gnu/packages/patches/gd-CVE-2016-8670.patch

   1 Fix CVE-2016-8670 (buffer overflow in dynamicGetbuf()):
   2
   3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670
   4 http://seclists.org/oss-sec/2016/q4/138
   5
   6 Patch copied from upstream source repository:
   7
   8 https://github.com/libgd/libgd/commit/53110871935244816bbb9d131da0bccff734bfe9
   9
  10 From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
  11 From: "Christoph M. Becker" <cmbecker69@gmx.de>
  12 Date: Wed, 12 Oct 2016 11:15:32 +0200
  13 Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
  14
  15 We make sure to never pass a negative `rlen` as size to memcpy(). See
  16 also <https://bugs.php.net/bug.php?id=73280>.
  17
  18 Patch provided by Emmanuel Law.
  19 ---
  20  src/gd_io_dp.c | 2 +-
  21  1 file changed, 1 insertion(+), 1 deletion(-)
  22
  23 diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
  24 index 135eda3..228bfa5 100644
  25 --- a/src/gd_io_dp.c
  26 +++ b/src/gd_io_dp.c
  27 @@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
  28         if(remain >= len) {
  29                 rlen = len;
  30         } else {
  31 -               if(remain == 0) {
  32 +               if(remain <= 0) {
  33                         /* 2.0.34: EOF is incorrect. We use 0 for
  34                          * errors and EOF, just like fileGetbuf,
  35                          * which is a simple fread() wrapper.
  36 --
  37 2.10.1
  38