-
Notifications
You must be signed in to change notification settings - Fork 563
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[AUTO-CHERRYPICK] Patch CVE-2022-28506 and CVE-2023-48161 in giflib -…
… branch main (#10733) Co-authored-by: suresh-thelkar <[email protected]>
- Loading branch information
1 parent
6cc1442
commit a41e552
Showing
3 changed files
with
79 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| From 006158597ac945d1992c9411f393eb228fb9c7bc Mon Sep 17 00:00:00 2001 | ||
| From: Suresh Thelkar <[email protected]> | ||
| Date: Fri, 11 Oct 2024 10:39:07 +0530 | ||
| Subject: [PATCH] Patch for CVE-2022-28506 | ||
|
|
||
| Upstream patch details are given below. | ||
| https://sourceforge.net/u/mmuzila/giflib/ci/5b74cdd9c1285514eaa4675347ba3eea81d32c65/ | ||
| --- | ||
| gif2rgb.c | 5 +++++ | ||
| 1 file changed, 5 insertions(+) | ||
|
|
||
| diff --git a/gif2rgb.c b/gif2rgb.c | ||
| index 9d16664..82f1130 100644 | ||
| --- a/gif2rgb.c | ||
| +++ b/gif2rgb.c | ||
| @@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag, | ||
| GifRow = ScreenBuffer[i]; | ||
| GifQprintf("\b\b\b\b%-4d", ScreenHeight - i); | ||
| for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) { | ||
| + /* Check if color is within color palete */ | ||
| + if (GifRow[j] >= ColorMap->ColorCount) | ||
| + { | ||
| + GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT)); | ||
| + } | ||
| ColorMapEntry = &ColorMap->Colors[GifRow[j]]; | ||
| *BufferP++ = ColorMapEntry->Red; | ||
| *BufferP++ = ColorMapEntry->Green; | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| From e9ed0342ff3da16c646e355c1bb8a37ab0c93240 Mon Sep 17 00:00:00 2001 | ||
| From: Bogdan Codres <[email protected]> | ||
| Date: Fri, 8 Mar 2024 01:30:45 +0800 | ||
| Subject: [PATCH] Free Buffers from DumpScreen2RGB in error case | ||
|
|
||
| ==581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002bfc at pc 0x557cbdc9b28d bp 0x7ffde35804b0 sp 0x7ffde35804a0 | ||
| READ of size 1 at 0x602000002bfc thread T0 | ||
| #0 0x557cbdc9b28c in DumpScreen2RGB ../../giflib-5.1.4/util/gif2rgb.c:323 | ||
| #1 0x557cbdc9b28c in GIF2RGB ../../giflib-5.1.4/util/gif2rgb.c:480 | ||
| #2 0x557cbdc9b28c in main ../../giflib-5.1.4/util/gif2rgb.c:538 | ||
| #3 0x7fb09ad8214a in __libc_start_main (/lib64/libc.so.6+0x391602414a) | ||
| #4 0x557cbdc9bb19 in _start (/usr/bin/gif2rgb+0x5b19) | ||
|
|
||
| 0x602000002bfc is located 0 bytes to the right of 12-byte region [0x602000002bf0,0x602000002bfc) | ||
| allocated by thread T0 here: | ||
| #0 0x7fb09b021138 in __interceptor_calloc (/usr/lib64/libasan.so.5+0xee138) | ||
| #1 0x7fb09af2ab1e in GifMakeMapObject ../../giflib-5.1.4/lib/gifalloc.c:55 | ||
|
|
||
| SUMMARY: AddressSanitizer: heap-buffer-overflow ../../giflib-5.1.4/util/gif2rgb.c:323 in DumpScreen2RGB | ||
|
|
||
| Signed-off-by: Bogdan Codres <[email protected]> | ||
| --- | ||
| util/gif2rgb.c | 3 +++ | ||
| 1 file changed, 3 insertions(+) | ||
|
|
||
| diff --git a/gif2rgb.c b/gif2rgb.c | ||
| index bdc861f..9916fde 100644 | ||
| --- a/gif2rgb.c | ||
| +++ b/gif2rgb.c | ||
| @@ -327,6 +327,9 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag, | ||
| if (fwrite(Buffers[0], ScreenWidth, 1, rgbfp[0]) != 1 || | ||
| fwrite(Buffers[1], ScreenWidth, 1, rgbfp[1]) != 1 || | ||
| fwrite(Buffers[2], ScreenWidth, 1, rgbfp[2]) != 1) | ||
| + free((char *) Buffers[0]); | ||
| + free((char *) Buffers[1]); | ||
| + free((char *) Buffers[2]); | ||
| GIF_EXIT("Write to file(s) failed."); | ||
| } | ||
|
|
||
| -- | ||
| 2.26.1 | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,16 @@ | ||
| Name: giflib | ||
| Summary: A library and utilities for processing GIFs | ||
| Version: 5.2.1 | ||
| Release: 6%{?dist} | ||
| Release: 7%{?dist} | ||
| License: MIT | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
| URL: http://www.sourceforge.net/projects/giflib/ | ||
| Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz | ||
| # Move quantize.c back into libgif.so (#1750122) | ||
| Patch0: giflib_quantize.patch | ||
| Patch1: CVE-2023-48161.patch | ||
| Patch2: CVE-2022-28506.patch | ||
| BuildRequires: gcc | ||
| BuildRequires: make | ||
| BuildRequires: xmlto | ||
|
|
@@ -59,6 +61,9 @@ find %{buildroot} -name '*.a' -print -delete | |
| %{_mandir}/man1/*.1* | ||
|
|
||
| %changelog | ||
| * Fri Oct 11 2024 Suresh Thelkar <[email protected]> - 5.2.1-7 | ||
| - Patch CVE-2023-48161 and CVE-2022-28506 | ||
|
|
||
| * Mon Jul 11 2022 Olivia Crain <[email protected]> - 5.2.1-6 | ||
| - Promote to mariner-official-base repo | ||
| - Lint spec | ||
|
|
||