From 6cb9a7ea813353e9820f5e652f9bf202ba3d239a Mon Sep 17 00:00:00 2001
From: bernd
Date: Thu, 15 Jun 2006 22:18:25 +0000
Subject: [PATCH] Security fix for gd-2.0.33. (CVE-2006-2906) Fixes an infinite loop error within the handling of GIF images. Detailed information: http://secunia.com/advisories/20500/ Fix from Xavier Roche via Ubuntu via NetBSD ok naddy@
---
 graphics/gd/Makefile | 4 +-
 graphics/gd/patches/patch-gd_gif_in_c | 65 +++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 graphics/gd/patches/patch-gd_gif_in_c
diff --git a/graphics/gd/Makefile b/graphics/gd/Makefile
index a2af8331e63..8c14299b13a 100644
--- a/graphics/gd/Makefile
+++ b/graphics/gd/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.44 2006/01/08 01:38:36 steven Exp $
+# $OpenBSD: Makefile,v 1.45 2006/06/15 22:18:25 bernd Exp $
 COMMENT= "library for dynamic creation of images"
 DISTNAME= gd-2.0.33
-PKGNAME= ${DISTNAME}p2
+PKGNAME= ${DISTNAME}p3
 SHARED_LIBS= gd 20.33
 CATEGORIES= graphics
 MASTER_SITES= http://www.boutell.com/gd/http/
diff --git a/graphics/gd/patches/patch-gd_gif_in_c b/graphics/gd/patches/patch-gd_gif_in_c
new file mode 100644
index 00000000000..6df7a6fe472
--- /dev/null
+++ b/graphics/gd/patches/patch-gd_gif_in_c
@@ -0,0 +1,65 @@
+$OpenBSD: patch-gd_gif_in_c,v 1.1 2006/06/15 22:18:25 bernd Exp $
+
+Security fix for CVE-2006-2906, from Xavier Roche via Ubuntu via NetBSD.
+
+--- gd_gif_in.c.orig Mon Nov 1 19:28:56 2004
++++ gd_gif_in.c Thu Jun 15 12:38:02 2006
+@@ -118,6 +118,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+ char version[4];
+ /* 2.0.28: threadsafe storage */
+ int ZeroDataBlock = FALSE;
++ int maxcount = 1024;
+
+ gdImagePtr im = 0;
+ if (! ReadOK(fd,buf,6)) {
+@@ -164,6 +165,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+ }
+
+ if (c != ',') { /* Not a valid start character */
++ if (--maxcount < 0)
++ goto terminated; /* Looping */
+ continue;
+ }
+
+@@ -242,6 +245,7 @@ static int
+ DoExtension(gdIOCtx *fd, int label, int *Transparent, int *ZeroDataBlockP)
+ {
+ static unsigned char buf[256];
++ int maxcount = 1024;
+
+ switch (label) {
+ case 0xf9: /* Graphic Control Extension */
+@@ -254,13 +258,13 @@ DoExtension(gdIOCtx *fd, int label, int
+ if ((buf[0] & 0x1) != 0)
+ *Transparent = buf[3];
+
+- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
++ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
+ ;
+ return FALSE;
+ default:
+ break;
+ }
+- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
++ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
+ ;
+
+ return FALSE;
+@@ -419,14 +423,15 @@ LWZReadByte_(gdIOCtx *fd, int flag, int
+ } else if (code == end_code) {
+ int count;
+ unsigned char buf[260];
++ int maxcount = 1024;
+
+ if (*ZeroDataBlockP)
+ return -2;
+
+- while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0)
++ while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0 && --maxcount >= 0)
+ ;
+
+- if (count != 0)
++ if (count != 0 || maxcount < 0)
+ return -2;
+ }
+
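Review bot: In the embedded DoExtension hunks the two skip loops still test `GetDataBlock(...) != 0`, so on a truncated file they stop only when the 1024-iteration cap runs out, and hitting the cap is indistinguishable from a clean end because both paths `return FALSE`. If GetDataBlock returns a negative value on a read error, as the `> 0` test and the `return -2` in the LWZReadByte_ hunk suggest, the loops should stop on it directly: `while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0 && --maxcount >= 0)`. As written, a well-formed extension with more than 1024 sub-blocks is also cut short and parsing presumably resumes in the middle of its data. The literal 1024 is repeated in three functions and would be easier to audit as one named constant with a comment stating what it bounds. All three function bodies extend beyond the hunks shown.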