-diff -up ./src/gdxpm.c.color_c_null_pointer ./src/gdxpm.c
+From 463c3bd09bfe8e924e19acad7a2a6af16953a704 Mon Sep 17 00:00:00 2001
--- ./src/gdxpm.c.color_c_null_pointer	2013-06-25 11:58:23.000000000 +0200
+From: Remi Collet <fedora@famillecollet.com>
-+++ ./src/gdxpm.c	2014-07-16 16:43:44.000000000 +0200
+Date: Mon, 4 Aug 2014 10:31:25 +0200
-@@ -62,6 +62,13 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+Subject: [PATCH] CVE-2014-2497, NULL pointer dereference, fix #126
- 
+
- 	for(i = 0; i < number; i++) {
+---
- 		char *c_color = image.colorTable[i].c_color;
+ src/gdxpm.c | 10 ++++++++++
-+		if (!c_color)
+ 1 file changed, 10 insertions(+)
-+		{
+
-+			/* unsupported color key or color key not defined */
+diff -up ./src/gdxpm.c.1076676 ./src/gdxpm.c
-+			gdImageDestroy(im);
+--- ./src/gdxpm.c.1076676	2013-06-25 11:58:23.000000000 +0200
-+			im = 0;
+++ ./src/gdxpm.c	2015-01-08 13:39:36.600424371 +0100
@@ -49,6 +49,16 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
 	if(overflow2(sizeof(int), number)) {
 		goto done;
 	}
 +	for(i = 0; i < number; i++) {
 +		/*
 +		   avoid NULL pointer dereference
 +		   TODO better fix need to manage monochrome/monovisual
 +		   see m_color or g4_color or g_color
 +		*/
 +		if (!image.colorTable[i].c_color) {
 +			goto done;
 +		}
- 		if(strcmp(c_color, "None") == 0) {
+	}
- 			colors[i] = gdImageGetTransparent(im);
+ 
- 			if(colors[i] == -1) colors[i] = gdImageColorAllocate(im, 0, 0, 0);
+ 	colors = (int *)gdMalloc(sizeof(int) * number);
-diff -up ./x.color_c_null_pointer ./x
+ 	if(colors == NULL) {
--- a/gd.spec
+++ b/gd.spec
@ -5,7 +5,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.1.0
-Release:       7%{?prever}%{?short}%{?dist}
+Release:       8%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.bitbucket.org/
@ -18,7 +18,7 @@ Source0:       https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}%{
 %endif
 Patch1:        gd-2.1.0-multilib.patch
 Patch2:        gd-fixautoconf.patch
-Patch3:	       gd-2.1.0-color_c_null_pointer.patch
+Patch3:        gd-2.1.0-color_c_null_pointer.patch
 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@ -141,6 +141,11 @@ make check
 %changelog
 * Thu Jan 08 2015 Jozef Mlich <jmlich@redhat.com - 2.1.0-8
 - Resolves: #1076676 CVE-2014-2497
  Previous patch indroduced memory leak. Using upstream version.
  https://bitbucket.org/libgd/gd-libgd/commits/463c3bd09bfe8e924e19acad7a2a6af16953a704
 * Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.0-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild