[oe][meta-oe][kirkstone][PATCH] giflib: Fix CVE CVE-2022-28506

($INBOX_DIR/description missing)
 help / color / mirror / Atom feed

From: Nikhil R <nikhilar2410@gmail.com>
To: openembedded-devel@lists.openembedded.org, nikhilar2410@gmail.com
Cc: ranjitsinh.rathod@kpit.com, Nikhil R <nikhil.r@kpit.com>
Subject: [oe][meta-oe][kirkstone][PATCH] giflib: Fix CVE CVE-2022-28506
Date: Wed, 17 Apr 2024 11:25:23 +0530	[thread overview]
Message-ID: <20240417055523.237264-1-nikhil.r@kpit.com> (raw)

There is a heap buffer overflow in DumpScreen2RGB() in gif2rgb.c.  This
occurs when a crafted gif file, where size of color table is < 256 but
image data contains pixels with color code highier than size of color
table. This causes oferflow of ColorMap->Colors array.

Fix the issue by checking if value of each pixel is within bounds of
given color table. If the value is out of color table, print error
message and exit.

Signed-off-by: Nikhil R <nikhil.r@kpit.com>
---
 .../giflib/files/CVE-2022-28506.patch         | 40 +++++++++++++++++++
 .../recipes-devtools/giflib/giflib_5.2.1.bb   |  4 +-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch

diff --git a/meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch b/meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch
new file mode 100644
index 000000000..221e10811
--- /dev/null
+++ b/meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch
@@ -0,0 +1,40 @@
+From 368f28c0034ecfb6dd4b3412af4cc589a56e0611 Mon Sep 17 00:00:00 2001
+From: Matej Muzila <mmuzila@redhat.com>
+Date: Mon, 30 May 2022 09:04:27 +0200
+Subject: [PATCH] Fix heap-buffer overflow (CVE-2022-28506)
+
+There is a heap buffer overflow in DumpScreen2RGB() in gif2rgb.c.  This
+occurs when a crafted gif file, where size of color table is < 256 but
+image data contains pixels with color code highier than size of color
+table. This causes oferflow of ColorMap->Colors array.
+
+Fix the issue by checking if value of each pixel is within bounds of
+given color table. If the value is out of color table, print error
+message and exit.
+
+Fixes: #159
+
+Upstream-Status: Backport [https://sourceforge.net/p/giflib/code/ci/5b74cdd9c1285514eaa4675347ba3eea81d32c65/]
+Signed-off-by: nikhil r <nikhil.r@kpit.com>
+---
+ gif2rgb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index 8d7c0ff..d9a469f 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+             GifRow = ScreenBuffer[i];
+             GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
+             for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
++                /* Check if color is within color palete */
++                if (GifRow[j] >= ColorMap->ColorCount)
++                {
++                   GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
++                }
+                 ColorMapEntry = &ColorMap->Colors[GifRow[j]];
+                 *BufferP++ = ColorMapEntry->Red;
+                 *BufferP++ = ColorMapEntry->Green;
+-- 
+2.25.1
diff --git a/meta-oe/recipes-devtools/giflib/giflib_5.2.1.bb b/meta-oe/recipes-devtools/giflib/giflib_5.2.1.bb
index 79afe9a70..011ca1ffb 100644
--- a/meta-oe/recipes-devtools/giflib/giflib_5.2.1.bb
+++ b/meta-oe/recipes-devtools/giflib/giflib_5.2.1.bb
@@ -7,7 +7,9 @@ CVE_PRODUCT = "giflib_project:giflib"
 
 DEPENDS = "xmlto-native"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/giflib/${BP}.tar.gz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/giflib/${BP}.tar.gz \
+           file://CVE-2022-28506.patch"
+
 SRC_URI[sha256sum] = "31da5562f44c5f15d63340a09a4fd62b48c45620cd302f77a6d9acf0077879bd"
 
 do_install() {
-- 
2.25.1

                 reply	other threads:[~2024-04-17  5:55 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:79afe9a7 dfblob:221e1081 dfblob:011ca1ff
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240417055523.237264-1-nikhil.r@kpit.com \
    --to=nikhilar2410@gmail.com \
    --cc=nikhil.r@kpit.com \
    --cc=openembedded-devel@lists.openembedded.org \
    --cc=ranjitsinh.rathod@kpit.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).