commit gd.5538 for openSUSE:13.2:Update
Hello community,
here is the log from the commit of package gd.5538 for openSUSE:13.2:Update checked in at 2016-08-31 16:17:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/gd.5538 (Old)
and /work/SRC/openSUSE:13.2:Update/.gd.5538.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gd.5538"
Changes:
--------
New Changes file:
--- /dev/null 2016-07-07 10:01:34.856033756 +0200
+++ /work/SRC/openSUSE:13.2:Update/.gd.5538.new/gd.changes 2016-08-31 16:17:35.000000000 +0200
@@ -0,0 +1,435 @@
+-------------------------------------------------------------------
+Tue Aug 23 12:58:16 UTC 2016 - pgajdos@suse.com
+
+- security update:
+ * CVE-2016-6905 [bsc#995034]
+ + gd-CVE-2016-6905.patch
+
+-------------------------------------------------------------------
+Mon Aug 8 10:47:51 UTC 2016 - pgajdos@suse.com
+
+- security update:
+ * CVE-2016-6214 [bsc#991436]
+ + gd-CVE-2016-6214.patch
+ * CVE-2016-6132 [bsc#987577]
+ + gd-CVE-2016-6132.patch
+ * CVE-2016-6128 [bsc#991710]
+ + gd-CVE-2016-6128.patch
+ * CVE-2016-6207 [bsc#991622]
+ + gd-CVE-2016-6207.patch
+ * CVE-2016-6161 [bsc#988032]
+ + gd-CVE-2016-6161.patch
+
+-------------------------------------------------------------------
+Mon May 30 13:20:20 UTC 2016 - pgajdos@suse.com
+
+- security update:
+ * CVE-2016-5116 [bsc#982176]
+ + gd-CVE-2016-5116.patch
+
+-------------------------------------------------------------------
+Tue Mar 24 14:04:11 UTC 2015 - pgajdos@suse.com
+
+- fixed CVE-2014-9709 [bnc#923945]
+ + gd-CVE-2014-9709.patch
+
+-------------------------------------------------------------------
+Tue Aug 26 05:58:53 UTC 2014 - jengelh@inai.de
+
+- Resolve build failure with automake-1.14
+
+-------------------------------------------------------------------
+Fri Jun 27 12:05:59 UTC 2014 - meissner@suse.com
+
+- split out libgd3, so libgd2 could be installed in parallel.
+
+-------------------------------------------------------------------
+Thu Apr 17 17:51:34 UTC 2014 - tchvatal@suse.com
+
+- Add tiff and vpx to the devel deps as it is in .pc file.
+
+-------------------------------------------------------------------
+Thu Apr 10 07:08:18 UTC 2014 - pgajdos@suse.com
+
+- build against libtiff and libvpx
+
+-------------------------------------------------------------------
+Fri Apr 4 12:21:22 UTC 2014 - pgajdos@suse.com
+
+- fixed NULL ptr deref in GD XPM decoder [bnc#868624]
+ * CVE-2014-2497.patch
+
+-------------------------------------------------------------------
+Fri Dec 27 07:42:11 UTC 2013 - tchvatal@suse.com
+
+- Cleanup here&there to parallelize everything
+- Remove bogus cmake dependency
+
+-------------------------------------------------------------------
+Tue Dec 17 14:30:38 UTC 2013 - pgajdos@suse.com
+
+- updated to 2.1.0
+- removed warn.patch (not needed)
+- removed ppc64.patch (upstreamed)
+- removed gd-png_check_sig.patch (upstreamed)
+
+-------------------------------------------------------------------
+Sun Feb 3 14:57:17 UTC 2013 - crrodriguez@opensuse.org
+
+- gd-autoconf.patch fix up compile file so gd can handle
+ large files on 32 bit
+
+-------------------------------------------------------------------
+Sun Feb 5 16:31:39 UTC 2012 - jengelh@medozas.de
+
+- Remove redundant tags/sections
+- Parallel build with %_smp_mflags
+- Remove pointless INSTALL file from rpm package
+ (it's just the default autotools INSTALL blurb)
+
+-------------------------------------------------------------------
+Wed Oct 5 12:05:47 UTC 2011 - uli@suse.com
+
+- cross-build fix: use libpng from sysroot
+
+-------------------------------------------------------------------
+Sat Oct 1 05:39:10 UTC 2011 - coolo@suse.com
+
+- add libtool as buildrequire to make the spec file more reliable
+
+-------------------------------------------------------------------
+Tue Jun 14 15:00:32 UTC 2011 - aj@suse.de
+
+- Devel package needs zlib-devel and libpng-devel.
+
+-------------------------------------------------------------------
+Tue Apr 6 18:27:56 CEST 2010 - ro@suse.de
+
+- add baselibs.conf (for libpghoto2)
+
+-------------------------------------------------------------------
+Sun Apr 4 18:39:19 CEST 2010 - ro@suse.de
+
+- replace png_check_sig by negated png_sig_cmp for libpng14
+
+-------------------------------------------------------------------
+Wed Nov 12 16:18:34 CET 2008 - crrodriguez@suse.de
+
+- QA Results: Regression on PPC64 only, detected by PHP test suite,
+ the system libgd part, fix by IBM
+
+-------------------------------------------------------------------
+Mon Mar 10 01:43:39 CET 2008 - crrodriguez@suse.de
+
+- fix rpm version number, otherwise it wont upgrade later.
+
+-------------------------------------------------------------------
+Fri Jan 18 15:51:13 CET 2008 - anosek@suse.cz
+
+- updated to version 2.0.36RC1
+ * Fixed gdImageCopy with true color image, the transparent color was ignored
+ * Fixed support of PNG grayscale image with alpha channel
+ * Added Netware builds script
+ * ease the creation of regexp to match symbols/functions in the sources
+ * _gdCreateFromFile() can crash if gdImageCreate fails
+ * gdImageCreateFrom*Ptr() can crash if gdNewDynamicCtxEx() fails
+ * gdImageRectangle draws 1x1 rectangles as 1x3 rectangles
+ * Possible integer overflow in gdImageFill()
+ * Optimization for single pixel line not in correct order
+ * gdImageColorDeallocate can write outside buffer
+ * gdImageColorTransparent can write outside buffer
+ * gdImageWBMPCtx can crash when createwbmp fails
+ * Fixed decoding of the html entity ϑ
+ * Fixed configure script ignoring --with-png=DIR option
+- dropped obsoleted security.patch
+
+-------------------------------------------------------------------
+Thu Dec 20 04:22:14 CET 2007 - crrodriguez@suse.de
+
+- remove static libraries and "la" files
+- devel package dependency cleanup
+
+-------------------------------------------------------------------
+Mon Jul 9 09:09:51 CEST 2007 - anosek@suse.cz
+
+- updated to version 2.0.35
+ * Fix valgrind error in gdImageFillTiled (Nuno Lopes)
+ * Add missing custom cmake macros (required for the tests suite)
+ * Avoid signature buffer copy in gd_gif_c (Nuno Lopes)
+ * Race condition in gdImageStringFTEx (Antony Dogval, Pierre
+ Scott MacVicar)
+ * Reading GIF images is not thread safe (static usage in private
+ functions) (Roman Nemecek, Nuno Lopes, Pierre)
+ * GIF Local palette is read twice
+ * GIF, Use local frame dimension when possible instead of the
+ logical screen size (Pierre)
+ * GIF, do not try to use the global colmap if it does not exist
+ (Nuno Lopes, Pierre)
+ * gdImageAALine draws axis lines with two pixels width (Pierre)
+ * gdImageArc CPU usage with large angles (Pierre)
+ * gdImageFilledRectangle regression fixed when used with reversed
+ edges (Pierre)
+ * Possible infinite loop in libgd/gd_png.c, flaw found by Xavier
+ Roche (Pierre)
+ * Fixed segfault when an invalid color index is present in a GIF
+ image data, reported by Elliot <wccode at gmail dot com> (Pierre)
+ * Possible integer overflow in gdImageCreateTrueColor (Pierre)
+ gdImageCreateXbm can crash if gdImageCreate fails (Pierre)
+- dropped obsolete patches (png-loop-CVE-2007-2756.patch)
+
+-------------------------------------------------------------------
+Tue May 29 17:16:32 CEST 2007 - nadvornik@suse.cz
+
+- fixed infinite loop on truncated png images
+ CVE-2007-2756 [#276525]
+
+-------------------------------------------------------------------
+Thu May 3 17:54:51 CEST 2007 - prusnak@suse.cz
+
+- changed expat to libexpat-devel in Requires of devel subpackage
+
+-------------------------------------------------------------------
+Tue Feb 20 11:47:45 CET 2007 - nadvornik@suse.cz
+
+- updated to 2.0.34:
+ * security fixes merged upstream
+ * various other bugfixes
+
++++ 238 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.2:Update/.gd.5538.new/gd.changes
New:
----
baselibs.conf
gd-2.1.0-CVE-2014-2497.patch
gd-CVE-2014-9709.patch
gd-CVE-2016-5116.patch
gd-CVE-2016-6128.patch
gd-CVE-2016-6132.patch
gd-CVE-2016-6161.patch
gd-CVE-2016-6207.patch
gd-CVE-2016-6214.patch
gd-CVE-2016-6905.patch
gd-aliasing.patch
gd-autoconf.patch
gd-config.patch
gd-fontpath.patch
gd-format.patch
gd.changes
gd.spec
libgd-2.1.0.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gd.spec ++++++
#
# spec file for package gd
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# gd builds the libgd3 shared library, the gd command-line tools and gd-devel.
%define prjname libgd
%define lname libgd3
Name: gd
Version: 2.1.0
Release: 0
Summary: A Drawing Library for Programs That Use PNG and JPEG Output
License: MIT
Group: System/Libraries
Url: http://libgd.bitbucket.org/
Source: https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}.tar.xz
Source1: baselibs.conf
# to be upstreamed, gdlib-config --libs to return the same as pkg-config --libs gdlib
Patch0: gd-config.patch
# might be upstreamed, but could be suse specific also (/usr/share/fonts/Type1 font dir)
Patch1: gd-fontpath.patch
# could be upstreamed, but not in this form (need ac check for attribute format printf, etc.)
Patch2: gd-format.patch
# could be upstreamed
Patch3: gd-aliasing.patch
# could be upstreamed?
Patch4: gd-autoconf.patch
# security fixes; the bug reference for each CVE is recorded in gd.changes.
# Patch5 and Patch6 apply with -p0, Patch7 to Patch13 with -p1 (see the prep section).
Patch5: gd-2.1.0-CVE-2014-2497.patch
Patch6: gd-CVE-2014-9709.patch
Patch7: gd-CVE-2016-5116.patch
Patch8: gd-CVE-2016-6214.patch
Patch9: gd-CVE-2016-6905.patch
Patch10: gd-CVE-2016-6128.patch
Patch11: gd-CVE-2016-6207.patch
Patch12: gd-CVE-2016-6161.patch
Patch13: gd-CVE-2016-6132.patch
BuildRequires: fontconfig-devel
BuildRequires: freetype2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: libtiff-devel
BuildRequires: libtool
BuildRequires: libvpx-devel
BuildRequires: pkg-config
BuildRequires: xorg-x11-libX11-devel
BuildRequires: xorg-x11-libXau-devel
BuildRequires: xorg-x11-libXdmcp-devel
BuildRequires: xorg-x11-libXpm-devel
Provides: gdlib = %{version}
Obsoletes: gdlib < %{version}
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
Gd allows your code to quickly draw images complete with lines, arcs,
text, and multiple colors. It supports cut and paste from other images
and flood fills. It outputs PNG, JPEG, and WBMP (for wireless devices)
and is supported by PHP.
%package -n %lname
Summary: A Drawing Library for Programs That Use PNG and JPEG Output
Group: System/Libraries
%description -n %lname
Gd allows your code to quickly draw images complete with lines, arcs,
text, and multiple colors. It supports cut and paste from other images
and flood fills. It outputs PNG, JPEG, and WBMP (for wireless devices)
and is supported by PHP.
%package devel
Summary: Drawing Library for Programs with PNG and JPEG Output
Group: Development/Libraries/C and C++
Requires: %lname = %{version}
Requires: glibc-devel
Requires: libpng-devel
Requires: libtiff-devel
Requires: libvpx-devel
Requires: zlib-devel
%description devel
gd allows code to quickly draw images complete with lines, arcs, text,
multiple colors, cut and paste from other images, and flood fills. gd
writes out the result as a PNG or JPEG file. This is particularly
useful in World Wide Web applications, where PNG and JPEG are two of
the formats accepted for inline images by most browsers.
%prep
%setup -q -n %{prjname}-%{version}
%patch0
%patch1
%patch2
%patch3
%patch4 -p1
%patch5
%patch6
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%build
autoreconf -fiv
# without-x -- useless switch which just mangles cflags
%configure \
--without-x \
--with-fontconfig \
--with-freetype \
--with-jpeg \
--with-png \
--with-xpm \
--disable-static \
--with-pic
make %{?_smp_mflags}
%check
make check %{?_smp_mflags}
%install
make DESTDIR=%{buildroot} install %{?_smp_mflags}
# libtool archives are not shipped; static libraries are already off via --disable-static
find %{buildroot} -type f -name "*.la" -delete -print
%post -n %lname -p /sbin/ldconfig
%postun -n %lname -p /sbin/ldconfig
%files
%defattr(-,root,root)
%doc COPYING NEWS examples
%{_bindir}/annotate
%{_bindir}/bdftogd
%{_bindir}/gd2copypal
%{_bindir}/gd2togif
%{_bindir}/gd2topng
%{_bindir}/gdcmpgif
%{_bindir}/gdparttopng
%{_bindir}/gdtopng
%{_bindir}/giftogd2
%{_bindir}/pngtogd
%{_bindir}/pngtogd2
%{_bindir}/webpng
%files -n %lname
%defattr(-,root,root)
%doc COPYING
%{_libdir}/*.so.*
%files devel
%defattr(-,root,root)
%doc COPYING
%{_bindir}/gdlib-config
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/gdlib.pc
%changelog
++++++ baselibs.conf ++++++
libgd3
++++++ gd-2.1.0-CVE-2014-2497.patch ++++++
Description: Patch to fix PHP bug 66901.
Author: Andres Mejia
From 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 Mon Sep 17 00:00:00 2001 From: Remi Collet
Date: Sat, 13 Dec 2014 08:48:18 +0100 Subject: [PATCH] Fix possible buffer read overflow detected by -fsanitize=address, thanks to Jan Bee
---
 src/gd_gif_in.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
Index: src/gd_gif_in.c
===================================================================
--- src/gd_gif_in.c.orig 2013-06-25 11:58:23.000000000 +0200
+++ src/gd_gif_in.c 2015-03-24 15:02:44.776580918 +0100
@@ -75,8 +75,10 @@
 #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+#define CSD_BUF_SIZE 280
+
 typedef struct {
- unsigned char buf[280];
+ unsigned char buf[CSD_BUF_SIZE];
 int curbit;
 int lastbit;
 int done;
@@ -408,9 +410,13 @@
 scd->lastbit = (2 + count) * 8;
 }
- ret = 0;
- for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
- ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+ if ((scd->curbit + code_size - 1) >= (CSD_BUF_SIZE * 8)) {
+ ret = -1;
+ } else {
+ ret = 0;
+ for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
+ ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+ }
 }
 scd->curbit += code_size;
++++++ gd-CVE-2016-5116.patch ++++++
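Review bot: The new range check sets `ret = -1` but `scd->curbit += code_size;` still runs on that path, and the sentinel only helps if every caller treats a negative code as a decode error rather than using it as an index — that caller logic is outside this hunk, so it should be confirmed. A comment at the check, `/* requested bits lie past buf: return -1, callers must stop decoding */`, would record the contract the callers now depend on. Because curbit keeps advancing, later calls on the same context trip the same check, which is acceptable for an already-invalid stream. The enclosing function starts and ends outside the hunk; the first hunk (CSD_BUF_SIZE) is only a constant extraction.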
From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001 From: Mike Frysinger
Date: Sat, 14 May 2016 01:38:18 -0400 Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
We use the name passed in to printf into a local stack buffer which is limited to 4000 bytes. So given a large enough value, lots of stack data is leaked. Rewrite the code to do simple memory copies with most of the strings to avoid that issue, and only use stack buffer for small numbers of constant size. This closes #211.
---
 src/gd_xbm.c | 34 +++++++++++++++++++++++++++-------
 1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/src/gd_xbm.c b/src/gd_xbm.c
index 74d839b..d28fdfc 100644
--- a/src/gd_xbm.c
+++ b/src/gd_xbm.c
@@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
 /* {{{ gdCtxPrintf */
 static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
 {
- char buf[4096];
+ char buf[1024];
 int len;
 va_list args;
@@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
 }
 /* }}} */
+/* The compiler will optimize strlen(constant) to a constant number. */
+#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s))
+
 /* {{{ gdImageXbmCtx */
 BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
 {
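Review bot: Shrinking `buf` to 1024 bytes is only safe if the length handed to putBuf is clamped to the buffer; the rest of gdCtxPrintf lies outside this hunk, and if it forwards vsnprintf's return value unchanged, a format that does not fit would still make putBuf read past `buf`. A guard after the vsnprintf call, `if (len < 0) return; if ((size_t)len >= sizeof buf) len = sizeof buf - 1;`, pins that independently of which formats remain. With the later hunks routing `name` through gdCtxPuts, only `%d` formats appear to reach this function, which is why 1024 suffices; a comment saying so above the buffer would keep a future caller from reintroducing `%s`.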
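Review bot: `gdCtxPuts` evaluates both macro arguments twice and does not parenthesize them, so an argument with a side effect or an embedded comma would misbehave; a `static inline void gdCtxPuts(gdIOCtx *out, const char *s) { out->putBuf(out, s, strlen(s)); }` keeps every call site unchanged and is type-checked. If putBuf's length parameter is an `int` (its prototype is not visible here), the `size_t` from strlen is also narrowed implicitly, which the inline form would make explicit with a cast. The comment above the macro only holds for literal arguments; the `name` argument used in the following hunk is computed at run time, so the comment should say the length is computed per call.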
@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
 }
 }
- gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image));
- gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image));
- gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name);
+ /* Since "name" comes from the user, run it through a direct puts.
+ * Trying to printf it into a local buffer means we'd need a large
+ * or dynamic buffer to hold it all. */
+
+ /* #define <name>_width 1234 */
+ gdCtxPuts(out, "#define ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_width ");
+ gdCtxPrintf(out, "%d\n", gdImageSX(image));
+
+ /* #define <name>_height 1234 */
+ gdCtxPuts(out, "#define ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_height ");
+ gdCtxPrintf(out, "%d\n", gdImageSY(image));
+
+ /* static unsigned char <name>_bits[] = {\n */
+ gdCtxPuts(out, "static unsigned char ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_bits[] = {\n ");
 free(name);
@@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
 if ((b == 128) || (x == sx && y == sy)) {
 b = 1;
 if (p) {
- gdCtxPrintf(out, ", ");
+ gdCtxPuts(out, ", ");
 if (!(p%12)) {
- gdCtxPrintf(out, "\n ");
+ gdCtxPuts(out, "\n ");
 p = 12;
 }
 }
@@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
 }
 }
 }
- gdCtxPrintf(out, "};\n");
+ gdCtxPuts(out, "};\n");
 }
 /* }}} */
++++++ gd-CVE-2016-6128.patch ++++++
--- a/src/gd_crop.c
+++ b/src/gd_crop.c
@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
 return NULL;
 }
+ if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
+ return NULL;
+ }
+
 /* TODO: Add gdImageGetRowPtr and works with ptr at the row level
 * for the true color and palette images
 * new formats will simply work with ptr
++++++ gd-CVE-2016-6132.patch ++++++
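Review bot: The new palette guard in gdImageCropThreshold compares the unsigned `color` with the value of gdImageColorsTotal(), whose type is not visible here; if it is a plain `int`, the comparison is performed in unsigned arithmetic and is correct only because the palette count is never negative. A cast or a comment, e.g. `/* palette index must be below the allocated palette size; colorsTotal is non-negative */`, documents that assumption next to the check. The function body continues outside the hunk, including the palette accesses through `color` that this check presumably protects.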
From 921e590565deb033acafcfa9063b4563200b14b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 12 Jul 2016 11:24:09 +0200 Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA files
---
 src/gd_tga.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/gd_tga.c b/src/gd_tga.c
index ef20f86..07f3c86 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -237,7 +237,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
 return -1;
 }
- gdGetBuf(conversion_buffer, image_block_size, ctx);
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ return -1;
+ }
 while (buffer_caret < image_block_size) {
 tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
@@ -261,7 +264,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
 return -1;
 }
- gdGetBuf( conversion_buffer, image_block_size, ctx );
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ gdFree(decompression_buffer);
+ return -1;
+ }
 buffer_caret = 0;
++++++ gd-CVE-2016-6161.patch ++++++
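Review bot: Both hunks (the second also releases decompression_buffer) compare the gdGetBuf result with `image_block_size` using `!=`, which is only meaningful if gdGetBuf returns a byte count of the same type and range as `image_block_size`; neither declaration is visible here, so if `image_block_size` is wider than `int` the comparison should be stated explicitly. A one-line comment above the first check, `/* a short read means truncated input; leave no uninitialised bytes in conversion_buffer */`, records why a partial read is rejected rather than tolerated. read_image_tga starts and ends outside both hunks, and whether `tga->bitmap` is released by the caller on the -1 return cannot be seen from here.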
From 82b80dcb70a7ca8986125ff412bceddafc896842 Mon Sep 17 00:00:00 2001 From: Mike Frysinger
Date: Sat, 14 May 2016 02:13:15 -0400 Subject: [PATCH] gif: avoid out-of-bound reads of masks array #209
When given invalid inputs, we might be fed the EOF marker before it is
actually the EOF. The gif logic assumes once it sees the EOF marker,
there won't be any more data, so it leaves the cur_bits index possibly
negative. So when we get more data, we underflow the masks array.
Flag it so we don't try to output anything more. The image is invalid,
so we shouldn't be truncating any valid inputs.
This fixes #209.
---
src/gd_gif_out.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
index 51ceb75..3099d49 100644
--- a/src/gd_gif_out.c
+++ b/src/gd_gif_out.c
@@ -1442,15 +1442,23 @@ static void compress(int init_bits, gdIOCtxPtr outfile, gdImagePtr im, GifCtx *c
* code in turn. When the buffer fills up empty it and start over.
*/
-static unsigned long masks[] = {
+static const unsigned long masks[] = {
0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
0x001F, 0x003F, 0x007F, 0x00FF,
0x01FF, 0x03FF, 0x07FF, 0x0FFF,
0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF
};
+/* Arbitrary value to mark output is done. When we see EOFCode, then we don't
+ * expect to see any more data. If we do (e.g. corrupt image inputs), cur_bits
+ * might be negative, so flag it to return early.
+ */
+#define CUR_BITS_FINISHED -1000
+
static void output(code_int code, GifCtx *ctx)
{
+ if (ctx->cur_bits == CUR_BITS_FINISHED)
+ return;
ctx->cur_accum &= masks[ctx->cur_bits];
if(ctx->cur_bits > 0) {
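Review bot: The early return only catches the exact sentinel, while `ctx->cur_accum &= masks[ctx->cur_bits];` on the next line still indexes the array without a range check; any other negative or too-large cur_bits would read outside `masks`, which has 17 entries (indices 0..16). A defensive `if (ctx->cur_bits < 0 || ctx->cur_bits > 16) return;` in place of the equality test closes that generally, and `#define CUR_BITS_FINISHED -1000` should be written `(-1000)` per usual macro hygiene. The body of output() continues in the next hunk and outside it.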
@@ -1492,6 +1500,8 @@ static void output(code_int code, GifCtx *ctx)
ctx->cur_accum >>= 8;
ctx->cur_bits -= 8;
}
+ /* Flag that it's done to prevent re-entry. */
+ ctx->cur_bits = CUR_BITS_FINISHED;
flush_char(ctx);
}
++++++ gd-CVE-2016-6207.patch ++++++
Index: libgd-2.1.0/src/gd.c
===================================================================
--- libgd-2.1.0.orig/src/gd.c 2013-06-25 11:58:23.000000000 +0200
+++ libgd-2.1.0/src/gd.c 2016-08-08 15:04:29.487691217 +0200
@@ -207,7 +207,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTru
return 0;
}
- if (overflow2(sizeof(int), sx)) {
+ if (overflow2(sizeof(int *), sx)) {
return NULL;
}
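Review bot: The corrected overflow check says what it protects only through its operand; a comment such as `/* tpixels holds sx row pointers: the product checked must use sizeof(int *) */` would tie the `sizeof(int *)` to the allocation it guards, presumably the true-color row-pointer array allocated further down. gdImageCreateTrueColor's body starts and ends outside this hunk, so that allocation cannot be confirmed from here.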
Index: libgd-2.1.0/src/gd_interpolation.c
===================================================================
--- libgd-2.1.0.orig/src/gd_interpolation.c 2013-06-25 11:58:23.000000000 +0200
+++ libgd-2.1.0/src/gd_interpolation.c 2016-08-08 15:05:50.725062244 +0200
@@ -901,6 +901,7 @@ static inline LineContribType * _gdContr
{
unsigned int u = 0;
LineContribType *res;
+ int overflow_error = 0;
res = (LineContribType *) gdMalloc(sizeof(LineContribType));
if (!res) {
@@ -908,10 +909,31 @@ static inline LineContribType * _gdContr
}
res->WindowSize = windows_size;
res->LineLength = line_length;
+ if (overflow2(line_length, sizeof(ContributionType))) {
+ gdFree(res);
+ return NULL;
+ }
res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
-
+ if (res->ContribRow == NULL) {
+ gdFree(res);
+ return NULL;
+ }
for (u = 0 ; u < line_length ; u++) {
- res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+ if (overflow2(windows_size, sizeof(double))) {
+ overflow_error = 1;
+ } else {
+ res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+ }
+ if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
+ unsigned int i;
+ u--;
+ for (i=0;i<=u;i++) {
+ gdFree(res->ContribRow[i].Weights);
+ }
+ gdFree(res->ContribRow);
+ gdFree(res);
+ return NULL;
+ }
}
return res;
}
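Review bot: The cleanup path `u--; for (i=0;i<=u;i++)` is wrong when the first iteration fails: `u` is declared `unsigned int` earlier in the function, so `u--` wraps to UINT_MAX and the loop calls gdFree on `res->ContribRow[i].Weights` for every index up to that value, far past the `line_length` entries that exist. Because `overflow2(windows_size, sizeof(double))` does not depend on `u`, the overflow_error branch always fires on u == 0 and always takes this path. Replace the decrement and loop with `for (i = 0; i < u; i++) { gdFree(res->ContribRow[i].Weights); }`, which frees exactly the rows already allocated; the loop-invariant overflow check can also move ahead of the `for`. _gdContributionsAlloc starts outside this hunk.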
@@ -944,7 +966,9 @@ static inline LineContribType *_gdContri
windows_size = 2 * (int)ceil(width_d) + 1;
res = _gdContributionsAlloc(line_size, windows_size);
-
+ if (res == NULL) {
+ return NULL;
+ }
for (u = 0; u < line_size; u++) {
const double dCenter = (double)u / scale_d;
/* get the significant edge points affecting the pixel */
++++++ gd-CVE-2016-6214.patch ++++++
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
if (tga->bits == TGA_BPP_24) {
*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
bitmap_caret += 3;
- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
+ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
register int a = tga->bitmap[bitmap_caret + 3];
*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
printf("wxh: %i %i\n", tga->width, tga->height);
#endif
- switch(tga->bits) {
- case 8:
- case 16:
- case 24:
- case 32:
- break;
- default:
- gd_error("bps %i not supported", tga->bits);
+ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
+ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
+ {
+ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
+ tga->bits, tga->alphabits);
return -1;
- break;
}
tga->ident = NULL;
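Review bot: The new gd_error_ex call formats `tga->bits` and `tga->alphabits` with `%u`, but the declared types of those fields are not visible here; if they are `int`, the specifiers should be `%d` (or the values cast), otherwise -Wformat will warn and the output is formally undefined. This check is also what makes the `||` to `&&` change in the first hunk safe — only 24/0 and 32/8 now reach the pixel loop — so a comment such as `/* only the two combinations decoded by gdImageCreateFromTgaCtx are accepted */` would record the coupling. read_header_tga continues outside the hunk.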
++++++ gd-CVE-2016-6905.patch ++++++
6aa343e6e195bf65fb47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=