Hi,
I have prepared a patch for apng2gif 1.5.
Testing did not reveal any problem, but I'm sure it can still be
improved.
Could anybody take a look at it?
The debdiff for wheezy is attached (a test package for wheezy is also
available here[0]).
This patch should also fix the issue in Jessie, but I did not test it.
I can build a test package if needed.
Cheers,
Hugo
[0] https://people.debian.org/~hle/lts/apng2gif_1.5-1+deb7u1_amd64.changes
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
diff -Nru apng2gif-1.5/debian/changelog apng2gif-1.5/debian/changelog
--- apng2gif-1.5/debian/changelog 2012-03-11 08:50:30.000000000 +0100
+++ apng2gif-1.5/debian/changelog 2017-05-25 13:49:46.000000000 +0200
@@ -1,3 +1,11 @@
+apng2gif (1.5-1+deb7u1) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2017-6960: Integer overflow resulting in a heap-based
+ buffer over-read in the LoadAPNG function.
+
+ -- Hugo Lefeuvre <hle@debian.org> Thu, 25 May 2017 13:49:46 +0200
+
apng2gif (1.5-1) unstable; urgency=low
* New upstream release (Closes: #663412).
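Review bot: the new changelog entry targets UNRELEASED; before the upload it has to be changed to the suite the package is actually built for (the wheezy LTS suite, matching the 1.5-1+deb7u1 version), otherwise the upload is rejected or lands nowhere. It would also be worth closing the tracking bug from the CVE-2017-6960.patch header in this entry, e.g. "(Closes: #854367)", so the BTS is updated automatically.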
diff -Nru apng2gif-1.5/debian/patches/CVE-2017-6960.patch apng2gif-1.5/debian/patches/CVE-2017-6960.patch
--- apng2gif-1.5/debian/patches/CVE-2017-6960.patch 1970-01-01 01:00:00.000000000 +0100
+++ apng2gif-1.5/debian/patches/CVE-2017-6960.patch 2017-05-25 13:49:46.000000000 +0200
@@ -0,0 +1,48 @@
+Author: Hugo Lefeuvre <hle@debian.org>
+Subject: Fix integer overflow in the LoadAPNG function.
+ The LoadAPNG function is affected by an integer overflow resulting in a
+ heap-based buffer over-read (CVE-2017-6960).
+ .
+ In this patch, we add a check before the memory allocation in order to prevent
+ from integer overflows. Thus, if passed image has too large width or height, we
+ exit cleanly with "Error: Image size unsupported".
+ .
+ The image is considered "invalid" if
+ (h > UINT_MAX/(4*(frames+1))) or
+ (w > UINT_MAX/(4*(frames+1))) or
+ w > UINT_MAX/(4*(frames+1)*h) or
+ h > UINT_MAX/(4*(frames+1)*w
+ .
+ This is because we want the function to abort if
+ w*h*4*(frames+1) > UINT_MAX
+ <=> w*h > UINT_MAX/(4*(frames+1)) (we assume that frames+1 always stays
+ positive)
+ <=> w > UINT_MAX/(4*(frames+1)*h) or h > UINT_MAX/(4*(frames+1)*w)
+ .
+ The (h > UINT_MAX/(4*(frames+1))) or (w > UINT_MAX/(4*(frames+1))) check
+ prevents from an integer overflow when calculating (4*(frames+1)*h and
+ (4*(frames+1)*w (not sufficient to fix the issue, however).
+Bug-Debian: http://bugs.debian.org/854367
+--- a/apng2gif.c 2017-05-25 16:26:22.972280904 +0200
++++ b/apng2gif.c 2017-05-25 16:28:19.544156335 +0200
+@@ -31,6 +31,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include "zlib.h"
+
+ #define PNG_DISPOSE_OP_NONE 0x00
+@@ -607,6 +608,12 @@
+ * operations will make it impossible, then we'll use RGBA version instead.
+ */
+
++ if((h > UINT_MAX/(4*(frames+1))) || (w > UINT_MAX/(4*(frames+1))) ||
++ (w > UINT_MAX/(4*(frames+1)*h)) || (h > UINT_MAX/(4*(frames+1)*w ))) {
++ printf("Error: Image size unsupported\n");
++ break;
++ }
++
+ outrow1 = w; /* output coltype = input coltype */
+ outrow2 = w*4; /* output coltype = RGBA */
+ outimg1 = h*outrow1;
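Review bot: the second pair of comparisons in the added check divides by `4*(frames+1)*h` and `4*(frames+1)*w`; nothing in the visible context shows that w and h are already known to be non-zero, so a malformed image with a zero width or height would turn the new check into a division by zero. Either reject `w == 0 || h == 0` first or confirm that earlier validation guarantees non-zero dimensions. The order of the `||` operands is load-bearing here (the first pair keeps the two products below UINT_MAX, as the description explains), so it should stay as written, and the description's "we exit cleanly" should be checked against the `break`, which only leaves the enclosing loop; it is worth confirming that path releases what was allocated so far and yields a non-zero exit status. Minor: the description has unbalanced parentheses in `h > UINT_MAX/(4*(frames+1)*w` and in the last paragraph (`(4*(frames+1)*h and (4*(frames+1)*w`).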
diff -Nru apng2gif-1.5/debian/patches/series apng2gif-1.5/debian/patches/series
--- apng2gif-1.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ apng2gif-1.5/debian/patches/series 2017-05-25 13:49:46.000000000 +0200
@@ -0,0 +1 @@
+CVE-2017-6960.patch