Commit | Line | Data |
---|---|---|
e1376e25 LF |
1 | Fix CVE-2016-8670 (buffer overflow in dynamicGetbuf()): |
2 | ||
3 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670 | |
4 | http://seclists.org/oss-sec/2016/q4/138 | |
5 | ||
6 | Patch copied from upstream source repository: | |
7 | ||
8 | https://github.com/libgd/libgd/commit/53110871935244816bbb9d131da0bccff734bfe9 | |
9 | ||
10 | From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001 | |
11 | From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
12 | Date: Wed, 12 Oct 2016 11:15:32 +0200 | |
13 | Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion | |
14 | ||
15 | We make sure to never pass a negative `rlen` as size to memcpy(). See | |
16 | also <https://bugs.php.net/bug.php?id=73280>. | |
17 | ||
18 | Patch provided by Emmanuel Law. | |
19 | --- | |
20 | src/gd_io_dp.c | 2 +- | |
21 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
22 | ||
23 | diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c | |
24 | index 135eda3..228bfa5 100644 | |
25 | --- a/src/gd_io_dp.c | |
26 | +++ b/src/gd_io_dp.c | |
27 | @@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len) | |
28 | if(remain >= len) { | |
29 | rlen = len; | |
30 | } else { | |
31 | - if(remain == 0) { | |
32 | + if(remain <= 0) { | |
33 | /* 2.0.34: EOF is incorrect. We use 0 for | |
34 | * errors and EOF, just like fileGetbuf, | |
35 | * which is a simple fread() wrapper. | |
36 | -- | |
37 | 2.10.1 | |
38 |