
[CVE-2016-6911]: Fix invalid read in gdImageCreateFromTiffPtr() #353

Closed
wants to merge 2 commits into from

Conversation

omron93
Contributor

@omron93 omron93 commented Dec 5, 2016

Posting fix for CVE.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840806
https://bugzilla.redhat.com/show_bug.cgi?id=1388787
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6911.html

Author is @cmb69, so why is it not in master?

Original patch:

From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 2 Aug 2016 12:10:33 +0200
Subject: [CVE-2016-6911]: Fix invalid read in gdImageCreateFromTiffPtr()

tiff_invalid_read.tiff is corrupt, and causes an invalid read in
gdImageCreateFromTiffPtr(), but not in gdImageCreateFromTiff(). The culprit
is dynamicGetbuf(), which doesn't check for out-of-bound reads. In this case,
dynamicGetbuf() is called with a negative dp->pos, but also positive buffer
overflows have to be handled, in which case 0 has to be returned (cf. commit
75e29a9).

Fixing dynamicGetbuf() exhibits that the corrupt TIFF would still create
the image, because the return value of TIFFReadRGBAImage() is not checked.
We do that, and let createFromTiffRgba() fail if TIFFReadRGBAImage() fails.

This issue had been reported by Ibrahim El-Sayed to security@libgd.org.
...

(https://bugzilla.suse.com/attachment.cgi?id=697849)
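The commit message above describes two defects: an in-memory reader that trusts its position field (negative or past-the-end positions lead to an invalid read), and a caller that ignores the decoder's return value. The following C is an added illustration of both fixes, not libgd's own code: `dynBuf`, `getbuf_checked`, `read_exact` and `scenario` are hypothetical names, the struct is a simplified stand-in for libgd's dynamic I/O context, and the fread-like short-read behaviour is an assumption chosen for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory I/O context, modelled on the description in the
 * commit message above. This is NOT libgd's real structure. */
typedef struct {
    unsigned char *data;
    int logicalSize;   /* number of bytes actually present in data */
    int pos;           /* current read position; may be corrupted by bad input */
} dynBuf;

/* Bounds-checked read. The rule from the commit message: a negative position,
 * or a position at or beyond the end of the buffer, returns 0 and copies
 * nothing. A read that starts in range but would run past the end is
 * truncated to the bytes that remain (assumed fread-like semantics). */
static int getbuf_checked(dynBuf *dp, void *buf, int len)
{
    int remain;

    /* Negative position or positive overflow of the position: refuse. */
    if (dp->pos < 0 || dp->pos >= dp->logicalSize || len <= 0) {
        return 0;
    }
    remain = dp->logicalSize - dp->pos;
    if (len > remain) {
        len = remain;          /* short read rather than reading past data */
    }
    memcpy(buf, dp->data + dp->pos, (size_t)len);
    dp->pos += len;
    return len;
}

/* Caller that propagates the reader's result instead of ignoring it, the
 * analogue of checking TIFFReadRGBAImage()'s return value and failing.
 * Returns 1 only when every requested byte was delivered. */
static int read_exact(dynBuf *dp, void *buf, int len)
{
    return getbuf_checked(dp, buf, len) == len;
}

/* Run one scenario on a constructed 8-byte buffer starting at start_pos and
 * return the byte count the reader reported. */
int scenario(int start_pos, int len)
{
    unsigned char data[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    unsigned char out[16] = {0};
    dynBuf dp = { data, 8, start_pos };
    return getbuf_checked(&dp, out, len);
}

/* Same constructed buffer, but through the caller that insists on a full read;
 * returns 1 on success and 0 on failure. */
int exact_scenario(int start_pos, int len)
{
    unsigned char data[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    unsigned char out[16] = {0};
    dynBuf dp = { data, 8, start_pos };
    return read_exact(&dp, out, len);
}

int main(void)
{
    printf("in range (0,4):        %d bytes\n", scenario(0, 4));
    printf("negative pos (-3,4):   %d bytes\n", scenario(-3, 4));
    printf("pos at end (8,1):      %d bytes\n", scenario(8, 1));
    printf("pos past end (100,1):  %d bytes\n", scenario(100, 1));
    printf("short read (6,4):      %d bytes\n", scenario(6, 4));
    printf("exact read (6,4) ok:   %d\n", exact_scenario(6, 4));
    printf("exact read (0,8) ok:   %d\n", exact_scenario(0, 8));
    return 0;
}
```

The two checks are deliberately separate: the reader refuses positions it cannot serve, and the caller treats anything less than a complete read as failure, so a corrupt file cannot both trigger an out-of-bounds access and still produce a "successfully" decoded image.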

@cmb69
Contributor

cmb69 commented Dec 5, 2016

Author is @cmb69, so why is it not in master?

At least for me, the question is rather why this issue had already been publicly disclosed!

@omron93
Contributor Author

omron93 commented Dec 5, 2016

Wow, I am not the right person to answer this :-(

@cmb69 Should I close this PR or something?

@cmb69
Contributor

cmb69 commented Dec 5, 2016

Should I close this PR or something?

Well, the cat is out of the bag anyway, so it might be best to leave this PR open as a reminder for our RMs. :-)

@cmb69
Contributor

cmb69 commented Jan 18, 2017

This has now been committed as 4859d69, so I'm closing the ticket.

@cmb69 cmb69 closed this Jan 18, 2017