search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gnu: python-babel: Update to 2.7.0.
[guix.git] / gnu / packages / patches / gd-CVE-2019-6978.patch
blob69fc5056fccb4d34e9c7d5fa5777569e47e92145
1 Fix CVE-2019-6978:
2
3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978
4
5 Patch copied from upstream source repository:
6
7 https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0
8
9 From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
10 From: "Christoph M. Becker" <cmbecker69@gmx.de>
11 Date: Thu, 17 Jan 2019 11:54:55 +0100
12 Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
13
14 Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
15 must not call `gdDPExtractData()`; otherwise a double-free would
16 happen. Since `gdImage*Ctx()` are void functions, and we can't change
17 that for BC reasons, we're introducing static helpers which are used
18 internally.
19
20 We're adding a regression test for `gdImageJpegPtr()`, but not for
21 `gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
22 trigger failure of the respective `gdImage*Ctx()` calls.
23
24 This potential security issue has been reported by Solmaz Salimi (aka.
25 Rooney).
26 ---
27 src/gd_gif_out.c | 18 +++++++++++++++---
28 src/gd_jpeg.c | 20 ++++++++++++++++----
29 src/gd_wbmp.c | 21 ++++++++++++++++++---
30 tests/jpeg/.gitignore | 1 +
31 tests/jpeg/CMakeLists.txt | 1 +
32 tests/jpeg/Makemodule.am | 3 ++-
33 tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
34 7 files changed, 84 insertions(+), 11 deletions(-)
35 create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
36
37 diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
38 index 298a581..d5a9534 100644
39 --- a/src/gd_gif_out.c
40 +++ b/src/gd_gif_out.c
41 @@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
42 static void char_out(int c, GifCtx *ctx);
43 static void flush_char(GifCtx *ctx);
44
45 +static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
46
47
48
49 @@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
50 void *rv;
51 gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
52 if (out == NULL) return NULL;
53 - gdImageGifCtx(im, out);
54 - rv = gdDPExtractData(out, size);
55 + if (!_gdImageGifCtx(im, out)) {
56 + rv = gdDPExtractData(out, size);
57 + } else {
58 + rv = NULL;
59 + }
60 out->gd_free(out);
61 return rv;
62 }
63 @@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
64
65 */
66 BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
67 +{
68 + _gdImageGifCtx(im, out);
69 +}
70 +
71 +/* returns 0 on success, 1 on failure */
72 +static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
73 {
74 gdImagePtr pim = 0, tim = im;
75 int interlace, BitsPerPixel;
76 @@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
77 based temporary image. */
78 pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
79 if(!pim) {
80 - return;
81 + return 1;
82 }
83 tim = pim;
84 }
85 @@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
86 /* Destroy palette based temporary image. */
87 gdImageDestroy( pim);
88 }
89 +
90 + return 0;
91 }
92
93
94 diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
95 index fc05842..96ef430 100644
96 --- a/src/gd_jpeg.c
97 +++ b/src/gd_jpeg.c
98 @@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
99 exit(99);
100 }
101
102 +static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
103 +
104 /*
105 * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
106 * QUALITY. If QUALITY is in the range 0-100, increasing values
107 @@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
108 void *rv;
109 gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
110 if (out == NULL) return NULL;
111 - gdImageJpegCtx(im, out, quality);
112 - rv = gdDPExtractData(out, size);
113 + if (!_gdImageJpegCtx(im, out, quality)) {
114 + rv = gdDPExtractData(out, size);
115 + } else {
116 + rv = NULL;
117 + }
118 out->gd_free(out);
119 return rv;
120 }
121 @@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
122
123 */
124 BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
125 +{
126 + _gdImageJpegCtx(im, outfile, quality);
127 +}
128 +
129 +/* returns 0 on success, 1 on failure */
130 +static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
131 {
132 struct jpeg_compress_struct cinfo;
133 struct jpeg_error_mgr jerr;
134 @@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
135 if(row) {
136 gdFree(row);
137 }
138 - return;
139 + return 1;
140 }
141
142 cinfo.err->emit_message = jpeg_emit_message;
143 @@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
144 if(row == 0) {
145 gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
146 jpeg_destroy_compress(&cinfo);
147 - return;
148 + return 1;
149 }
150
151 rowptr[0] = row;
152 @@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
153 jpeg_finish_compress(&cinfo);
154 jpeg_destroy_compress(&cinfo);
155 gdFree(row);
156 + return 0;
157 }
158
159
160 diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
161 index f19a1c9..a49bdbe 100644
162 --- a/src/gd_wbmp.c
163 +++ b/src/gd_wbmp.c
164 @@ -88,6 +88,8 @@ int gd_getin(void *in)
165 return (gdGetC((gdIOCtx *)in));
166 }
167
168 +static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
169 +
170 /*
171 Function: gdImageWBMPCtx
172
173 @@ -100,6 +102,12 @@ int gd_getin(void *in)
174 out - the stream where to write
175 */
176 BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
177 +{
178 + _gdImageWBMPCtx(image, fg, out);
179 +}
180 +
181 +/* returns 0 on success, 1 on failure */
182 +static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
183 {
184 int x, y, pos;
185 Wbmp *wbmp;
186 @@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
187 /* create the WBMP */
188 if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
189 gd_error("Could not create WBMP\n");
190 - return;
191 + return 1;
192 }
193
194 /* fill up the WBMP structure */
195 @@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
196
197 /* write the WBMP to a gd file descriptor */
198 if(writewbmp(wbmp, &gd_putout, out)) {
199 + freewbmp(wbmp);
200 gd_error("Could not save WBMP\n");
201 + return 1;
202 }
203
204 /* des submitted this bugfix: gdFree the memory. */
205 freewbmp(wbmp);
206 +
207 + return 0;
208 }
209
210 /*
211 @@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
212 void *rv;
213 gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
214 if (out == NULL) return NULL;
215 - gdImageWBMPCtx(im, fg, out);
216 - rv = gdDPExtractData(out, size);
217 + if (!_gdImageWBMPCtx(im, fg, out)) {
218 + rv = gdDPExtractData(out, size);
219 + } else {
220 + rv = NULL;
221 + }
222 out->gd_free(out);
223 return rv;
224 }
225 #diff --git a/tests/jpeg/.gitignore b/tests/jpeg/.gitignore
226 #index c28aa87..13bcf04 100644
227 #--- a/tests/jpeg/.gitignore
228 #+++ b/tests/jpeg/.gitignore
229 #@@ -3,5 +3,6 @@
230 # /jpeg_empty_file
231 # /jpeg_im2im
232 # /jpeg_null
233 #+/jpeg_ptr_double_free
234 # /jpeg_read
235 # /jpeg_resolution
236 diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
237 index 19964b0..a8d8162 100644
238 --- a/tests/jpeg/CMakeLists.txt
239 +++ b/tests/jpeg/CMakeLists.txt
240 @@ -2,6 +2,7 @@ IF(JPEG_FOUND)
241 LIST(APPEND TESTS_FILES
242 jpeg_empty_file
243 jpeg_im2im
244 + jpeg_ptr_double_free
245 jpeg_null
246 )
247
248 diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
249 index 7e5d317..b89e169 100644
250 --- a/tests/jpeg/Makemodule.am
251 +++ b/tests/jpeg/Makemodule.am
252 @@ -2,7 +2,8 @@ if HAVE_LIBJPEG
253 libgd_test_programs += \
254 jpeg/jpeg_empty_file \
255 jpeg/jpeg_im2im \
256 - jpeg/jpeg_null
257 + jpeg/jpeg_null \
258 + jpeg/jpeg_ptr_double_free
259
260 if HAVE_LIBPNG
261 libgd_test_programs += \
262 diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
263 new file mode 100644
264 index 0000000..df5a510
265 --- /dev/null
266 +++ b/tests/jpeg/jpeg_ptr_double_free.c
267 @@ -0,0 +1,31 @@
268 +/**
269 + * Test that failure to convert to JPEG returns NULL
270 + *
271 + * We are creating an image, set its width to zero, and pass this image to
272 + * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
273 + *
274 + * See also <https://github.com/libgd/libgd/issues/381>
275 + */
276 +
277 +
278 +#include "gd.h"
279 +#include "gdtest.h"
280 +
281 +
282 +int main()
283 +{
284 + gdImagePtr src, dst;
285 + int size;
286 +
287 + src = gdImageCreateTrueColor(1, 10);
288 + gdTestAssert(src != NULL);
289 +
290 + src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
291 +
292 + dst = gdImageJpegPtr(src, &size, 0);
293 + gdTestAssert(dst == NULL);
294 +
295 + gdImageDestroy(src);
296 +
297 + return gdNumFailures();
298 +}
299 --
300 2.20.1
301
My copy of guix