Fix for CVE-2016-6161; from upstream
This commit is contained in:
parent
4597add3ba
commit
39fb0257fc
@ -1,9 +1,9 @@
|
||||
# $OpenBSD: Makefile,v 1.67 2016/06/30 13:27:42 jasper Exp $
|
||||
# $OpenBSD: Makefile,v 1.68 2016/07/06 08:46:01 jasper Exp $
|
||||
|
||||
COMMENT= library for dynamic creation of images
|
||||
|
||||
V= 2.1.1
|
||||
REVISION= 2
|
||||
REVISION= 3
|
||||
DISTNAME= libgd-$V
|
||||
PKGNAME= gd-$V
|
||||
|
||||
|
41
graphics/gd/patches/patch-src_gd_gif_out_c
Normal file
41
graphics/gd/patches/patch-src_gd_gif_out_c
Normal file
@ -0,0 +1,41 @@
|
||||
$OpenBSD: patch-src_gd_gif_out_c,v 1.1 2016/07/06 08:46:01 jasper Exp $
|
||||
|
||||
CVE-2016-6161
|
||||
https://github.com/libgd/libgd/commit/82b80dcb70a7ca8986125ff412bceddafc896842
|
||||
|
||||
--- src/gd_gif_out.c.orig Tue Jan 6 10:16:03 2015
|
||||
+++ src/gd_gif_out.c Wed Jul 6 10:43:57 2016
|
||||
@@ -1442,15 +1442,23 @@ nomatch:
|
||||
* code in turn. When the buffer fills up empty it and start over.
|
||||
*/
|
||||
|
||||
-static unsigned long masks[] = {
|
||||
+static const unsigned long masks[] = {
|
||||
0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
|
||||
0x001F, 0x003F, 0x007F, 0x00FF,
|
||||
0x01FF, 0x03FF, 0x07FF, 0x0FFF,
|
||||
0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF
|
||||
};
|
||||
|
||||
+/* Arbitrary value to mark output is done. When we see EOFCode, then we don't
|
||||
+ * expect to see any more data. If we do (e.g. corrupt image inputs), cur_bits
|
||||
+ * might be negative, so flag it to return early.
|
||||
+ */
|
||||
+#define CUR_BITS_FINISHED -1000
|
||||
+
|
||||
static void output(code_int code, GifCtx *ctx)
|
||||
{
|
||||
+ if (ctx->cur_bits == CUR_BITS_FINISHED)
|
||||
+ return;
|
||||
ctx->cur_accum &= masks[ctx->cur_bits];
|
||||
|
||||
if(ctx->cur_bits > 0) {
|
||||
@@ -1492,6 +1500,8 @@ static void output(code_int code, GifCtx *ctx)
|
||||
ctx->cur_accum >>= 8;
|
||||
ctx->cur_bits -= 8;
|
||||
}
|
||||
+ /* Flag that it's done to prevent re-entry. */
|
||||
+ ctx->cur_bits = CUR_BITS_FINISHED;
|
||||
|
||||
flush_char(ctx);
|
||||
}
|
Loading…
Reference in New Issue
Block a user