Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)

- Fix stack based buffer overflow when passing negative `rlen` as size to
  memcpy() (CVE-2016-8670)
- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)

gd-2.1.1-CVE-2015-8874.patch

@@ -0,0 +1,31 @@
+From 4d29684fd4ddbd6bb4dbde805f0fdaa84b0f66f2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Fri, 20 May 2016 09:39:38 +0200
+Subject: [PATCH] CVE-2015-8874
+
+---
+ src/gd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/gd.c b/src/gd.c
+index 300dfce..0603247 100644
+--- a/src/gd.c
++++ b/src/gd.c
+@@ -1938,6 +1938,17 @@ BGD_DECLARE(void) gdImageFillToBorder (gdImagePtr im, int x, int y, int border,
+ 	restoreAlphaBleding = im->alphaBlendingFlag;
+ 	im->alphaBlendingFlag = 0;
+ 
++	if (x >= im->sx) {
++		x = im->sx - 1;
++	} else if (x < 0) {
++		x = 0;
++	}
++	if (y >= im->sy) {
++		y = im->sy - 1;
++	} else if (y < 0) {
++		y = 0;
++	}
++	
+ 	for (i = x; (i >= 0); i--) {
+ 		if (gdImageGetPixel (im, i, y) == border) {
+ 			break;

gd-2.1.1-CVE-2016-5766.patch

@@ -0,0 +1,37 @@
+Backported for 2.1, without binary patch, from:
+
+
+From 78d83ac76c16d269b538a7cef4120a5fb5177b6d Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 28 Jun 2016 16:23:42 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+ _gd2GetHeader() resulting in heap overflow
+
+---
+ src/gd_gd2.c                    |   5 ++++-
+ tests/gd2/CMakeLists.txt        |   1 +
+ tests/gd2/Makemodule.am         |   6 ++++--
+ tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
+ tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
+ 5 files changed, 30 insertions(+), 3 deletions(-)
+ create mode 100644 tests/gd2/php_bug_72339.c
+ create mode 100644 tests/gd2/php_bug_72339_exp.gd2
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index fd1e0c9..bdbbecf 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ 		nc = (*ncx) * (*ncy);
+ 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ 		sidx = sizeof (t_chunk_info) * nc;
++		if (overflow2(sidx, nc)) {
++			goto fail1;
++		}
+ 		cidx = gdCalloc (sidx, 1);
+-		if (!cidx) {
++		if (cidx == NULL) {
+ 			goto fail1;
+ 		}
+ 		for (i = 0; i < nc; i++) {
+

gd-2.1.1-gdImagreScaleTwoPass-leak.patch

@@ -0,0 +1,27 @@
+From 4751b606fa38edc456d627140898a7ec679fcc24 Mon Sep 17 00:00:00 2001
+From: Vladimir Mitrovic <vladimir.x.mitrovic@gmail.com>
+Date: Wed, 5 Aug 2015 03:01:06 +0200
+Subject: [PATCH] gdImageScaleTwoPass memory leak fix
+
+Fixing memory leak in gdImageScaleTwoPass, as reported by @cmb69 and
+confirmed by @vapier.  This bug actually bit me in production and I'm
+very thankful that it was reported with an easy fix.
+
+Fixes #173.
+---
+ src/gd_interpolation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index fcc11e6..f00c946 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -1087,7 +1087,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+     }/* if */
+ 
+     if (src != tmp_im) {
+-        gdFree(tmp_im);
++        gdImageDestroy(tmp_im);
+     }/* if */
+ 
+ 	return dst;

gd-2.1.1-xbm-large-names-overflow.patch

@@ -0,0 +1,89 @@
+From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 14 May 2016 01:38:18 -0400
+Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
+
+We use the name passed in to printf into a local stack buffer which is
+limited to 4000 bytes.  So given a large enough value, lots of stack
+data is leaked.  Rewrite the code to do simple memory copies with most
+of the strings to avoid that issue, and only use stack buffer for small
+numbers of constant size.
+
+This closes #211.
+---
+ src/gd_xbm.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 74d839b..d28fdfc 100644
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ /* {{{ gdCtxPrintf */
+ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
+ {
+-	char buf[4096];
++	char buf[1024];
+ 	int len;
+ 	va_list args;
+ 
+@@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
+ }
+ /* }}} */
+ 
++/* The compiler will optimize strlen(constant) to a constant number. */
++#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s))
++
+ /* {{{ gdImageXbmCtx */
+ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
+ {
+@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
+ 		}
+ 	}
+ 
+-	gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image));
+-	gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image));
+-	gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n  ", name);
++	/* Since "name" comes from the user, run it through a direct puts.
++	 * Trying to printf it into a local buffer means we'd need a large
++	 * or dynamic buffer to hold it all. */
++
++	/* #define <name>_width 1234 */
++	gdCtxPuts(out, "#define ");
++	gdCtxPuts(out, name);
++	gdCtxPuts(out, "_width ");
++	gdCtxPrintf(out, "%d\n", gdImageSX(image));
++
++	/* #define <name>_height 1234 */
++	gdCtxPuts(out, "#define ");
++	gdCtxPuts(out, name);
++	gdCtxPuts(out, "_height ");
++	gdCtxPrintf(out, "%d\n", gdImageSY(image));
++
++	/* static unsigned char <name>_bits[] = {\n */
++	gdCtxPuts(out, "static unsigned char ");
++	gdCtxPuts(out, name);
++	gdCtxPuts(out, "_bits[] = {\n  ");
+ 
+ 	free(name);
+ 
+@@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
+ 			if ((b == 128) || (x == sx && y == sy)) {
+ 				b = 1;
+ 				if (p) {
+-					gdCtxPrintf(out, ", ");
++					gdCtxPuts(out, ", ");
+ 					if (!(p%12)) {
+-						gdCtxPrintf(out, "\n  ");
++						gdCtxPuts(out, "\n  ");
+ 						p = 12;
+ 					}
+ 				}
+@@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
+ 			}
+ 		}
+ 	}
+-	gdCtxPrintf(out, "};\n");
++	gdCtxPuts(out, "};\n");
+ }
+ /* }}} */

gd-2.2.3-CVE-2016-6161.patch

@@ -0,0 +1,119 @@
+From 82b80dcb70a7ca8986125ff412bceddafc896842 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 14 May 2016 02:13:15 -0400
+Subject: [PATCH] gif: avoid out-of-bound reads of masks array #209
+
+When given invalid inputs, we might be fed the EOF marker before it is
+actually the EOF.  The gif logic assumes once it sees the EOF marker,
+there won't be any more data, so it leaves the cur_bits index possibly
+negative.  So when we get more data, we underflow the masks array.
+
+Flag it so we don't try to output anything more.  The image is invalid,
+so we shouldn't be truncating any valid inputs.
+
+This fixes #209.
+---
+ src/gd_gif_out.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+ 
+From 315dbfb0e75895e3ba84f649c491956e75f1106c Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 19 Jul 2016 10:43:55 +0200
+Subject: [PATCH] Add test case for issue #209
+
+---
+ tests/gif/.gitignore     |   1 +
+ tests/gif/CMakeLists.txt |   1 +
+ tests/gif/Makemodule.am  |   4 +++-
+ tests/gif/bug00209.c     |  29 +++++++++++++++++++++++++++++
+ tests/gif/bug00209.gd2   | Bin 0 -> 1050 bytes
+ 5 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gif/bug00209.c
+ create mode 100644 tests/gif/bug00209.gd2
+
+diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
+index 51ceb75..3099d49 100644
+--- a/src/gd_gif_out.c
++++ b/src/gd_gif_out.c
+@@ -1442,15 +1442,23 @@ static void compress(int init_bits, gdIOCtxPtr outfile, gdImagePtr im, GifCtx *c
+  * code in turn.  When the buffer fills up empty it and start over.
+  */
+ 
+-static unsigned long masks[] = {
++static const unsigned long masks[] = {
+ 	0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
+ 	0x001F, 0x003F, 0x007F, 0x00FF,
+ 	0x01FF, 0x03FF, 0x07FF, 0x0FFF,
+ 	0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF
+ };
+ 
++/* Arbitrary value to mark output is done.  When we see EOFCode, then we don't
++ * expect to see any more data.  If we do (e.g. corrupt image inputs), cur_bits
++ * might be negative, so flag it to return early.
++ */
++#define CUR_BITS_FINISHED -1000
++
+ static void output(code_int code, GifCtx *ctx)
+ {
++	if (ctx->cur_bits == CUR_BITS_FINISHED)
++		return;
+ 	ctx->cur_accum &= masks[ctx->cur_bits];
+ 
+ 	if(ctx->cur_bits > 0) {
+@@ -1492,6 +1500,8 @@ static void output(code_int code, GifCtx *ctx)
+ 			ctx->cur_accum >>= 8;
+ 			ctx->cur_bits -= 8;
+ 		}
++		/* Flag that it's done to prevent re-entry. */
++		ctx->cur_bits = CUR_BITS_FINISHED;
+ 
+ 		flush_char(ctx);
+ 	}
+
+diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
+index 92010c3..d26b1fe 100644
+--- a/tests/gif/CMakeLists.txt
++++ b/tests/gif/CMakeLists.txt
+@@ -7,6 +7,7 @@ LIST(APPEND TESTS_FILES
+ 	bug00060
+ 	bug00066
+ 	bug00181
++	bug00209
+ 	bug00227
+ )
+ 
+diff --git a/tests/gif/bug00209.c b/tests/gif/bug00209.c
+new file mode 100644
+index 0000000..6eafc32
+--- /dev/null
++++ b/tests/gif/bug00209.c
+@@ -0,0 +1,29 @@
++/* Test case for  <https://github.com/libgd/libgd/issues/209>. */
++
++#include "gd.h"
++#include "gdtest.h"
++
++int main()
++{
++    gdImagePtr im;
++    FILE *fp;
++
++    /* printf("start\n"); */
++
++    fp = gdTestFileOpen("gif/bug00209.gd2");
++    gdTestAssert(fp != NULL);
++    im = gdImageCreateFromGd2(fp);
++    gdTestAssert(im != NULL);
++    fclose(fp);
++    /* printf("loaded\n"); */
++
++    fp = gdTestTempFp();
++    gdTestAssert(fp != NULL);
++    gdImageGif(im, fp);
++    fclose(fp);
++    /* printf("saved\n"); */
++
++    gdImageDestroy(im);
++
++    return gdNumFailures();
++}

gd-2.2.3-CVE-2016-6207.patch

@@ -0,0 +1,108 @@
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index a829d4f..ed2b743 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -888,6 +888,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ {
+ 	unsigned int u = 0;
+ 	LineContribType *res;
++	int overflow_error = 0;
+ 
+ 	res = (LineContribType *) gdMalloc(sizeof(LineContribType));
+ 	if (!res) {
+@@ -895,10 +896,31 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ 	}
+ 	res->WindowSize = windows_size;
+ 	res->LineLength = line_length;
++	if (overflow2(line_length, sizeof(ContributionType))) {
++		gdFree(res);
++		return NULL;
++	}
+ 	res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
+-
++	if (res->ContribRow == NULL) {
++		gdFree(res);
++		return NULL;
++	}
+ 	for (u = 0 ; u < line_length ; u++) {
+-		res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
++		if (overflow2(windows_size, sizeof(double))) {
++			overflow_error = 1;
++		} else {
++			res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
++		}
++		if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
++			unsigned int i;
++			u--;
++			for (i=0;i<=u;i++) {
++				gdFree(res->ContribRow[i].Weights);
++			}
++			gdFree(res->ContribRow);
++			gdFree(res);
++			return NULL;
++		}
+ 	}
+ 	return res;
+ }
+@@ -931,7 +953,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
+ 
+ 	windows_size = 2 * (int)ceil(width_d) + 1;
+ 	res = _gdContributionsAlloc(line_size, windows_size);
+-
++	if (res == NULL) {
++		return NULL;
++	}
+ 	for (u = 0; u < line_size; u++) {
+ 		const double dCenter = (double)u / scale_d;
+ 		/* get the significant edge points affecting the pixel */
+@@ -1036,7 +1060,6 @@ _gdScalePass(const gdImagePtr pSrc, const unsigned int src_len,
+         _gdScaleOneAxis(pSrc, pDst, dst_len, line_ndx, contrib, axis);
+ 	}
+ 	_gdContributionsFree (contrib);
+-
+     return 1;
+ }/* _gdScalePass*/
+ 
+@@ -1049,6 +1072,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+     const unsigned int src_height = src->sy;
+ 	gdImagePtr tmp_im = NULL;;
+ 	gdImagePtr dst = NULL;
++	int scale_pass_res;
+ 
+     /* First, handle the trivial case. */
+     if (src_width == new_width && src_height == new_height) {
+@@ -1070,7 +1094,11 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+         }
+         gdImageSetInterpolationMethod(tmp_im, src->interpolation_id);
+ 
+-        _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
++		scale_pass_res = _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
++		if (scale_pass_res != 1) {
++			gdImageDestroy(tmp_im);
++			return NULL;
++		}
+     }/* if .. else*/
+ 
+     /* If vertical sizes match, we're done. */
+@@ -1083,11 +1111,18 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+ 	dst = gdImageCreateTrueColor(new_width, new_height);
+ 	if (dst != NULL) {
+         gdImageSetInterpolationMethod(dst, src->interpolation_id);
+-        _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
++        scale_pass_res = _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
++		if (scale_pass_res != 1) {
++			gdImageDestroy(dst);
++			if (src != tmp_im && tmp_im != NULL) {
++				gdImageDestroy(tmp_im);
++			}
++			return NULL;
++	   }
+     }/* if */
+ 
+-    if (src != tmp_im) {
+-        gdFree(tmp_im);
++	if (tmp_im != NULL && src != tmp_im) {
++        gdImageDestroy(tmp_im);
+     }/* if */
+ 
+ 	return dst;

gd-2.2.3-dynamicGetbuf-negative-rlen.patch

@@ -0,0 +1,26 @@
+From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 12 Oct 2016 11:15:32 +0200
+Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
+
+We make sure to never pass a negative `rlen` as size to memcpy(). See
+also <https://bugs.php.net/bug.php?id=73280>.
+
+Patch provided by Emmanuel Law.
+---
+ src/gd_io_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
+index 135eda3..228bfa5 100644
+--- a/src/gd_io_dp.c
++++ b/src/gd_io_dp.c
+@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
+ 	if(remain >= len) {
+ 		rlen = len;
+ 	} else {
+-		if(remain == 0) {
++		if(remain <= 0) {
+ 			/* 2.0.34: EOF is incorrect. We use 0 for
+ 			 * errors and EOF, just like fileGetbuf,
+ 			 * which is a simple fread() wrapper.

gd-2.2.3-overflow-in-gdImageWebpCtx.patch

@@ -0,0 +1,27 @@
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index fae3861..a7ed222 100644
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -179,6 +179,22 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantiza
+ 	/* Conversion to Y,U,V buffer */
+ 	yuv_width = (width + 1) >> 1;
+ 	yuv_height = (height + 1) >> 1;
++
++	if (overflow2(width, height)) {
++		return;
++	}
++
++	if (overflow2(2, yuv_width)) {
++		return;
++	}
++
++	if (overflow2(2 * yuv_width, yuv_height)) {
++		return;
++	}
++
++	if (overflow2(width * height + 2 * yuv_width * yuv_height, 1)) {
++		return;
++	}
+ 	yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
+ 
+ 	if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {

gd-heap-overflow.patch

@@ -0,0 +1,59 @@
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 6f28461..a50b33d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ 			if (gdGetInt (&cidx[i].size, in) != 1) {
+ 				goto fail2;
+ 			};
++			if (cidx[i].offset < 0 || cidx[i].size < 0)
++				goto fail2;
+ 		};
+ 		*chunkIdx = cidx;
+ 	};
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index ed2c35b..b582266 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -129,7 +129,8 @@ endif
+ 
+ if HAVE_LIBZ
+ check_PROGRAMS += \
+-	gd2/gd2_null
++	gd2/gd2_null \
++	gd2/gd2_read_corrupt
+ endif
+ 
+ if HAVE_LIBPNG
+diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
+new file mode 100644
+index 0000000..11f6a67
+--- /dev/null
++++ b/tests/gd2/gd2_read_corrupt.c
+@@ -0,0 +1,25 @@
++/* Just try to read the invalid gd2 image & not crash. */
++#include "gd.h"
++#include <stdio.h>
++#include <stdlib.h>
++#include "gdtest.h"
++
++int main()
++{
++	gdImagePtr im;
++	FILE *fp;
++	char path[1024];
++
++	/* Read the corrupt image. */
++	sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
++	fp = fopen(path, "rb");
++	if (!fp) {
++		printf("failed, cannot open file\n");
++		return 1;
++	}
++	im = gdImageCreateFromGd2(fp);
++	fclose(fp);
++
++	/* Should have failed & rejected it. */
++	return im == NULL ? 0 : 1;
++}
+

gd.spec

@@ -5,7 +5,7 @@
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
 Version:       2.1.1
-Release:       4%{?prever}%{?short}%{?dist}
+Release:       11%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.bitbucket.org/
@@ -18,9 +18,38 @@ Source0:       https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}%{
 %endif
 # Missing in official archive, need for autoreconf
 Source2:       getver.pl
+# Test data for CVE-2016-3074 test
+Source3:       invalid_neg_size.gd2
+# Test data for CVE-2016-6161 test
+Source4:       bug00209.gd2
 
 Patch1:        gd-2.1.0-multilib.patch
 Patch2:        gd-2.1.1-libvpx.patch
+# CVE-2016-3074
+Patch3:        gd-heap-overflow.patch
+# CVE-2015-8877
+# (included in patch gd-2.2.3-CVE-2016-6207.patch)
+#Patch4:        gd-2.1.1-gdImagreScaleTwoPass-leak.patch
+# CVE-2016-5116
+Patch5:        gd-2.1.1-xbm-large-names-overflow.patch
+# CVE-2015-8874
+Patch6:        gd-2.1.1-CVE-2015-8874.patch
+# CVE-2016-5766
+Patch7:        gd-2.1.1-CVE-2016-5766.patch
+# CVE-2016-6161
+Patch8:        gd-2.2.3-CVE-2016-6161.patch
+# CVE-2016-6207
+# cherry-picked 0dd40 d3258 ff911 f60ec 7a28c commits from libgd master
+Patch9:        gd-2.2.3-CVE-2016-6207.patch
+# CVE-2016-7568
+Patch10:        gd-2.2.3-overflow-in-gdImageWebpCtx.patch
+# CVE-2016-8670
+Patch11:        gd-2.2.3-dynamicGetbuf-negative-rlen.patch
+# CVE-2016-6911
+# TODO - created by one of upstream maintainers, but not in upstream yet
+# https://github.com/libgd/libgd/pull/353
+Patch12:        gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
+
 
 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@@ -79,10 +108,22 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %setup -q -n libgd-%{version}%{?prever:-%{prever}}
 %patch1 -p1 -b .mlib
 %patch2 -p1 -b .vpx
+%patch3 -p1
+#%patch4 -p1 -b .image-scale
+%patch5 -p1 -b .xbm-overflow
+%patch6 -p1 -b .cve-2015-8874
+%patch7 -p1 -b .cve-2016-5766
+%patch8 -p1 -b .cve-2016-6161
+%patch9 -p1 -b .cve-2016-6207
+%patch10 -p1 -b .gdImageWebpCtx
+%patch11 -p1 -b .dynamicGetbuf
+# Patch5 adds some non-text files (.tiff)
+patch -p1 --binary < %{PATCH12}
 
 # Workaround for missing file
 cp %{SOURCE2} config/getver.pl
 
+
 : $(perl config/getver.pl)
 
 : regenerate autotool stuff
@@ -117,6 +158,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a
 
 
 %check
+cp %SOURCE3 tests/gd2/
+cp %SOURCE4 tests/gif/
+
 : Upstream test suite
 make check
 
@@ -147,6 +191,31 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 
 
 %changelog
+* Tue Dec 06 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-11
+- Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)
+- Fix stack based buffer overflow when passing negative `rlen` as size to
+  memcpy() (CVE-2016-8670)
+- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)
+
+* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-10
+- Fix CVE-2016-6207
+
+* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-9
+- Fix out of bounds read when encoding gif from malformed input with gd2togif
+  (CVE-2016-6161)
+
+* Tue Jun 28 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-8
+- fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)
+
+* Fri Jun 24 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-7
+- fix for stack overflow with gdImageFillToBorder (CVE-2015-8874)
+
+* Tue May 31 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-6
+- Backported fixes of two memory leaks (CVE-2015-8877, CVE-2016-5116)
+
+* Thu Apr 28 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-5
+- Fixed heap overflow (CVE-2016-3074)
+
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild