[packages/gd] - rel 4; fixes from debian

arekm arekm at pld-linux.org
Tue Jan 22 09:27:20 CET 2019 

commit f510b224888ba3be504580f4e74237fc3774e578
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Tue Jan 22 09:27:08 2019 +0100

    - rel 4; fixes from debian

 ...Fix-OOB-read-due-to-crafted-GD-GD2-images.patch | Bin 0 -> 4595 bytes
 0005-Fix-tiff_invalid_read-check.patch             |  23 ++++++
 ...ential-infinite-loop-in-gdImageCreateFrom.patch |  53 ++++++++++++++
 bmp-check-return-value-in-gdImageBmpPtr.patch      |  79 +++++++++++++++++++++
 gd.spec                                            |  10 ++-
 5 files changed, 164 insertions(+), 1 deletion(-)
---
diff --git a/gd.spec b/gd.spec
index 7469fc8..017fae1 100644
--- a/gd.spec
+++ b/gd.spec
@@ -15,7 +15,7 @@ Summary(pl.UTF-8):	Biblioteka do tworzenia grafiki w formacie PNG, JPEG
 Summary(pt_BR.UTF-8):	Biblioteca para manipulação de imagens
 Name:		gd
 Version:	2.2.5
-Release:	3
+Release:	4
 License:	BSD-like
 Group:		Libraries
 #Source0Download: https://github.com/libgd/libgd/releases
@@ -24,6 +24,10 @@ Source0:	https://github.com/libgd/libgd/releases/download/%{name}-%{version}/lib
 Patch0:		%{name}-fontpath.patch
 Patch2:		%{name}-loop.patch
 Patch3:		%{name}-liq.patch
+Patch4:		0004-Fix-OOB-read-due-to-crafted-GD-GD2-images.patch
+Patch5:		0005-Fix-tiff_invalid_read-check.patch
+Patch6:		bmp-check-return-value-in-gdImageBmpPtr.patch
+Patch7:		Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch
 URL:		https://libgd.github.io/
 BuildRequires:	autoconf >= 2.54
 BuildRequires:	automake
@@ -162,6 +166,10 @@ para uso pelos programas que usam a libgd.
 %patch0 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
 
 # hack to avoid inclusion of -s in --ldflags
 %{__sed} -i -e 's, at LDFLAGS@,,g' config/gdlib-config.in
diff --git a/0004-Fix-OOB-read-due-to-crafted-GD-GD2-images.patch b/0004-Fix-OOB-read-due-to-crafted-GD-GD2-images.patch
new file mode 100644
index 0000000..2e1f417
Binary files /dev/null and b/0004-Fix-OOB-read-due-to-crafted-GD-GD2-images.patch differ
diff --git a/0005-Fix-tiff_invalid_read-check.patch b/0005-Fix-tiff_invalid_read-check.patch
new file mode 100644
index 0000000..5f69f9d
--- /dev/null
+++ b/0005-Fix-tiff_invalid_read-check.patch
@@ -0,0 +1,23 @@
+From: "Christoph M. Becker" <cmbecker69 at gmx.de>
+Date: Wed, 18 Jan 2017 21:06:29 +0100
+Subject: Fix tiff_invalid_read check
+
+---
+ src/gd_io_dp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
+index 25c0980..934204d 100755
+--- a/src/gd_io_dp.c
++++ b/src/gd_io_dp.c
+@@ -299,6 +299,10 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
+ 		return 0;
+ 	}
+ 
++	if (rlen < 0) {
++		return 0;
++	}
++
+ 	memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);
+ 	dp->pos += rlen;
+ 
diff --git a/Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch b/Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch
new file mode 100644
index 0000000..a90689a
--- /dev/null
+++ b/Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch
@@ -0,0 +1,53 @@
+From: "Christoph M. Becker" <cmbecker69 at gmx.de>
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+origin: https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5711
+Bug-Debian: https://bugs.debian.org/887485
+Bug: https://github.com/libgd/libgd/issues/420
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop.  Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ terminated:
+ 		return 0;
+ 	}
+ 
+-	if(!im->colorsTotal) {
+-		gdImageDestroy(im);
+-		return 0;
+-	}
+-
+ 	/* Check for open colors at the end, so
+ 	 * we can reduce colorsTotal and ultimately
+ 	 * BitsPerPixel */
+@@ -351,6 +346,11 @@ terminated:
+ 		}
+ 	}
+ 
++	if(!im->colorsTotal) {
++		gdImageDestroy(im);
++		return 0;
++	}
++
+ 	return im;
+ }
+ 
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ 	int i, j, ret;
+-	unsigned char count;
++	int count;
+ 
+ 	if(flag) {
+ 		scd->curbit = 0;
diff --git a/bmp-check-return-value-in-gdImageBmpPtr.patch b/bmp-check-return-value-in-gdImageBmpPtr.patch
new file mode 100644
index 0000000..f0e3a52
--- /dev/null
+++ b/bmp-check-return-value-in-gdImageBmpPtr.patch
@@ -0,0 +1,79 @@
+From: Mike Frysinger <vapier at gentoo.org>
+Date: Sat, 14 Jul 2018 13:54:08 -0400
+Subject: bmp: check return value in gdImageBmpPtr
+Origin: https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000222
+Bug-Debian: https://bugs.debian.org/906886
+Bug: https://github.com/libgd/libgd/issues/447
+
+Closes #447.
+---
+ src/gd_bmp.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c
+index bde0b9d3abbd..78f40d9a475e 100644
+--- a/src/gd_bmp.c
++++ b/src/gd_bmp.c
+@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
+ static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
+ static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
+ 
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
++
+ #define BMP_DEBUG(s)
+ 
+ static int gdBMPPutWord(gdIOCtx *out, int w)
+@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageBmpCtx(im, out, compression);
+-	rv = gdDPExtractData(out, size);
++	if (!_gdImageBmpCtx(im, out, compression))
++		rv = gdDPExtractData(out, size);
++	else
++		rv = NULL;
+ 	out->gd_free(out);
+ 	return rv;
+ }
+@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
+ 		compression - whether to apply RLE or not.
+ */
+ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
++{
++	_gdImageBmpCtx(im, out, compression);
++}
++
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ {
+ 	int bitmap_size = 0, info_size, total_size, padding;
+ 	int i, row, xpos, pixel;
+@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ 	unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
+ 	FILE *tmpfile_for_compression = NULL;
+ 	gdIOCtxPtr out_original = NULL;
++	int ret = 1;
+ 
+ 	/* No compression if its true colour or we don't support seek */
+ 	if (im->trueColor) {
+@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ 		out_original = NULL;
+ 	}
+ 
++	ret = 0;
+ cleanup:
+ 	if (tmpfile_for_compression) {
+ #ifdef _WIN32
+@@ -338,7 +349,7 @@ cleanup:
+ 	if (out_original) {
+ 		out_original->gd_free(out_original);
+ 	}
+-	return;
++	return ret;
+ }
+ 
+ static int compress_row(unsigned char *row, int length)
+-- 
+2.19.1
+
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/gd.git/commitdiff/f510b224888ba3be504580f4e74237fc3774e578

More information about the pld-cvs-commit mailing list