Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx

fix double-free in gdImagePngPtr(). CVE-2017-6362
fix buffer over-read into uninitialized memory. CVE-2017-7890

(cherry picked from commit 49b4f7faf0)

.gitignore

@@ -8,3 +8,4 @@ gd-2.0.35.tar.bz2
 /libgd-2.2.2.tar.xz
 /libgd-2.2.3.tar.xz
 /libgd-2.2.4.tar.xz
+/libgd-2.2.5.tar.xz

gd-2.2.3-tests.patch

@@ -1,42 +0,0 @@
-From 2b3dd57a6ccb2940f2e9119ae04e14362e2a1f61 Mon Sep 17 00:00:00 2001
-From: Remi Collet <fedora@famillecollet.com>
-Date: Fri, 22 Jul 2016 08:14:12 +0200
-Subject: [PATCH] Fix gd2/gd2_read.c:8:6: error: 'error' may be used
- uninitialized in this function [-Werror=maybe-uninitialized]
-
-Also report about any error, not only the last one.
----
- tests/gd2/gd2_read.c | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/tests/gd2/gd2_read.c b/tests/gd2/gd2_read.c
-index 94fe069..8ce8bd1 100644
---- a/tests/gd2/gd2_read.c
-+++ b/tests/gd2/gd2_read.c
-@@ -5,7 +5,7 @@
- 
- int main(int argc, char *argv[])
- {
--	int error, i = 0;
-+	int error = 0, i = 0;
- 	gdImagePtr im, exp;
- 	FILE *fp;
- 	char *path[] = {
-@@ -40,8 +40,6 @@ int main(int argc, char *argv[])
- 				gdTestErrorMsg("image %s differs from expected result\n", path[i]);
- 				gdImageDestroy(im);
- 				error = 1;
--			} else {
--				error = 0;
- 			}
- 			if (exp) {
- 				gdImageDestroy(exp);
-@@ -52,8 +50,6 @@ int main(int argc, char *argv[])
- 				gdTestErrorMsg("image %s should have failed to be loaded\n", path[i]);
- 				gdImageDestroy(im);
- 				error = 1;
--			} else {
--				error = 0;
- 			}
- 		}
- 		i++;

gd-2.2.4-upstream.patch

@@ -1,50 +0,0 @@
-From c9b601a658a79e6ea2aad29fbf60ca6e24ccef1e Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Wed, 18 Jan 2017 13:59:02 +0100
-Subject: [PATCH] Fix build issue regarding INT_MAX
-
-For portability gd_gd2.c needs to include <limits.h>.
----
- src/gd_gd2.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index c2904ca..049c4c5 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -74,6 +74,7 @@
- 
- /* 2.0.29: no more errno.h, makes windows happy */
- #include <math.h>
-+#include <limits.h>
- #include <string.h>
- #include "gd.h"
- #include "gd_errors.h"
-
-
-From 55ac28a293eaa8c531870c8bb8ecc04b333975f4 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Thu, 19 Jan 2017 01:02:58 +0100
-Subject: [PATCH] Fix #357: 2.2.4: Segfault in test suite.
-
-We make sure to never pass a negative `int` as argument to a `size_t`
-parameter.
----
- src/gd_io_dp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
-index eda2eeb..cb38794 100644
---- a/src/gd_io_dp.c
-+++ b/src/gd_io_dp.c
-@@ -292,6 +292,10 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
- 		rlen = dp->realSize - dp->pos;
- 	}
- 
-+	if (rlen < 0) {
-+		return 0;
-+	}
-+
- 	memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);
- 	dp->pos += rlen;
- 

gd-2.2.5-upstream.patch

@@ -0,0 +1,62 @@
+From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop.  Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+ src/gd_gif_in.c             |  12 ++++++------
+ tests/gif/.gitignore        |   1 +
+ tests/gif/CMakeLists.txt    |   1 +
+ tests/gif/Makemodule.am     |   2 ++
+ tests/gif/php_bug_75571.c   |  28 ++++++++++++++++++++++++++++
+ tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes
+ 6 files changed, 38 insertions(+), 6 deletions(-)
+ create mode 100644 tests/gif/php_bug_75571.c
+ create mode 100644 tests/gif/php_bug_75571.gif
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index daf26e79..0a8bd717 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ 		return 0;
+ 	}
+ 
+-	if(!im->colorsTotal) {
+-		gdImageDestroy(im);
+-		return 0;
+-	}
+-
+ 	/* Check for open colors at the end, so
+ 	 * we can reduce colorsTotal and ultimately
+ 	 * BitsPerPixel */
+@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ 		}
+ 	}
+ 
++	if(!im->colorsTotal) {
++		gdImageDestroy(im);
++		return 0;
++	}
++
+ 	return im;
+ }
+ 
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ 	int i, j, ret;
+-	unsigned char count;
++	int count;
+ 
+ 	if(flag) {
+ 		scd->curbit = 0;
+ 

gd.spec

@@ -1,11 +1,7 @@
-#global prever    rc2
-#global commit    725ba9de4005144d137d2a7a70f760068fc3d306
-#global short     %(c=%{commit}; echo ${c:0:7})
-
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
-Version:       2.2.4
-Release:       3%{?prever}%{?short}%{?dist}
+Version:       2.2.5
+Release:       2%{?prever}%{?short}%{?dist}
 Group:         System Environment/Libraries
 License:       MIT
 URL:           http://libgd.github.io/
@@ -18,8 +14,8 @@ Source0:       https://github.com/libgd/libgd/releases/download/gd-%{version}/li
 %endif
 
 Patch1:        gd-2.1.0-multilib.patch
-Patch2:        gd-2.2.3-tests.patch
-Patch3:        gd-2.2.4-upstream.patch
+# CVE-2018-5711 - https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
+Patch2:        gd-2.2.5-upstream.patch
 
 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@@ -80,16 +76,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %prep
 %setup -q -n libgd-%{version}%{?prever:-%{prever}}
 %patch1 -p1 -b .mlib
-%patch2 -p1 -b .build
-%patch3 -p1 -b .upstream
-
-%if 0%{?fedora} >= 26
-# TODO - tests using freetype 2.7 are failing
-# https://github.com/libgd/libgd/issues/302
-# https://github.com/libgd/libgd/issues/217
-sed -i -e "s|libgd_test_programs +=|libgd_freetype_test_program =|" tests/freetype/Makemodule.am
-sed -i -e "s|libgd_test_programs +=|libgd_freetype_test_program +=|" tests/gdimagestringft/Makemodule.am
-%endif
+%patch2 -p1 -b .upstream
 
 : $(perl config/getver.pl)
 
@@ -138,11 +125,6 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a
 # See https://github.com/libgd/libgd/issues/359
 XFAIL_TESTS="gdimagegrayscale/basic $XFAIL_TESTS"
 %endif
-%if 0%{?fedora} >= 26
-# See https://github.com/libgd/libgd/issues/363
-XFAIL_TESTS="freetype/bug00132 $XFAIL_TESTS"
-XFAIL_TESTS="gdimagestringft/gdimagestringft_bbox $XFAIL_TESTS"
-%endif
 
 export XFAIL_TESTS
 
@@ -175,6 +157,14 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 
 
 %changelog
+* Mon Mar 26 2018 Marek Skalický <mskalick@redhat.com> - 2.2.5-2
+- Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx
+
+* Wed Aug 30 2017 Remi Collet <remi@fedoraproject.org> - 2.2.5-1
+- Update to 2.2.5
+- fix double-free in gdImagePngPtr(). CVE-2017-6362
+- fix buffer over-read into uninitialized memory. CVE-2017-7890
+
 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 

sources

@@ -1 +1 @@
-SHA512 (libgd-2.2.4.tar.xz) = 07903f322c4f6ab392508b0f60c38ca133699111ea92995dc6cd9379210d598bcb24a46c19657884d9e252f8663d0ee8c89c600e3a382a5ae598198c190f39b5
+SHA512 (libgd-2.2.5.tar.xz) = 946675b0a9dbecdee3dda927d496a35d6b5b071d3252a82cd649db0d959a82fcc65ce067ec34d07eed0e0497cd92cc0d93803609a4854f42d284e950764044d0