From e2ae5b49bc1e9fecc5ae1375cf4cf7ce64e49631 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Skalick=C3=BD?= <mskalick@redhat.com>
Date: Tue, 6 Dec 2016 10:41:37 +0100
Subject: [PATCH] Fix invalid read in gdImageCreateFromTiffPtr() (
 CVE-2016-6911)

- Disable tests using freetype in Fedora 26 (freetype > 2.6)
---
 ...lid-read-in-gdImageCreateFromTiffPtr.patch | Bin 0 -> 10937 bytes
 gd.spec                                       |  19 +++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch

diff --git a/gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch b/gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..78a80b447e3bcfd49d5712391ee870b6803198dd
GIT binary patch
literal 10937
zcmeHN-E-T<5r^|NA)53n>BlsE*s3!LD3TxuN}?#ms$^MmG*xVkB{!XEIxGkrNW>t(
z0YFPi?3p~}sn4BB`_}$D?Q8qo{~&LDYx>*6fubnM5^ar}htL*rxZB;^+x^|{-VL{t
zc(6iqoBbq6vv}C24^6ry+=n8WqxaoGS2ma0>%GB|>4`P{wv&k!Iv9y6*|ah0k!>}W
zs9~=(td(YyDwb_o`u?c<iEy(O+76B=h#om%;87wR4=>d7b_PyQY~no=+nD|!@cq3k
zG0M80q1jOk9cD1Ohk}&cI7vpstV&Mgk?V|7k)k;*T)$X&mAa#hqBy%y2cvA#L0^zN
z3WrIM>6q0!j+{Z@-Vs@M<QwHG9rgpaPhKq2=)H{GKFmXYoKQT<YO!DI#v`c5il-*+
zM3nVebte^7eM*#ElM{x*qr)KUlS7f{Ia%;XkT<NY4dXOd*a_2^@D|7+XyJ=Qj~|J|
z597m>`VJVfn7RVZ$b+~luP;}VCngI6sUk^4HcBE)X}G=#lMV)0W@}N{ZKqu}bsg>s
zqTckXNgVZqZjeDr-^uU=6Xo8ZgPrYdI*do5M`;#>A-U44I@1K~Wh_ESZ%MX%egYmw
zf?{8?--og8-?_CRL1C2HF6<;}TH%@cM=(e%XU=^e3Jl6w3hdnPbsaGJP7qRXzEB=Z
zvA_fNN06qNz7I5Zg^1v-VVq<zO81y{x{1>d2DBB{_MKz&!L+GxM}WiedKh$jo*5@S
zQ?J!(I;DwQ?|Gdd?s!AfrE@=zi5iPkk)KH>hV?}}1SY$sn7|1>{^*p6G)wEuTHpN8
zc_?<VWm7Xd$|j};FEyxgiumlVQrd!e3B*_UJY8O=k?+&TbPM3KsJ2GUrnLZzLgh<X
z?K7+kcKb@4&2u=H3(gk#L5LXPVq5fhS1h-%F;bCaK^&z<1$(*CB2NHLvZGek6|86w
zdx9F4wY0D>Y4UTdI5Uef)a-n@m1gJ5ZKUfShtXQC7i8qrr-0j?>d=G86Gvp*%U$1D
zG)>_-wh&!q62|@+89E?DXXLD}Q_Ws#R+p&4j~1aL%@E{VdK4ogsF1if%HXBMNV8<*
zW}F}HZDvO_?`B6F%%CxRQ*wqw5qY=sfNXdetgU&&D!to<C(ElkJ<&<8)aS9EImmIa
z5)_S)!4RGO92Vrb*$6@RScd3TAT^F?>)y6ZDk4b`$mi?W*tw28_35asR70{NshnKJ
zJc4qrXDA|Q`WcjE)&#FrOf+zUXjPZCXxUX8`^|1OtM=lAHJ)*%5?g_8lHm=d$)H!6
z6@xKK-Vg(YmC&JAN{Ef1l(~i8$J!r1E>aDxffgeOtKoj|sVHL+l~PHCYikuRPjti-
z^zdp}GN{A27q~eC)e2EOci<a}5OUcl(k3M~2w3sWL{CVBNKc=kIl=J$O|qE0Rw|X?
zOWU-}=E92f5l8Nb6Avm2laLlr17H=%zLJ{eNqUgW0*@K0^vNjAC=4D784L0xUM-08
z6bYdYrNLkrf(Xm^kVp;_##(|X4<#V>;MOgZ?j=Dlh@22rL{FuR6}s(2fe2|cKI|d+
znG7E08QYDpguC|+r1}_xNl(Uj-3(bglwk^}z&2<6RgrL_wR7E++jY``ll~}tHxL7N
zcx*_t8aZ;yWEi~lXuizco|8FLDLjb?$%^sT0-AEzRBp;Xbe$VfR8|`Yg8W^@lkS4w
z5KB$dZ2Gq4E}kDx6vwG>qWX9TwHDhPP53bxO?dyDQxnMQWS+oZEvio5y1{_s3G?(t
z(CcTwWH6|$rN_L|5&D}p@uo(lHPMrx%HWN_eCfz_MVhi1h+&$dghN>vBgVRM7>^Pf
zhy-xyaeT>~q=%ZNhvJtjq8yb#9}stl|0pd`3ym^J0@mC($^>Sp$uS2lR3O7dAaQY_
zhmhuk!@fh(Rig+sm+Zt=KuGGxG0I{YYFe#EwXqCKamcZzLd~qEDnNVZc4vEIXZOMV
zEw&4Tv{qsppDy8~xeo&`>sOV5xsqjTR<XBN^%}UaX^msp-CCt%#G>2}Xjdv~^D_a5
zHV_<vK#D_iJkC}}JVQDwYH=sz?R$)36;%;R#W0Lr957^IeW=_r-uyE3aQu+exue8*
z`@++hI@kGk&~rYYA6w(7{Cg|_+n5Oq>xh%8tYQ&dHVlSHxlDDkb0Wq<0>Ykmkc`A8
zziqJh3^p1#?&loULc*P?_glrgqs%5_VhS(~gCoQpg*6}~KWF67Q$a|bg!V<Y$HYc3
zs1ow2f_x2juTi5aWh4+^DJf7x-`RZ1$+yBA1L;M{Q2FEOUgl`{R5vrhv-(-`a!TMF
zbDpCm0Xytzo|Z(Hx>{0QtFJ31nJZ*yx!l`w{+Zn^vrqoTJ6T58wuP`-X|+$+YR?c|
z^RO7jhe(x-SA|rLipaCr6nPZuBENXN`w|4eAVRs$<yT3qMedbbibUd9auq$>q0{4i
zF%g~iA8c-J?e8<1RSrIh)H2uB=TGOYi%(SD`h{aEpIJ?RscE^Ux!myWrqw)MA79L!
z=eCQ-*%J-Uat)c|blTaL0i&~h@4?;MNL{--`v=Cx-rm;T+jOwCf3V-#-r3#Shv7I=
zc7lN&3}Au$CBJ-;cPRxyGz!C_?F|E+$`=~tj0~JvPg&+10zDFkvf!FLNEJ4-<i|9-
z!dq-Ex8-4??ukcrsni+MoF|^`V^uA-4-T*E>s<8fm5;=G2@)hu$c!g>QNj6uUrt?C
z<fp<SY2;TEPIQcfJ&2Rz{B9tv>J=^`$JZS(%0V1kkj#6D;|d=JJeKzjDH(w&%%Zy3
z#FSHaTG#;cIHFhXKG@wYn|g%{LA~-z)Ux3S2hBO$DfH(~cknV~CsR(InB=WUhu5I$
zwl1!Ca786J1}nl81$+m`53Ih!f+opTS%a`ItG-EYo{D!m7x=h}t9+(c_*!9N#<?@z
zP{-Lhp8ay-{0w_V;{4z$iF4U%L-)M9qro<=b4G|P22ac<lPjBPye<`E@_KNrK9|Bp
z<tJC9jL8oW<(lvdvc{Bw-z{pKNu#n+aGk^@zy+6{EUZf7dOR0W*b{{V9JrD4wFLqo
z-MmQ>MM_^BSOnMeD6P&KLTNswW$yQjU@*2$PR2N6aH;7y%Fw(&RIh3RaWw4Yi@@Pp
zw#J4k_~rU}CEF0V=VX1`kXV{SVK{+bHkQxFRv-H<G79c0%_ZG2YEGF1)W0|}31Xg~
z3h~hJaV=m~X@6_$*Bt~&woR!}lf`Eu3_&FO&vNW<9q>r*Yh@{L4P-@W6mpn^6+Wd;
zK|P@q(-el`x!E7a*#2y|*f-`?2aa5Y{3=Xw?i?q=ZjOmh^!42kX8^T0o?Bw1Fy#rI
z+D(NpEau78lR$CZ_w-Cq+;v?g9S93oO|9<C>7bZnA}2IuO4!+%*FN};rhWbG=adEh
z`!)YN`?;w9Eam^F=c@W$mF`8Y;#u{1R=(?6*LBT*U2?8#UEfqWFUn5WJ<oN^yQ+Vl
zci!jazp9>>(aoyItn`=7e_i93>2=xob?NcEa;Ej1et%y1FN(j=yLi5+d9Q1pX}zc4
zuWO!f<viU2Z)@6(m$e(3ru`IuH&pw3XupK^D|p_0L(^VX{Y>|oYQKcGUYQtp^Ttcs
zhv@th7=Cc$6)E)fCtv*K#}hO^Qf(Go^v|RH6Ggv{lKy8mUX{FSkn@geZ=?P52|30@
zyNos~1NF5v&~y6>(EkeU*U<jWA2sd1qR;6x?E^`D^8CJ*|HF#@^*6TI=l}lnfS=kw
z{=O@pfBy1Ietz!z@AC62<Kyqi_jlgh<EQr9wxq8QqO6`c10TQRz=60?Px)Ng!C!r$
zwXm?f)V3Y`7{{?}+wnxh_m@1e*zG!2(_U^0+v~O)X8NcnfBB%v?-`D5>ZcZ$9NW}S
z4X$!*Yd06%rdXW)*rw(<_t^Gb*#2{k_Lg5i0Uraa03Z8|!6*CBF2MIH+6DMtM*Cdw
z{Q+EK@PX)uQqW(eumXH6xB#C<C*XT+Mf<0O9}~QSuL6B<pgjxv_CQ~t5AxTc125`r
zmW$6c_!>)^=6Ra-)>|07DgZzJ%9t5|%a+$%Y%jK&4cBQ4z|d{m0?>0B{*vR{EvM@=
zT8)<33;Y~_Ghk2sSmzS#sh_J{1$(w7yyaG7cI>G+zA4y~NYXCFo~Hc=fp1j;^#x+D
R*?b1<T|M}XW8du1`yU^vP8a|H

literal 0
HcmV?d00001

diff --git a/gd.spec b/gd.spec
index 1b1c992..d7d725f 100644
--- a/gd.spec
+++ b/gd.spec
@@ -5,7 +5,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.2.3
-Release:       4%{?prever}%{?short}%{?dist}
+Release:       5%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.github.io/
@@ -21,6 +21,9 @@ Patch1:        gd-2.1.0-multilib.patch
 Patch2:        gd-2.2.3-tests.patch
 Patch3:        gd-2.2.3-overflow-in-gdImageWebpCtx.patch
 Patch4:        gd-2.2.3-dynamicGetbuf-negative-rlen.patch
+# TODO - created by one of upstream maintainers, but not in upstream yet
+# https://github.com/libgd/libgd/pull/353
+Patch5:        gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
 
 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@@ -82,6 +85,16 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %patch2 -p1 -b .build
 %patch3 -p1 -b .gdImageWebpCtx
 %patch4 -p1 -b .dynamicGetbuf
+# Patch5 adds some non-text files (.tiff)
+patch -p1 --binary < %{PATCH5}
+
+%if 0%{?fedora} >= 26
+# TODO - tests using freetype 2.7 are failing
+# https://github.com/libgd/libgd/issues/302
+# https://github.com/libgd/libgd/issues/217
+sed -i -e "s|libgd_test_programs +=|libgd_freetype_test_program =|" tests/freetype/Makemodule.am
+sed -i -e "s|libgd_test_programs +=|libgd_freetype_test_program +=|" tests/gdimagestringft/Makemodule.am
+%endif
 
 : $(perl config/getver.pl)
 
@@ -156,6 +169,10 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 
 
 %changelog
+* Tue Dec 06 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-5
+- Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)
+- Disable tests using freetype in Fedora 26 (freetype > 2.6)
+
 * Mon Dec 05 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-4
 - Fix stack based buffer overflow when passing negative `rlen` as size to
   memcpy() (CVE-2016-8670)