Hi, I have prepared a patch for apng2gif 1.5.
Testing did not reveal any problem, but I'm sure it can still be improved. Could anybody take a look at it? The debdiff for wheezy is attached (a test package for wheezy is also available here [0]). This patch should also fix the issue in Jessie, but I did not test it. I can build a test package if needed.

Cheers,
Hugo

[0] https://people.debian.org/~hle/lts/apng2gif_1.5-1+deb7u1_amd64.changes

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
diff -Nru apng2gif-1.5/debian/changelog apng2gif-1.5/debian/changelog --- apng2gif-1.5/debian/changelog 2012-03-11 08:50:30.000000000 +0100 +++ apng2gif-1.5/debian/changelog 2017-05-25 13:49:46.000000000 +0200 @@ -1,3 +1,11 @@ +apng2gif (1.5-1+deb7u1) UNRELEASED; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2017-6960: Integer overflow resulting in a heap-based + buffer over-read in the LoadAPNG function. + + -- Hugo Lefeuvre <h...@debian.org> Thu, 25 May 2017 13:49:46 +0200 + apng2gif (1.5-1) unstable; urgency=low * New upstream release (Closes: #663412). diff -Nru apng2gif-1.5/debian/patches/CVE-2017-6960.patch apng2gif-1.5/debian/patches/CVE-2017-6960.patch --- apng2gif-1.5/debian/patches/CVE-2017-6960.patch 1970-01-01 01:00:00.000000000 +0100 +++ apng2gif-1.5/debian/patches/CVE-2017-6960.patch 2017-05-25 13:49:46.000000000 +0200 
@@ -0,0 +1,48 @@ +Author: Hugo Lefeuvre <h...@debian.org> +Subject: Fix integer overflow in the LoadAPNG function. + The LoadAPNG function is affected by an integer overflow resulting in a + heap-based buffer over-read (CVE-2017-6960). + . + In this patch, we add a check before the memory allocation in order to prevent + from integer overflows. Thus, if passed image has too large width or height, we + exit cleanly with "Error: Image size unsupported". + . + The image is considered "invalid" if + (h > UINT_MAX/(4*(frames+1))) or + (w > UINT_MAX/(4*(frames+1))) or + w > UINT_MAX/(4*(frames+1)*h) or + h > UINT_MAX/(4*(frames+1)*w + . + This is because we want the function to abort if + w*h*4*(frames+1) > UINT_MAX + <=> w*h > UINT_MAX/(4*(frames+1)) (we assume that frames+1 always stays + positive) + <=> w > UINT_MAX/(4*(frames+1)*h) or h > UINT_MAX/(4*(frames+1)*w) + . + The (h > UINT_MAX/(4*(frames+1))) or (w > UINT_MAX/(4*(frames+1))) check + prevents from an integer overflow when calculating (4*(frames+1)*h and + (4*(frames+1)*w (not sufficient to fix the issue, however). +Bug-Debian: http://bugs.debian.org/854367 +--- a/apng2gif.c 2017-05-25 16:26:22.972280904 +0200 ++++ b/apng2gif.c 2017-05-25 16:28:19.544156335 +0200 +@@ -31,6 +31,7 @@ + #include <stdio.h> + #include <stdlib.h> + #include <string.h> ++#include <limits.h> + #include "zlib.h" + + #define PNG_DISPOSE_OP_NONE 0x00 +@@ -607,6 +608,12 @@ + * operations will make it impossible, then we'll use RGBA version instead. 
+ */ + ++ if((h > UINT_MAX/(4*(frames+1))) || (w > UINT_MAX/(4*(frames+1))) || ++ (w > UINT_MAX/(4*(frames+1)*h)) || (h > UINT_MAX/(4*(frames+1)*w ))) { ++ printf("Error: Image size unsupported\n"); ++ break; ++ } ++ + outrow1 = w; /* output coltype = input coltype */ + outrow2 = w*4; /* output coltype = RGBA */ + outimg1 = h*outrow1; diff -Nru apng2gif-1.5/debian/patches/series apng2gif-1.5/debian/patches/series --- apng2gif-1.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ apng2gif-1.5/debian/patches/series 2017-05-25 13:49:46.000000000 +0200 @@ -0,0 +1 @@ +CVE-2017-6960.patch
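Review bot: the debian/changelog hunk still targets UNRELEASED; an LTS upload for wheezy needs the wheezy-security distribution there, and since the patch header already records the bug as Bug-Debian: http://bugs.debian.org/854367, the changelog entry could close it as well, e.g. "* CVE-2017-6960: ... (Closes: #854367)".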
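Review bot: the header of debian/patches/CVE-2017-6960.patch rests on an assumption it does not enforce: the derivation says "we assume that frames+1 always stays positive", but nothing in the patch bounds frames before 4*(frames+1) is used as a divisor, so the description should either state where that bound comes from or the check should add it. The header also says the function "exit[s] cleanly" with the error, whereas the code below only prints and breaks out of the enclosing loop; the description should match what the code does. As a DEP-3 point, a Forwarded: line (whether upstream has this fix) would be useful alongside Author/Subject/Bug-Debian.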
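Review bot: the new check in the -607 hunk can itself divide by zero. UINT_MAX/(4*(frames+1)*h) and UINT_MAX/(4*(frames+1)*w) fault when h or w is 0 and the other dimension is small enough that the first two comparisons are false, so evaluation reaches those divisions; and 4*(frames+1) wraps to 0 when frames+1 is a multiple of 2^30 (assuming frames is unsigned int, as the UINT_MAX bound implies), or to a small value that makes the bound far too permissive. Unless LoadAPNG already validates these earlier (not visible in this hunk), reject w == 0, h == 0 and frames > UINT_MAX/4 - 1 before computing any divisor. Once those are guaranteed, the last two comparisons are equivalent (both reduce to w*h*4*(frames+1) > UINT_MAX), so one of them can be dropped. Also, the error goes to stdout via printf and the hunk only does `break;`; check that the code after the loop copes with the loop ending here, and consider fprintf(stderr, ...) plus an explicit failure path so callers see the error.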