Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)

- Fix stack based buffer overflow when passing negative `rlen` as size to
  memcpy() (CVE-2016-8670)
- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)

gd-2.2.3-dynamicGetbuf-negative-rlen.patch

@@ -0,0 +1,26 @@
+From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 12 Oct 2016 11:15:32 +0200
+Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
+
+We make sure to never pass a negative `rlen` as size to memcpy(). See
+also <https://bugs.php.net/bug.php?id=73280>.
+
+Patch provided by Emmanuel Law.
+---
+ src/gd_io_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
+index 135eda3..228bfa5 100644
+--- a/src/gd_io_dp.c
++++ b/src/gd_io_dp.c
+@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
+ 	if(remain >= len) {
+ 		rlen = len;
+ 	} else {
+-		if(remain == 0) {
++		if(remain <= 0) {
+ 			/* 2.0.34: EOF is incorrect. We use 0 for
+ 			 * errors and EOF, just like fileGetbuf,
+ 			 * which is a simple fread() wrapper.

gd-2.2.3-overflow-in-gdImageWebpCtx.patch

@@ -0,0 +1,27 @@
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index fae3861..a7ed222 100644
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -179,6 +179,22 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantiza
+ 	/* Conversion to Y,U,V buffer */
+ 	yuv_width = (width + 1) >> 1;
+ 	yuv_height = (height + 1) >> 1;
++
++	if (overflow2(width, height)) {
++		return;
++	}
++
++	if (overflow2(2, yuv_width)) {
++		return;
++	}
++
++	if (overflow2(2 * yuv_width, yuv_height)) {
++		return;
++	}
++
++	if (overflow2(width * height + 2 * yuv_width * yuv_height, 1)) {
++		return;
++	}
+ 	yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
+ 
+ 	if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {

gd.spec

@@ -5,7 +5,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.1.1
-Release:       10%{?prever}%{?short}%{?dist}
+Release:       11%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.bitbucket.org/
@@ -41,6 +41,14 @@ Patch8:        gd-2.2.3-CVE-2016-6161.patch
 # CVE-2016-6207
 # cherry-picked 0dd40 d3258 ff911 f60ec 7a28c commits from libgd master
 Patch9:        gd-2.2.3-CVE-2016-6207.patch
+# CVE-2016-7568
+Patch10:        gd-2.2.3-overflow-in-gdImageWebpCtx.patch
+# CVE-2016-8670
+Patch11:        gd-2.2.3-dynamicGetbuf-negative-rlen.patch
+# CVE-2016-6911
+# TODO - created by one of upstream maintainers, but not in upstream yet
+# https://github.com/libgd/libgd/pull/353
+Patch12:        gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
 
 
 BuildRequires: freetype-devel
@@ -107,6 +115,10 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %patch7 -p1 -b .cve-2016-5766
 %patch8 -p1 -b .cve-2016-6161
 %patch9 -p1 -b .cve-2016-6207
+%patch10 -p1 -b .gdImageWebpCtx
+%patch11 -p1 -b .dynamicGetbuf
+# Patch5 adds some non-text files (.tiff)
+patch -p1 --binary < %{PATCH12}
 
 # Workaround for missing file
 cp %{SOURCE2} config/getver.pl
@@ -179,6 +191,12 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 
 
 %changelog
+* Tue Dec 06 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-11
+- Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)
+- Fix stack based buffer overflow when passing negative `rlen` as size to
+  memcpy() (CVE-2016-8670)
+- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)
+
 * Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-10
 - Fix CVE-2016-6207