[gd] Resolves: #1076676 CVE-2014-2497 NULL pointer dereference in gdImageCreateFromXpm()

Jozef Mlich jmlich at fedoraproject.org
Wed Jul 16 16:11:04 UTC 2014


commit 547d117bd81f7014899916bc7f9c8031748be089
Author: Jozef Mlich <jmlich at redhat.com>
Date:   Wed Jul 16 18:08:46 2014 +0200

    Resolves: #1076676 CVE-2014-2497 NULL pointer dereference in gdImageCreateFromXpm()

 gd-2.1.0-color_c_null_pointer.patch |   18 ++++++++++++++++++
 gd.spec                             |    8 +++++++-
 2 files changed, 25 insertions(+), 1 deletions(-)
---
diff --git a/gd-2.1.0-color_c_null_pointer.patch b/gd-2.1.0-color_c_null_pointer.patch
new file mode 100644
index 0000000..95b3eeb
--- /dev/null
+++ b/gd-2.1.0-color_c_null_pointer.patch
@@ -0,0 +1,18 @@
+diff -up ./src/gdxpm.c.color_c_null_pointer ./src/gdxpm.c
+--- ./src/gdxpm.c.color_c_null_pointer	2013-06-25 11:58:23.000000000 +0200
++++ ./src/gdxpm.c	2014-07-16 16:43:44.000000000 +0200
+@@ -62,6 +62,13 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+ 
+ 	for(i = 0; i < number; i++) {
+ 		char *c_color = image.colorTable[i].c_color;
++		if (!c_color)
++		{
++			/* unsupported color key or color key not defined */
++			gdImageDestroy(im);
++			im = 0;
++			goto done;
++		}
+ 		if(strcmp(c_color, "None") == 0) {
+ 			colors[i] = gdImageGetTransparent(im);
+ 			if(colors[i] == -1) colors[i] = gdImageColorAllocate(im, 0, 0, 0);
+diff -up ./x.color_c_null_pointer ./x
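Review bot: The new early exit under `if (!c_color)` destroys `im` but jumps to `done` without releasing `colors`, the array the loop indexes as `colors[i]`; unless the `done:` label frees it, every XPM file rejected here leaks that array, so `gdFree(colors);` should be added before `goto done;`. The body of gdImageCreateFromXpm() starts and ends outside the hunk, so the allocation of `colors` and the cleanup at `done:` cannot be confirmed from these lines. As a style point, `im = 0;` reads better as `im = NULL;` for a pointer. The trailing `diff -up ./x.color_c_null_pointer ./x` header names a file with no hunks and looks like a leftover from generating the patch; it should be dropped from the patch file.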
diff --git a/gd.spec b/gd.spec
index 82dcb4a..dd1326a 100644
--- a/gd.spec
+++ b/gd.spec
@@ -5,7 +5,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.1.0
-Release:       5%{?prever}%{?short}%{?dist}
+Release:       6%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.bitbucket.org/
@@ -18,6 +18,7 @@ Source0:       https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}%{
 %endif
 Patch1:        gd-2.1.0-multilib.patch
 Patch2:        gd-fixautoconf.patch
+Patch3:	       gd-2.1.0-color_c_null_pointer.patch
 
 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@@ -75,6 +76,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %setup -q -n libgd-%{version}%{?prever:-%{prever}}
 %patch1 -p1 -b .mlib
 %patch2 -p1 -b .automake
+%patch3 -p1 -b .color_c_null_pointer
 
 # https://bitbucket.org/libgd/gd-libgd/issue/77
 sed -e '/GD_VERSION_STRING/s/-alpha//' \
@@ -139,6 +141,10 @@ make check
 
 
 %changelog
+* Wed Jul 16 2014 Jozef Mlich <jmlich at redhat.com> - 2.1.0-6
+- Resolves: #1076676 CVE-2014-2497
+  NULL pointer dereference in gdImageCreateFromXpm()
+
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.1.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 

