rpms/gd/FC-5 gd-2.0.33-loop1.patch, NONE, 1.1 gd-2.0.33-loop2.patch, NONE, 1.1 gd-2.0.33-sf.patch, NONE, 1.1 gd.spec, 1.31, 1.32
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue May 29 12:38:39 UTC 2007
Author: varekova
Update of /cvs/dist/rpms/gd/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv12136
Modified Files:
gd.spec
Added Files:
gd-2.0.33-loop1.patch gd-2.0.33-loop2.patch gd-2.0.33-sf.patch
Log Message:
- fix cve-2006-2906 gd denial of service
- fix another problem with infinite loop
gd-2.0.33-loop1.patch:
gd_gif_in.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE gd-2.0.33-loop1.patch ---
--- gd-2.0.33/gd_gif_in.c.loop 2004-11-01 19:28:56.000000000 +0100
+++ gd-2.0.33/gd_gif_in.c 2007-05-29 14:09:37.000000000 +0200
@@ -254,13 +254,13 @@
if ((buf[0] & 0x1) != 0)
*Transparent = buf[3];
- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0)
;
return FALSE;
default:
break;
}
- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0)
;
return FALSE;
gd-2.0.33-loop2.patch:
gd_gif_in.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
--- NEW FILE gd-2.0.33-loop2.patch ---
--- gd-2.0.33/gd_gif_in.c.loop 2004-11-01 19:28:56.000000000 +0100
+++ gd-2.0.33/gd_gif_in.c 2006-07-10 14:59:42.000000000 +0200
@@ -418,16 +418,17 @@
return firstcode;
} else if (code == end_code) {
int count;
+ int max_count = 1024;
unsigned char buf[260];
if (*ZeroDataBlockP)
return -2;
- while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0)
+ while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0 && --max_count >= 0 )
;
- if (count != 0)
- return -2;
+ if (count != 0 || max_count < 0 )
+ return -2;
}
incode = code;
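Review bot: The cap `int max_count = 1024;` is an unexplained magic number, and nothing in the hunk says why the drain loop after `end_code` needs a bound. A named constant with a short comment would help, for example `/* limit trailing data blocks after end_code so a malformed stream cannot keep this loop draining */`. A stream with more than 1024 trailing blocks is now rejected with -2 through the new `max_count < 0` test, and that behaviour change deserves a line in the comment too. The enclosing function starts and ends outside the hunk.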
gd-2.0.33-sf.patch:
gd_gif_in.c | 44 ++++++++++++++++++++++++++++++--------------
1 files changed, 30 insertions(+), 14 deletions(-)
--- NEW FILE gd-2.0.33-sf.patch ---
--- gd-2.0.33/gd_gif_in.c.pom 2007-05-29 14:16:33.000000000 +0200
+++ gd-2.0.33/gd_gif_in.c 2007-05-29 14:23:16.000000000 +0200
@@ -42,7 +42,7 @@
#define LOCALCOLORMAP 0x80
#define BitSet(byte, bit) (((byte) & (bit)) == (bit))
-#define ReadOK(file,buffer,len) (gdGetBuf(buffer, len, file) != 0)
+#define ReadOK(file,buffer,len) (gdGetBuf(buffer, len, file) > 0)
#define LM_to_uint(a,b) (((b)<<8)|(a))
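Review bot: The new `ReadOK` accepts any positive return from `gdGetBuf`, so a short read of a multi-byte request still counts as success. If `gdGetBuf` returns the number of bytes actually read (it is not visible here, so this needs confirming for every I/O context), a truncated file could leave the tail of `buffer` holding stale data that the parser then trusts. Comparing against the requested length would close that, something like `#define ReadOK(file,buffer,len) (gdGetBuf(buffer, len, file) == (len))`.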
@@ -141,6 +141,8 @@
Background = buf[5];
AspectRatio = buf[6];
#endif
+ imw = LM_to_uint(buf[0],buf[1]);
+ imh = LM_to_uint(buf[2],buf[3]);
if (BitSet(buf[4], LOCALCOLORMAP)) { /* Global Colormap */
if (ReadColorMap(fd, BitPixel, ColorMap)) {
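Review bot: The added `imw`/`imh` assignments carry no comment saying they are now the logical-screen dimensions from the file header rather than the per-image ones. The next hunk removes the reads of `buf[4..7]` from the image descriptor, so, as far as these hunks show, the frame's own width and height are never compared with the canvas size that is allocated. A comment such as `/* canvas size comes from the screen descriptor; image descriptor size is not used */` would make that explicit. It is worth confirming outside the hunk that decoding cannot be driven by a frame size larger than `imw` x `imh`.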
@@ -177,12 +179,16 @@
bitPixel = 1<<((buf[8]&0x07)+1);
- imw = LM_to_uint(buf[4],buf[5]);
- imh = LM_to_uint(buf[6],buf[7]);
- if (!(im = gdImageCreate(imw, imh))) {
- return 0;
- }
- im->interlace = BitSet(buf[8], INTERLACE);
+ if (!useGlobalColormap) {
+ if (ReadColorMap(fd, bitPixel, localColorMap)) {
+ return 0;
+ }
+ }
+
+ if (!(im = gdImageCreate(imw, imh))) {
+ return 0;
+ }
+ im->interlace = BitSet(buf[8], INTERLACE);
if (! useGlobalColormap) {
if (ReadColorMap(fd, bitPixel, localColorMap)) {
return 0;
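Review bot: The local colour map appears to be read twice after this change: once in the added `if (!useGlobalColormap)` block before `gdImageCreate`, and again in the unchanged `if (! useGlobalColormap) { if (ReadColorMap(fd, bitPixel, localColorMap)) {` context that follows it. The second call would consume the first bytes of image data as palette entries, so every GIF with a local colour map would decode incorrectly or fail. The later branch should keep only the `ReadImage` call and drop its inner `ReadColorMap` test. That also removes a `return 0;` taken after `im` has been created without `gdImageDestroy(im)`. The branch body continues outside the hunk.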
@@ -205,6 +211,10 @@
if (!im) {
return 0;
}
+ if (!im->colorsTotal) {
+ gdImageDestroy(im);
+ return 0;
+ }
/* Check for open colors at the end, so
we can reduce colorsTotal and ultimately
BitsPerPixel */
@@ -327,7 +337,7 @@
buf[0] = buf[last_byte-2];
buf[1] = buf[last_byte-1];
- if ((count = GetDataBlock(fd, &buf[2], ZeroDataBlockP)) == 0)
+ if ((count = GetDataBlock(fd, &buf[2], ZeroDataBlockP)) <= 0)
done = TRUE;
last_byte = 2 + count;
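Review bot: On the new error path `count` is negative, but the unchanged `last_byte = 2 + count;` still uses it, so `last_byte` can drop to 1. Whether that is harmless depends on how `last_byte` and the bit limits are used later in the function, which lies outside the hunk. Clamping first makes the state well defined: `if (count < 0) count = 0;` placed right after `done = TRUE;`, with braces added to the `if`.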
@@ -493,6 +503,18 @@
int v;
int xpos = 0, ypos = 0, pass = 0;
int i;
+
+ /*
+ ** Initialize the Compression routines
+ */
+ if (! ReadOK(fd,&c,1)) {
+ return;
+ }
+
+ if (c > MAX_LWZ_BITS) {
+ return;
+ }
+
/* Stash the color map into the image */
for (i=0; (i<gdMaxColors); i++) {
im->red[i] = cmap[CM_RED][i];
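Review bot: The reason the code-size read and the new `c > MAX_LWZ_BITS` check were moved above the colour-map stash is not documented. The function returns nothing, and returning before `im->colorsTotal = gdMaxColors;` seems to be what lets the caller's new `if (!im->colorsTotal)` test reject the image. The block comment should say so, for example `/* validate the LZW code size before touching im, so a failure leaves colorsTotal at 0 for the caller to detect */`. Only the upper bound is checked here; whether very small code sizes are handled safely by `LWZReadByte` cannot be seen from this hunk. The function body continues outside the hunk.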
@@ -502,12 +524,6 @@
}
/* Many (perhaps most) of these colors will remain marked open. */
im->colorsTotal = gdMaxColors;
- /*
- ** Initialize the Compression routines
- */
- if (! ReadOK(fd,&c,1)) {
- return;
- }
if (LWZReadByte(fd, TRUE, c, ZeroDataBlockP) < 0) {
return;
}
Index: gd.spec
===================================================================
RCS file: /cvs/dist/rpms/gd/FC-5/gd.spec,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- gd.spec 29 Jan 2007 09:18:51 -0000 1.31
+++ gd.spec 29 May 2007 12:38:36 -0000 1.32
@@ -1,7 +1,7 @@
Summary: A graphics library for quick creation of PNG or JPEG images
Name: gd
Version: 2.0.33
-Release: 7%{?dist}
+Release: 8%{?dist}
Group: System Environment/Libraries
License: BSD-style
URL: http://www.boutell.com/gd/
@@ -10,6 +10,9 @@
Patch1: gd-2.0.33-SetAAPixel.patch
Patch2: gd-2.0.33-security.patch
Patch3: gd-2.0.33-cve-07-0455.patch
+Patch4: gd-2.0.33-loop2.patch
+Patch5: gd-2.0.33-loop1.patch
+Patch6: gd-2.0.33-sf.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: freetype-devel, fontconfig-devel, libX11-devel, libXpm-devel
BuildRequires: libjpeg-devel, libpng-devel, zlib-devel
@@ -52,6 +55,9 @@
%patch1 -p1 -b .SetAAPixel
%patch2 -p1 -b .security
%patch3 -p1 -b .cve-07-0455
+%patch4 -p1 -b .loop1
+%patch5 -p1 -b .loop2
+%patch6 -p1 -b .sf
%build
%configure --disable-rpath
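Review bot: The backup suffixes on the new `%patch` lines are crossed relative to the patch files. `Patch4` is `gd-2.0.33-loop2.patch` but is applied with `-b .loop1`, and `Patch5` is `gd-2.0.33-loop1.patch` but is applied with `-b .loop2`. The build still applies both fixes, but the `.loop1`/`.loop2` backups then name the wrong change, which is misleading when auditing which fix touched `gd_gif_in.c`. Suggested: `%patch4 -p1 -b .loop2` and `%patch5 -p1 -b .loop1`.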
@@ -90,6 +96,10 @@
%changelog
+* Tue May 29 2007 Ivana Varekova <varekova at redhat.com> - 2.0.33-8
+- fix cve-2006-2906 gd denial of service
+- fix another problem with infinite loop
+
* Mon Jan 29 2007 Ivana Varekova <varekova at redhat.com> - 2.0.33-7
- Resolves: #224610
CVE-2007-0455 gd buffer overrun