diff options
Diffstat (limited to 'graphics/libwmf/patches/patch-src_extra_gd_gd.c')
-rw-r--r-- | graphics/libwmf/patches/patch-src_extra_gd_gd.c | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/graphics/libwmf/patches/patch-src_extra_gd_gd.c b/graphics/libwmf/patches/patch-src_extra_gd_gd.c new file mode 100644 index 00000000000..2b31cea73de --- /dev/null +++ b/graphics/libwmf/patches/patch-src_extra_gd_gd.c @@ -0,0 +1,78 @@ +$NetBSD: patch-src_extra_gd_gd.c,v 1.1 2015/07/17 12:33:47 sevan Exp $ + +CVE-2007-3472 - Integer overflow in gdImageCreateTrueColor function. +CVE-2007-3473 - The gdImageCreateXbm function in the GD Graphics Library (libgd) +before 2.0.35 allows user-assisted remote attackers to cause a denial of service +(crash) via unspecified vectors involving a gdImageCreate failure. +CVE-2007-3477 - The (a) imagearc and (b) imagefilledarc functions in GD Graphics +Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU +consumption) via a large (1) start or (2) end angle degree value. + +--- src/extra/gd/gd.c.orig 2005-07-27 20:35:05.000000000 +0000 ++++ src/extra/gd/gd.c +@@ -106,6 +106,18 @@ gdImageCreateTrueColor (int sx, int sy) + gdImagePtr im; + unsigned long cpa_size; + ++ if (overflow2(sx, sy)) { ++ return NULL; ++ } ++ ++ if (overflow2(sizeof (int *), sy)) { ++ return NULL; ++ } ++ ++ if (overflow2(sizeof(int), sx)) { ++ return NULL; ++ } ++ + im = (gdImage *) gdMalloc (sizeof (gdImage)); + if (im == 0) return 0; + memset (im, 0, sizeof (gdImage)); +@@ -1321,10 +1333,31 @@ gdImageFilledArc (gdImagePtr im, int cx, + int w2, h2; + w2 = w / 2; + h2 = h / 2; +- while (e < s) +- { +- e += 360; +- } ++ ++ if ((s % 360) == (e % 360)) { ++ s = 0; e = 360; ++ } else { ++ if (s > 360) { ++ s = s % 360; ++ } ++ ++ if (e > 360) { ++ e = e % 360; ++ } ++ ++ while (s < 0) { ++ s += 360; ++ } ++ ++ while (e < s) { ++ e += 360; ++ } ++ ++ if (s == e) { ++ s = 0; e = 360; ++ } ++ } ++ + for (i = s; (i <= e); i++) + { + int x, y; +@@ -2169,6 +2202,10 @@ gdImageCreateFromXbm (FILE * fd) + } + bytes = (w * h / 8) + 1; + im = gdImageCreate (w, h); ++ if (!im) { ++ return 0; ++ } ++ + gdImageColorAllocate (im, 255, 255, 255); + gdImageColorAllocate (im, 0, 0, 0); + x = 0; |