gd2: handle corrupt images better (CVE-2016-3074)

Make sure we do some range checking on corrupted chunks.

Thanks to Hans Jerry Illikainen <hji@dyntopia.com> for indepth report
and reproducer information.  Made for easy test case writing :).

Author: vapier

.gitignore

@@ -150,6 +150,7 @@ Makefile.in
 /tests/gd2/gd2_im2im
 /tests/gd2/gd2_null
 /tests/gd2/gd2_read
+/tests/gd2/gd2_read_corrupt
 /tests/gdimagearc/bug00079
 /tests/gdimageline/gdimageline_aa
 /tests/gdimageline/bug00072

src/gd_gd2.c

@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
 			if (gdGetInt (&cidx[i].size, in) != 1) {
 				goto fail2;
 			};
+			if (cidx[i].offset < 0 || cidx[i].size < 0)
+				goto fail2;
 		};
 		*chunkIdx = cidx;
 	};

tests/Makefile.am

@@ -129,7 +129,8 @@ endif
 
 if HAVE_LIBZ
 check_PROGRAMS += \
-	gd2/gd2_null
+	gd2/gd2_null \
+	gd2/gd2_read_corrupt
 endif
 
 if HAVE_LIBPNG

tests/gd2/gd2_read_corrupt.c

@@ -0,0 +1,25 @@
+/* Just try to read the invalid gd2 image & not crash. */
+#include "gd.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include "gdtest.h"
+
+int main()
+{
+	gdImagePtr im;
+	FILE *fp;
+	char path[1024];
+
+	/* Read the corrupt image. */
+	sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
+	fp = fopen(path, "rb");
+	if (!fp) {
+		printf("failed, cannot open file\n");
+		return 1;
+	}
+	im = gdImageCreateFromGd2(fp);
+	fclose(fp);
+
+	/* Should have failed & rejected it. */
+	return im == NULL ? 0 : 1;
+}