| From 2d37bdc03a6e2b820fe380016f22592a7733e0be Mon Sep 17 00:00:00 2001 |
| From: Catalin Enache <catalin.enache@windriver.com> |
| Date: Fri, 7 Apr 2017 12:32:49 +0300 |
| Subject: [PATCH] Fix #354: Signed Integer Overflow gd_io.c |
| |
| GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 |
| byte unsigned). These values are multiplied and assigned to an int when |
| reading the image, which can cause integer overflows. We have to avoid |
| that, and also make sure that either chunk count is actually greater |
| than zero. If illegal chunk counts are detected, we bail out from |
| reading the image. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-10168 |
| |
| Signed-off-by: Catalin Enache <catalin.enache@windriver.com> |
| --- |
| src/gd_gd2.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| diff --git a/src/gd_gd2.c b/src/gd_gd2.c |
| index bae65ea..9006bd2 100644 |
| --- a/src/gd_gd2.c |
| +++ b/src/gd_gd2.c |
| @@ -151,6 +151,10 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, |
| GD2_DBG (printf ("%d Chunks vertically\n", *ncy)); |
| |
| if (gd2_compressed (*fmt)) { |
| + if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) { |
| + GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy)); |
| + goto fail1; |
| + } |
| nc = (*ncx) * (*ncy); |
| |
| GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); |
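Review bot: The new bounds check sits inside the `if (gd2_compressed (*fmt))` branch, so a raw-format GD2 header with a zero chunk count still passes `_gd2GetHeader`, although the commit message says both counts must be greater than zero. If callers outside this hunk rely on `*ncx` and `*ncy` being positive for uncompressed images too, the `*ncx <= 0 || *ncy <= 0` part should move above the branch, leaving only the `*ncx > INT_MAX / *ncy` test next to the multiplication. The check uses `INT_MAX` while the patch adds no include, so confirm that `<limits.h>` is already pulled in by gd_gd2.c. A short comment such as `/* counts are 16-bit words from the file: reject zero and any product that overflows int */` would record why the guard exists. The function body begins before and continues after the hunk, so how `nc` is later used to size the chunk index is not visible here.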
| -- |
| 2.10.2 |
| |