commit gd.5538 for openSUSE:13.2:Update
Hello community, here is the log from the commit of package gd.5538 for openSUSE:13.2:Update checked in at 2016-08-31 16:17:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.2:Update/gd.5538 (Old) and /work/SRC/openSUSE:13.2:Update/.gd.5538.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gd.5538" Changes: -------- New Changes file: --- /dev/null 2016-07-07 10:01:34.856033756 +0200 +++ /work/SRC/openSUSE:13.2:Update/.gd.5538.new/gd.changes 2016-08-31 16:17:35.000000000 +0200 
@@ -0,0 +1,435 @@ +------------------------------------------------------------------- +Tue Aug 23 12:58:16 UTC 2016 - pgajdos@suse.com + +- security update: + * CVE-2016-6905 [bsc#995034] + + gd-CVE-2016-6905.patch + +------------------------------------------------------------------- +Mon Aug 8 10:47:51 UTC 2016 - pgajdos@suse.com + +- security update: + * CVE-2016-6214 [bsc#991436] + + gd-CVE-2016-6214.patch + * CVE-2016-6132 [bsc#987577] + + gd-CVE-2016-6132.patch + * CVE-2016-6128 [bsc#991710] + + gd-CVE-2016-6128.patch + * CVE-2016-6207 [bsc#991622] + + gd-CVE-2016-6207.patch + * CVE-2016-6161 [bsc#988032] + + gd-CVE-2016-6161.patch + +------------------------------------------------------------------- +Mon May 30 13:20:20 UTC 2016 - pgajdos@suse.com + +- security update: + * CVE-2016-5116 [bsc#982176] + + gd-CVE-2016-5116.patch + +------------------------------------------------------------------- +Tue Mar 24 14:04:11 UTC 2015 - pgajdos@suse.com + +- fixed CVE-2014-9709 [bnc#923945] + + gd-CVE-2014-9709.patch + +------------------------------------------------------------------- +Tue Aug 26 05:58:53 UTC 2014 - jengelh@inai.de + +- Resolve build failure with automake-1.14 + +------------------------------------------------------------------- +Fri Jun 27 12:05:59 UTC 2014 - meissner@suse.com + +- split out libgd3, so libgd2 could be installed in parallel. + +------------------------------------------------------------------- +Thu Apr 17 17:51:34 UTC 2014 - tchvatal@suse.com + +- Add tiff and vpx to the devel deps as it is in .pc file. 
+ +------------------------------------------------------------------- +Thu Apr 10 07:08:18 UTC 2014 - pgajdos@suse.com + +- build against libtiff and libvpx + +------------------------------------------------------------------- +Fri Apr 4 12:21:22 UTC 2014 - pgajdos@suse.com + +- fixed NULL ptr deref in GD XPM decoder [bnc#868624] + * CVE-2014-2497.patch + +------------------------------------------------------------------- +Fri Dec 27 07:42:11 UTC 2013 - tchvatal@suse.com + +- Cleanup here&there to parallelize everything +- Remove bogus cmake dependency + +------------------------------------------------------------------- +Tue Dec 17 14:30:38 UTC 2013 - pgajdos@suse.com + +- updated to 2.1.0 +- removed warn.patch (not needed) +- removed ppc64.patch (upstreamed) +- removed gd-png_check_sig.patch (upstreamed) + +------------------------------------------------------------------- +Sun Feb 3 14:57:17 UTC 2013 - crrodriguez@opensuse.org + +- gd-autoconf.patch fix up compile file so gd can handle + large files on 32 bit + +------------------------------------------------------------------- +Sun Feb 5 16:31:39 UTC 2012 - jengelh@medozas.de + +- Remove redundant tags/sections +- Parallel build with %_smp_mflags +- Remove pointless INSTALL file from rpm package + (it's just the default autotools INSTALL blurb) + +------------------------------------------------------------------- +Wed Oct 5 12:05:47 UTC 2011 - uli@suse.com + +- cross-build fix: use libpng from sysroot + +------------------------------------------------------------------- +Sat Oct 1 05:39:10 UTC 2011 - coolo@suse.com + +- add libtool as buildrequire to make the spec file more reliable + +------------------------------------------------------------------- +Tue Jun 14 15:00:32 UTC 2011 - aj@suse.de + +- Devel package needs zlib-devel and libpng-devel. 
+ +------------------------------------------------------------------- +Tue Apr 6 18:27:56 CEST 2010 - ro@suse.de + +- add baselibs.conf (for libpghoto2) + +------------------------------------------------------------------- +Sun Apr 4 18:39:19 CEST 2010 - ro@suse.de + +- replace png_check_sig by negated png_sig_cmp for libpng14 + +------------------------------------------------------------------- +Wed Nov 12 16:18:34 CET 2008 - crrodriguez@suse.de + +- QA Results: Regression on PPC64 only, detected by PHP test suite, + the system libgd part, fix by IBM + +------------------------------------------------------------------- +Mon Mar 10 01:43:39 CET 2008 - crrodriguez@suse.de + +- fix rpm version number, otherwise it wont upgrade later. + +------------------------------------------------------------------- +Fri Jan 18 15:51:13 CET 2008 - anosek@suse.cz + +- updated to version 2.0.36RC1 + * Fixed gdImageCopy with true color image, the transparent color was ignored + * Fixed support of PNG grayscale image with alpha channel + * Added Netware builds script + * ease the creation of regexp to match symbols/functions in the sources + * _gdCreateFromFile() can crash if gdImageCreate fails + * gdImageCreateFrom*Ptr() can crash if gdNewDynamicCtxEx() fails + * gdImageRectangle draws 1x1 rectangles as 1x3 rectangles + * Possible integer overflow in gdImageFill() + * Optimization for single pixel line not in correct order + * gdImageColorDeallocate can write outside buffer + * gdImageColorTransparent can write outside buffer + * gdImageWBMPCtx can crash when createwbmp fails + * Fixed decoding of the html entity ϑ + * Fixed configure script ignoring --with-png=DIR option +- dropped obsoleted security.patch + +------------------------------------------------------------------- +Thu Dec 20 04:22:14 CET 2007 - crrodriguez@suse.de + +- remove static libraries and "la" files +- devel package dependency cleanup + +------------------------------------------------------------------- 
+Mon Jul 9 09:09:51 CEST 2007 - anosek@suse.cz + +- updated to version 2.0.35 + * Fix valgrind error in gdImageFillTiled (Nuno Lopes) + * Add missing custom cmake macros (required for the tests suite) + * Avoid signature buffer copy in gd_gif_c (Nuno Lopes) + * Race condition in gdImageStringFTEx (Antony Dogval, Pierre + Scott MacVicar) + * Reading GIF images is not thread safe (static usage in private + functions) (Roman Nemecek, Nuno Lopes, Pierre) + * GIF Local palette is read twice + * GIF, Use local frame dimension when possible instead of the + logical screen size (Pierre) + * GIF, do not try to use the global colmap if it does not exist + (Nuno Lopes, Pierre) + * gdImageAALine draws axis lines with two pixels width (Pierre) + * gdImageArc CPU usage with large angles (Pierre) + * gdImageFilledRectangle regression fixed when used with reversed + edges (Pierre) + * Possible infinite loop in libgd/gd_png.c, flaw found by Xavier + Roche (Pierre) + * Fixed segfault when an invalid color index is present in a GIF + image data, reported by Elliot <wccode at gmail dot com> (Pierre) + * Possible integer overflow in gdImageCreateTrueColor (Pierre) + gdImageCreateXbm can crash if gdImageCreate fails (Pierre) +- dropped obsolete patches (png-loop-CVE-2007-2756.patch) + +------------------------------------------------------------------- +Tue May 29 17:16:32 CEST 2007 - nadvornik@suse.cz + +- fixed infinite loop on truncated png images + CVE-2007-2756 [#276525] + +------------------------------------------------------------------- +Thu May 3 17:54:51 CEST 2007 - prusnak@suse.cz + +- changed expat to libexpat-devel in Requires of devel subpackage + +------------------------------------------------------------------- +Tue Feb 20 11:47:45 CET 2007 - nadvornik@suse.cz + +- updated to 2.0.34: + * security fixes merged upstream + * various other bugfixes + ++++ 238 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.gd.5538.new/gd.changes New: 
---- baselibs.conf gd-2.1.0-CVE-2014-2497.patch gd-CVE-2014-9709.patch gd-CVE-2016-5116.patch gd-CVE-2016-6128.patch gd-CVE-2016-6132.patch gd-CVE-2016-6161.patch gd-CVE-2016-6207.patch gd-CVE-2016-6214.patch gd-CVE-2016-6905.patch gd-aliasing.patch gd-autoconf.patch gd-config.patch gd-fontpath.patch gd-format.patch gd.changes gd.spec libgd-2.1.0.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gd.spec ++++++ # # spec file for package gd # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define prjname libgd %define lname libgd3 Name: gd Version: 2.1.0 Release: 0 Summary: A Drawing Library for Programs That Use PNG and JPEG Output License: MIT Group: System/Libraries Url: http://libgd.bitbucket.org/ Source: https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}.tar.xz Source1: baselibs.conf # to be upstreamed, gdlib-config --libs to return the same as pkg-config --libs gdlib Patch0: gd-config.patch # might be upstreamed, but could be suse specific also (/usr/share/fonts/Type1 font dir) Patch1: gd-fontpath.patch # could be upstreamed, but not in this form (need ac check for attribute format printf, etc.) Patch2: gd-format.patch # could be upstreamed Patch3: gd-aliasing.patch # could be upstreamed? 
Patch4: gd-autoconf.patch Patch5: gd-2.1.0-CVE-2014-2497.patch Patch6: gd-CVE-2014-9709.patch Patch7: gd-CVE-2016-5116.patch Patch8: gd-CVE-2016-6214.patch Patch9: gd-CVE-2016-6905.patch Patch10: gd-CVE-2016-6128.patch Patch11: gd-CVE-2016-6207.patch Patch12: gd-CVE-2016-6161.patch Patch13: gd-CVE-2016-6132.patch BuildRequires: fontconfig-devel BuildRequires: freetype2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel BuildRequires: libtiff-devel BuildRequires: libtool BuildRequires: libvpx-devel BuildRequires: pkg-config BuildRequires: xorg-x11-libX11-devel BuildRequires: xorg-x11-libXau-devel BuildRequires: xorg-x11-libXdmcp-devel BuildRequires: xorg-x11-libXpm-devel Provides: gdlib = %{version} Obsoletes: gdlib < %{version} BuildRoot: %{_tmppath}/%{name}-%{version}-build %description Gd allows your code to quickly draw images complete with lines, arcs, text, and multiple colors. It supports cut and paste from other images and flood fills. It outputs PNG, JPEG, and WBMP (for wireless devices) and is supported by PHP. %package -n %lname Summary: A Drawing Library for Programs That Use PNG and JPEG Output Group: System/Libraries %description -n %lname Gd allows your code to quickly draw images complete with lines, arcs, text, and multiple colors. It supports cut and paste from other images and flood fills. It outputs PNG, JPEG, and WBMP (for wireless devices) and is supported by PHP. %package devel Summary: Drawing Library for Programs with PNG and JPEG Output Group: Development/Libraries/C and C++ Requires: %lname = %{version} Requires: glibc-devel Requires: libpng-devel Requires: libtiff-devel Requires: libvpx-devel Requires: zlib-devel %description devel gd allows code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills. gd writes out the result as a PNG or JPEG file. 
This is particularly useful in World Wide Web applications, where PNG and JPEG are two of the formats accepted for inline images by most browsers. %prep %setup -q -n %{prjname}-%{version} %patch0 %patch1 %patch2 %patch3 %patch4 -p1 %patch5 %patch6 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 %patch13 -p1 %build autoreconf -fiv # without-x -- useless switch which just mangles cflags %configure \ --without-x \ --with-fontconfig \ --with-freetype \ --with-jpeg \ --with-png \ --with-xpm \ --disable-static \ --with-pic make %{?_smp_mflags} %check make check %{?_smp_mflags} %install make DESTDIR=%{buildroot} install %{?_smp_mflags} find %{buildroot} -type f -name "*.la" -delete -print %post -n %lname -p /sbin/ldconfig %postun -n %lname -p /sbin/ldconfig %files %defattr(-,root,root) %doc COPYING NEWS examples %{_bindir}/annotate %{_bindir}/bdftogd %{_bindir}/gd2copypal %{_bindir}/gd2togif %{_bindir}/gd2topng %{_bindir}/gdcmpgif %{_bindir}/gdparttopng %{_bindir}/gdtopng %{_bindir}/giftogd2 %{_bindir}/pngtogd %{_bindir}/pngtogd2 %{_bindir}/webpng %files -n %lname %defattr(-,root,root) %doc COPYING %{_libdir}/*.so.* %files devel %defattr(-,root,root) %doc COPYING %{_bindir}/gdlib-config %{_includedir}/* %{_libdir}/*.so %{_libdir}/pkgconfig/gdlib.pc %changelog ++++++ baselibs.conf ++++++ libgd3 ++++++ gd-2.1.0-CVE-2014-2497.patch ++++++ Description: Patch to fix PHP bug 66901. Author: Andres Mejia <mejiaa@amazon.com> Forwarded: no Index: src/gdxpm.c =================================================================== --- src/gdxpm.c.orig 2014-04-04 12:56:02.570160501 +0200 +++ src/gdxpm.c 2014-04-04 13:01:24.031976322 +0200 
@@ -62,6 +62,14 @@ for(i = 0; i < number; i++) { char *c_color = image.colorTable[i].c_color; + if (!image.colorTable[i].c_color) + { + /* unsupported color key or color key not defined */ + gdImageDestroy(im); + gdFree(colors); + im = 0; + goto done; + } if(strcmp(c_color, "None") == 0) { colors[i] = gdImageGetTransparent(im); if(colors[i] == -1) colors[i] = gdImageColorAllocate(im, 0, 0, 0); ++++++ gd-CVE-2014-9709.patch ++++++
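Review bot: The added guard re-reads `image.colorTable[i].c_color` instead of testing the local `c_color` assigned on the line just above it; `if (!c_color)` says the same thing and keeps the two in step. The block destroys `im` and frees `colors` inline before `goto done`, and the `done:` label is outside the hunk, so confirm that the cleanup there does not free `colors` a second time on this path. `im = 0` would conventionally be `im = NULL` for a pointer. The enclosing function starts and ends outside the hunk.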
From 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Sat, 13 Dec 2014 08:48:18 +0100
Subject: [PATCH] Fix possible buffer read overflow detected by -fsanitize=address, thanks to Jan Bee
--- src/gd_gif_in.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) Index: src/gd_gif_in.c =================================================================== --- src/gd_gif_in.c.orig 2013-06-25 11:58:23.000000000 +0200 +++ src/gd_gif_in.c 2015-03-24 15:02:44.776580918 +0100 @@ -75,8 +75,10 @@ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) +#define CSD_BUF_SIZE 280 + typedef struct { - unsigned char buf[280]; + unsigned char buf[CSD_BUF_SIZE]; int curbit; int lastbit; int done; @@ -408,9 +410,13 @@ scd->lastbit = (2 + count) * 8; } - ret = 0; - for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) { - ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; + if ((scd->curbit + code_size - 1) >= (CSD_BUF_SIZE * 8)) { + ret = -1; + } else { + ret = 0; + for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) { + ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; + } } scd->curbit += code_size; ++++++ gd-CVE-2016-5116.patch ++++++
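Review bot: In the second hunk (`@@ -408,9 +410,13 @@`) the rejected branch sets `ret = -1` but the function still executes `scd->curbit += code_size` afterwards, so the bit position is left past `CSD_BUF_SIZE * 8` and every later call on this state is rejected as well. That fail-closed behaviour looks intentional but is not stated; a comment such as `/* curbit is deliberately left past the end: every further read of this block fails too */` would keep a later maintainer from "fixing" it. Presumably `-1` is also the value callers treat as end-of-data, so a truncated block and a corrupt one are indistinguishable to them; if that matters, a distinct error code would help. The enclosing function starts and ends outside the hunk.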
From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 14 May 2016 01:38:18 -0400
Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
We use the name passed in to printf into a local stack buffer which is limited to 4000 bytes. So given a large enough value, lots of stack data is leaked. Rewrite the code to do simple memory copies with most of the strings to avoid that issue, and only use stack buffer for small numbers of constant size. This closes #211. --- src/gd_xbm.c | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) diff --git a/src/gd_xbm.c b/src/gd_xbm.c index 74d839b..d28fdfc 100644 --- a/src/gd_xbm.c +++ b/src/gd_xbm.c @@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd) /* {{{ gdCtxPrintf */ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...) { - char buf[4096]; + char buf[1024]; int len; va_list args; @@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...) } /* }}} */ +/* The compiler will optimize strlen(constant) to a constant number. */ +#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s)) + /* {{{ gdImageXbmCtx */ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out) { 
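Review bot: Shrinking `buf` from 4096 to 1024 bytes in the `@@ -180,7 +180,7 @@` hunk is only neutral if the formatting below is bounded, i.e. a `vsnprintf(buf, sizeof buf, format, args)` whose `len` is clamped before it reaches `putBuf`. The body of `gdCtxPrintf` lies outside the hunk, so confirm it does not use `vsprintf`; otherwise the smaller buffer merely moves the overflow boundary closer.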
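Review bot: `gdCtxPuts` in the `@@ -191,6 +191,9 @@` hunk is a function-like macro that evaluates `s` twice (once in `strlen`, once in `putBuf`) and leaves both `out` and `s` unparenthesised, so an argument with side effects or an expression argument would misbehave. A `static inline` gives the same calls type-checking and single evaluation: `static inline void gdCtxPuts(gdIOCtx *out, const char *s) { out->putBuf(out, s, strlen(s)); }`. The comment about the compiler folding `strlen(constant)` also no longer describes all uses, since the later hunks pass the runtime string `name` through it.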
@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC } } - gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image)); - gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image)); - gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name); + /* Since "name" comes from the user, run it through a direct puts. + * Trying to printf it into a local buffer means we'd need a large + * or dynamic buffer to hold it all. */ + + /* #define <name>_width 1234 */ + gdCtxPuts(out, "#define "); + gdCtxPuts(out, name); + gdCtxPuts(out, "_width "); + gdCtxPrintf(out, "%d\n", gdImageSX(image)); + + /* #define <name>_height 1234 */ + gdCtxPuts(out, "#define "); + gdCtxPuts(out, name); + gdCtxPuts(out, "_height "); + gdCtxPrintf(out, "%d\n", gdImageSY(image)); + + /* static unsigned char <name>_bits[] = {\n */ + gdCtxPuts(out, "static unsigned char "); + gdCtxPuts(out, name); + gdCtxPuts(out, "_bits[] = {\n "); free(name); @@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC if ((b == 128) || (x == sx && y == sy)) { b = 1; if (p) { - gdCtxPrintf(out, ", "); + gdCtxPuts(out, ", "); if (!(p%12)) { - gdCtxPrintf(out, "\n "); + gdCtxPuts(out, "\n "); p = 12; } } @@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC } } } - gdCtxPrintf(out, "};\n"); + gdCtxPuts(out, "};\n"); } /* }}} */ ++++++ gd-CVE-2016-6128.patch ++++++ --- a/src/gd_crop.c +++ b/src/gd_crop.c @@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c return NULL; } + if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) { + return NULL; + } + /* TODO: Add gdImageGetRowPtr and works with ptr at the row level * for the true color and palette images * new formats will simply work with ptr ++++++ gd-CVE-2016-6132.patch ++++++
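Review bot: The new check in the gd_crop.c hunk compares `color` (declared `const unsigned int` in the hunk header) with `gdImageColorsTotal(im)`, which is presumably an `int`, so the comparison is performed unsigned; that is correct as long as the palette count can never be negative, but the reason for the check is not stated. A one-line comment would make the intent explicit: `/* palette image: color is a palette index and must be < colorsTotal */`. `gdImageCropThreshold` starts and ends outside the hunk.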
From 921e590565deb033acafcfa9063b4563200b14b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Tue, 12 Jul 2016 11:24:09 +0200
Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA files
--- src/gd_tga.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/gd_tga.c b/src/gd_tga.c index ef20f86..07f3c86 100644 --- a/src/gd_tga.c +++ b/src/gd_tga.c @@ -237,7 +237,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) return -1; } - gdGetBuf(conversion_buffer, image_block_size, ctx); + if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) { + gdFree(conversion_buffer); + return -1; + } while (buffer_caret < image_block_size) { tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret]; @@ -261,7 +264,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) return -1; } - gdGetBuf( conversion_buffer, image_block_size, ctx ); + if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) { + gdFree(conversion_buffer); + gdFree(decompression_buffer); + return -1; + } buffer_caret = 0; ++++++ gd-CVE-2016-6161.patch ++++++
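Review bot: Both hunks add a hand-written free-and-return sequence that must stay consistent by hand: the first frees only `conversion_buffer`, the second must free `conversion_buffer` and `decompression_buffer`, and the existing `return -1` paths just above each hunk do the same thing again. A single cleanup label at the end of `read_image_tga` reached by `goto` from every failure point would keep the set of buffers released in one place. `read_image_tga` starts and ends outside both hunks; if `tga->bitmap` has already been allocated at these points, confirm that the caller releases it on the `-1` return.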
From 82b80dcb70a7ca8986125ff412bceddafc896842 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 14 May 2016 02:13:15 -0400
Subject: [PATCH] gif: avoid out-of-bound reads of masks array #209
When given invalid inputs, we might be fed the EOF marker before it is actually the EOF. The gif logic assumes once it sees the EOF marker, there won't be any more data, so it leaves the cur_bits index possibly negative. So when we get more data, we underflow the masks array. Flag it so we don't try to output anything more. The image is invalid, so we shouldn't be truncating any valid inputs. This fixes #209. --- src/gd_gif_out.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c index 51ceb75..3099d49 100644 --- a/src/gd_gif_out.c +++ b/src/gd_gif_out.c @@ -1442,15 +1442,23 @@ static void compress(int init_bits, gdIOCtxPtr outfile, gdImagePtr im, GifCtx *c * code in turn. When the buffer fills up empty it and start over. */ -static unsigned long masks[] = { +static const unsigned long masks[] = { 0x0000, 0x0001, 0x0003, 0x0007, 0x000F, 0x001F, 0x003F, 0x007F, 0x00FF, 0x01FF, 0x03FF, 0x07FF, 0x0FFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF }; +/* Arbitrary value to mark output is done. When we see EOFCode, then we don't + * expect to see any more data. If we do (e.g. corrupt image inputs), cur_bits + * might be negative, so flag it to return early. + */ +#define CUR_BITS_FINISHED -1000 + static void output(code_int code, GifCtx *ctx) { + if (ctx->cur_bits == CUR_BITS_FINISHED) + return; ctx->cur_accum &= masks[ctx->cur_bits]; if(ctx->cur_bits > 0) { @@ -1492,6 +1500,8 @@ static void output(code_int code, GifCtx *ctx) ctx->cur_accum >>= 8; ctx->cur_bits -= 8; } + /* Flag that it's done to prevent re-entry. */ + ctx->cur_bits = CUR_BITS_FINISHED; flush_char(ctx); } ++++++ gd-CVE-2016-6207.patch ++++++ Index: libgd-2.1.0/src/gd.c =================================================================== --- libgd-2.1.0.orig/src/gd.c 2013-06-25 11:58:23.000000000 +0200 +++ libgd-2.1.0/src/gd.c 2016-08-08 15:04:29.487691217 +0200 
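Review bot: In the first hunk, `output()` still indexes `masks[ctx->cur_bits]` for any out-of-range value other than the exact `CUR_BITS_FINISHED` sentinel, so the guard depends on every path that corrupts `cur_bits` going through the EOF branch. A bounds check on the index itself guards the array directly and is independent of how the value got there: `if (ctx->cur_bits < 0 || ctx->cur_bits >= (int)(sizeof masks / sizeof masks[0])) return;` (the table in the hunk has 17 entries), keeping the sentinel check alongside it if the early return on the finished state should remain cheap. `CUR_BITS_FINISHED` would also be better as an `enum` constant than a `#define` so it is visible in a debugger. The `output` function continues past the end of the first hunk.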
@@ -207,7 +207,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTru return 0; } - if (overflow2(sizeof(int), sx)) { + if (overflow2(sizeof(int *), sx)) { return NULL; } Index: libgd-2.1.0/src/gd_interpolation.c =================================================================== --- libgd-2.1.0.orig/src/gd_interpolation.c 2013-06-25 11:58:23.000000000 +0200 +++ libgd-2.1.0/src/gd_interpolation.c 2016-08-08 15:05:50.725062244 +0200 @@ -901,6 +901,7 @@ static inline LineContribType * _gdContr { unsigned int u = 0; LineContribType *res; + int overflow_error = 0; res = (LineContribType *) gdMalloc(sizeof(LineContribType)); if (!res) { @@ -908,10 +909,31 @@ static inline LineContribType * _gdContr } res->WindowSize = windows_size; res->LineLength = line_length; + if (overflow2(line_length, sizeof(ContributionType))) { + gdFree(res); + return NULL; + } res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType)); - + if (res->ContribRow == NULL) { + gdFree(res); + return NULL; + } for (u = 0 ; u < line_length ; u++) { - res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double)); + if (overflow2(windows_size, sizeof(double))) { + overflow_error = 1; + } else { + res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double)); + } + if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) { + unsigned int i; + u--; + for (i=0;i<=u;i++) { + gdFree(res->ContribRow[i].Weights); + } + gdFree(res->ContribRow); + gdFree(res); + return NULL; + } } return res; } @@ -944,7 +966,9 @@ static inline LineContribType *_gdContri windows_size = 2 * (int)ceil(width_d) + 1; res = _gdContributionsAlloc(line_size, windows_size); - + if (res == NULL) { + return NULL; + } for (u = 0; u < line_size; u++) { const double dCenter = (double)u / scale_d; /* get the significant edge points affecting the pixel */ ++++++ gd-CVE-2016-6214.patch ++++++ --- a/src/gd_tga.c +++ b/src/gd_tga.c 
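Review bot: In the `@@ -908,10 +909,31 @@` hunk of gd_interpolation.c, `u` is `unsigned int` (declared in the preceding hunk's context), so when the very first iteration fails (`u == 0`) the `u--` wraps to `UINT_MAX` and the cleanup loop `for (i=0;i<=u;i++)` walks far past the end of `res->ContribRow`, calling `gdFree` on memory that was never written. Drop the decrement and loop strictly below `u`: `for (i = 0; i < u; i++) { gdFree(res->ContribRow[i].Weights); }`. The `overflow2(windows_size, sizeof(double))` test does not depend on `u`, so it can be hoisted above the loop (right after the `ContribRow` allocation), which also removes the `overflow_error` flag. `_gdContributionsAlloc` starts before this hunk.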
@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx) if (tga->bits == TGA_BPP_24) { *tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]); bitmap_caret += 3; - } else if (tga->bits == TGA_BPP_32 || tga->alphabits) { + } else if (tga->bits == TGA_BPP_32 && tga->alphabits) { register int a = tga->bitmap[bitmap_caret + 3]; *tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1)); @@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga) printf("wxh: %i %i\n", tga->width, tga->height); #endif - switch(tga->bits) { - case 8: - case 16: - case 24: - case 32: - break; - default: - gd_error("bps %i not supported", tga->bits); + if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0) + || (tga->bits == TGA_BPP_32 && tga->alphabits == 8))) + { + gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n", + tga->bits, tga->alphabits); return -1; - break; } tga->ident = NULL; ++++++ gd-CVE-2016-6905.patch ++++++ 6aa343e6e195bf65fb47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org> Date: Tue, 12 Jul 2016 14:20:16 +0200 Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga --- src/gd_tga.c | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) Index: libgd-2.1.0/src/gd_tga.c =================================================================== --- libgd-2.1.0.orig/src/gd_tga.c 2016-08-08 13:15:15.053952732 +0200 +++ libgd-2.1.0/src/gd_tga.c 2016-08-08 13:16:53.639592199 +0200 @@ -196,7 +196,6 @@ int read_image_tga( gdIOCtx *ctx, oTga * int buffer_caret = 0; int bitmap_caret = 0; int i = 0; - int j = 0; uint8_t encoded_pixels; if(overflow2(tga->width, tga->height)) { 
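Review bot: The new `gd_error_ex` call in the `@@ -159,16 +159,12 @@` hunk formats `tga->bits` and `tga->alphabits` with `%u`; both fields are declared outside the hunk, and if they are a signed type the printf attribute that gd-format.patch adds to `gd_error_ex` will report a format mismatch under `-Wformat`. Either match the field type or cast explicitly: `(unsigned)tga->bits, (unsigned)tga->alphabits`. Removing the `break;` after `return -1;` is correct, that statement was unreachable. `read_header_tga` starts and ends outside the hunk.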
@@ -281,27 +280,36 @@ int read_image_tga( gdIOCtx *ctx, oTga * buffer_caret = 0; while( bitmap_caret < image_block_size ) { - + if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) { - encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 ); + encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG ) + 1 ); buffer_caret++; + if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) { + gdFree( decompression_buffer ); + gdFree( conversion_buffer ); + return -1; + } + for (i = 0; i < encoded_pixels; i++) { - for (j = 0; j < pixel_block_size; j++, bitmap_caret++) { - tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ]; - } + memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size); + bitmap_caret += pixel_block_size; } buffer_caret += pixel_block_size; + } else { encoded_pixels = decompression_buffer[ buffer_caret ] + 1; buffer_caret++; - for (i = 0; i < encoded_pixels; i++) { - for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) { - tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ]; - } - buffer_caret += pixel_block_size; + if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) { + gdFree( decompression_buffer ); + gdFree( conversion_buffer ); + return -1; } + + memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size); + bitmap_caret += (encoded_pixels * pixel_block_size); + buffer_caret += (encoded_pixels * pixel_block_size); } } ++++++ gd-aliasing.patch ++++++ Index: src/fontwheeltest.c =================================================================== --- src/fontwheeltest.c.orig 2013-12-18 11:49:47.041577398 +0100 +++ src/fontwheeltest.c 2013-12-18 11:53:52.575496376 +0100 
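Review bot: `decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG` uses logical not, so the mask is `0` whenever `TGA_RLE_FLAG` is nonzero (the preceding `==` test requires it to be), and `encoded_pixels` is always 1 for an RLE packet; the original `& 127` must become a bitwise complement, `& ~TGA_RLE_FLAG`. The two new bounds checks use `>= image_block_size`, but the `while( bitmap_caret < image_block_size )` loop can only finish normally through a packet that brings `bitmap_caret` exactly to `image_block_size`, and that packet is now rejected, so every well-formed RLE image fails; both checks should read `if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) {`. The source index is still unbounded in this hunk: the raw-packet `memcpy` reads `encoded_pixels * pixel_block_size` bytes from `decompression_buffer + buffer_caret`, so unless that buffer is known to be large enough (its allocation is outside the hunk) the same comparison should also be applied to `buffer_caret` against the buffer's length. `read_image_tga` starts and ends outside the hunk.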
@@ -32,6 +32,8 @@ doerr (err, "------------------------------------------"); for (curang = 0.0; curang < 360.0; curang += angle) { + gdPoint points[4]; + curangrads = DEGTORAD(curang); x0 = x + cos (curangrads) * offset; y0 = y - sin (curangrads) * offset; @@ -47,7 +49,15 @@ if (cp) doerr (err, cp); - gdImagePolygon (im, (gdPointPtr)brect, 4, color); + points[0].x = brect[0]; + points[0].y = brect[1]; + points[1].x = brect[2]; + points[1].y = brect[3]; + points[2].x = brect[4]; + points[2].y = brect[5]; + points[3].x = brect[6]; + points[3].y = brect[7]; + gdImagePolygon (im, points, 4, color); } fclose (err); ++++++ gd-autoconf.patch ++++++ --- configure.ac | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) Index: libgd-2.1.0/configure.ac =================================================================== --- libgd-2.1.0.orig/configure.ac +++ libgd-2.1.0/configure.ac @@ -45,7 +45,7 @@ AC_SUBST(GDLIB_AGE) FEATURES="GD_GIF GD_GIFANIM GD_OPENPOLYGON" AC_SUBST(FEATURES) -AM_INIT_AUTOMAKE([foreign dist-bzip2 dist-xz -Wall -Werror]) +AM_INIT_AUTOMAKE([foreign dist-bzip2 dist-xz -Wall]) AC_CONFIG_HEADERS([src/config.h:src/config.hin]) dnl newer automake wants this, but we still want to work with older @@ -53,6 +53,9 @@ m4_ifndef([AM_PROG_AR],[m4_define([AM_PR AM_PROG_AR AC_PROG_CC_STDC +AC_USE_SYSTEM_EXTENSIONS +AC_SYS_LARGEFILE + AM_PROG_CC_C_O AC_PROG_INSTALL AC_PROG_LIBTOOL ++++++ gd-config.patch ++++++ Index: config/gdlib-config.in =================================================================== --- config/gdlib-config.in.orig 2013-06-25 11:58:23.000000000 +0200 +++ config/gdlib-config.in 2013-12-18 10:00:24.635577307 +0100 
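Review bot: The eight `points[k].x`/`points[k].y` assignments in the second hunk are a hand-unrolled loop over `brect`, which is easy to get an index wrong in; declaring `int k;` next to `gdPoint points[4];` and writing `for (k = 0; k < 4; k++) { points[k].x = brect[2 * k]; points[k].y = brect[2 * k + 1]; }` expresses the same mapping in two lines. The enclosing loop body starts before the first hunk.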
@@ -71,7 +71,7 @@ echo @LDFLAGS@ ;; --libs) - echo -lgd @LIBS@ @LIBICONV@ + echo -lgd ;; --cflags|--includes) echo -I@includedir@ ++++++ gd-fontpath.patch ++++++ Index: src/gdft.c =================================================================== --- src/gdft.c.orig 2013-06-25 11:58:23.000000000 +0200 +++ src/gdft.c 2013-12-18 11:44:06.915533057 +0100 @@ -74,7 +74,7 @@ # define DEFAULT_FONTPATH "/usr/share/fonts/truetype:/System/Library/Fonts:/Library/Fonts" # else /* default fontpath for unix systems - whatever happened to standards ! */ -# define DEFAULT_FONTPATH "/usr/X11R6/lib/X11/fonts/TrueType:/usr/X11R6/lib/X11/fonts/truetype:/usr/X11R6/lib/X11/fonts/TTF:/usr/share/fonts/TrueType:/usr/share/fonts/truetype:/usr/openwin/lib/X11/fonts/TrueType:/usr/X11R6/lib/X11/fonts/Type1:/usr/lib/X11/fonts/Type1:/usr/openwin/lib/X11/fonts/Type1" +# define DEFAULT_FONTPATH "/usr/X11R6/lib/X11/fonts/TrueType:/usr/X11R6/lib/X11/fonts/truetype:/usr/X11R6/lib/X11/fonts/TTF:/usr/share/fonts/TrueType:/usr/share/fonts/truetype:/usr/openwin/lib/X11/fonts/TrueType:/usr/X11R6/lib/X11/fonts/Type1:/usr/lib/X11/fonts/Type1:/usr/openwin/lib/X11/fonts/Type1:/usr/share/fonts/Type1" # endif #endif ++++++ gd-format.patch ++++++ Index: src/gd_errors.h =================================================================== --- src/gd_errors.h.orig 2013-06-25 11:58:23.000000000 +0200 +++ src/gd_errors.h 2013-12-18 11:47:26.605907096 +0100 @@ -40,7 +40,7 @@ #define GD_INFO LOG_INFO #define GD_DEBUG LOG_DEBUG -void gd_error(const char *format, ...); -void gd_error_ex(int priority, const char *format, ...); +void gd_error(const char *format, ...) __attribute__((format(printf, 1, 2))); +void gd_error_ex(int priority, const char *format, ...) __attribute__((format(printf, 2, 3))); #endif
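Review bot: The gd_errors.h hunk adds `__attribute__((format(printf, ...)))` unconditionally to a public header, which ties every consumer of it to a GCC-compatible compiler; the spec's own comment on Patch2 notes that a configure check is missing. Until one exists, a `__GNUC__` guard keeps the format checking on GCC/Clang and lets other compilers see plain prototypes. Both declarations are in the hunk, so the change is local to it.
```c
#if defined(__GNUC__)
#  define GD_FORMAT_PRINTF(fmt_idx, args_idx) __attribute__((format(printf, fmt_idx, args_idx)))
#else
#  define GD_FORMAT_PRINTF(fmt_idx, args_idx)
#endif

void gd_error(const char *format, ...) GD_FORMAT_PRINTF(1, 2);
void gd_error_ex(int priority, const char *format, ...) GD_FORMAT_PRINTF(2, 3);
```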