Security fix for gd-2.0.33. (CVE-2006-2906)

Fixes an infinite loop error within the handling of GIF images. Detailed information: http://secunia.com/advisories/20500/ Fix from Xavier Roche via Ubuntu via NetBSD ok naddy@
2006-06-15 22:18:25 +00:00 · 2006-06-15 22:18:25 +00:00 · 6cb9a7ea81
commit 6cb9a7ea81
parent 3ae63a12bc
2 changed files with 67 additions and 2 deletions
--- a/graphics/gd/Makefile
+++ b/graphics/gd/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.44 2006/01/08 01:38:36 steven Exp $
+# $OpenBSD: Makefile,v 1.45 2006/06/15 22:18:25 bernd Exp $

 COMMENT=	"library for dynamic creation of images"

 DISTNAME=	gd-2.0.33
-PKGNAME=	${DISTNAME}p2
+PKGNAME=	${DISTNAME}p3
 SHARED_LIBS=	gd	20.33
 CATEGORIES=	graphics
 MASTER_SITES=	http://www.boutell.com/gd/http/
--- a/graphics/gd/patches/patch-gd_gif_in_c
+++ b/graphics/gd/patches/patch-gd_gif_in_c
@ -0,0 +1,65 @@
+$OpenBSD: patch-gd_gif_in_c,v 1.1 2006/06/15 22:18:25 bernd Exp $
+
+Security fix for CVE-2006-2906, from Xavier Roche via Ubuntu via NetBSD.
+
+--- gd_gif_in.c.orig	Mon Nov  1 19:28:56 2004
+++ gd_gif_in.c	Thu Jun 15 12:38:02 2006
+@@ -118,6 +118,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+        char            version[4];
+        /* 2.0.28: threadsafe storage */
+        int ZeroDataBlock = FALSE;
+       int             maxcount = 1024;
+ 
+        gdImagePtr im = 0;
+        if (! ReadOK(fd,buf,6)) {
+@@ -164,6 +165,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+                }
+ 
+                if (c != ',') {         /* Not a valid start character */
+		       if (--maxcount < 0)
+			       goto terminated;  /* Looping */
+                        continue;
+                }
+ 
+@@ -242,6 +245,7 @@ static int
+ DoExtension(gdIOCtx *fd, int label, int *Transparent, int *ZeroDataBlockP)
+ {
+        static unsigned char     buf[256];
+       int                      maxcount = 1024;
+ 
+        switch (label) {
+        case 0xf9:              /* Graphic Control Extension */
+@@ -254,13 +258,13 @@ DoExtension(gdIOCtx *fd, int label, int 
+                if ((buf[0] & 0x1) != 0)
+                        *Transparent = buf[3];
+ 
+-               while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+               while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
+                        ;
+                return FALSE;
+        default:
+                break;
+        }
+-       while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+       while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
+                ;
+ 
+        return FALSE;
+@@ -419,14 +423,15 @@ LWZReadByte_(gdIOCtx *fd, int flag, int 
+                } else if (code == end_code) {
+                        int             count;
+                        unsigned char   buf[260];
+		       int             maxcount = 1024;
+ 
+                        if (*ZeroDataBlockP)
+                                return -2;
+ 
+-                       while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0)
+                       while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0  && --maxcount >= 0)
+                                ;
+ 
+-                       if (count != 0)
+                       if (count != 0 || maxcount < 0)
+                        return -2;
+                }
+