Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)

- Fix stack based buffer overflow when passing negative `rlen` as size to
  memcpy() (CVE-2016-8670)
- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)

.gitignore

@@ -4,8 +4,3 @@ gd-2.0.35.tar.bz2
 /libgd-2.1.0-725ba9de4005144d137d2a7a70f760068fc3d306.tgz
 /libgd-2.1.0.tar.xz
 /libgd-2.1.1.tar.xz
-/libgd-2.2.1.tar.xz
-/libgd-2.2.2.tar.xz
-/libgd-2.2.3.tar.xz
-/libgd-2.2.4.tar.xz
-/libgd-2.2.5.tar.xz

gd-2.1.1-CVE-2015-8874.patch

@@ -0,0 +1,31 @@
+From 4d29684fd4ddbd6bb4dbde805f0fdaa84b0f66f2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Fri, 20 May 2016 09:39:38 +0200
+Subject: [PATCH] CVE-2015-8874
+
+---
+ src/gd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/gd.c b/src/gd.c
+index 300dfce..0603247 100644
+--- a/src/gd.c
++++ b/src/gd.c
+@@ -1938,6 +1938,17 @@ BGD_DECLARE(void) gdImageFillToBorder (gdImagePtr im, int x, int y, int border,
+ 	restoreAlphaBleding = im->alphaBlendingFlag;
+ 	im->alphaBlendingFlag = 0;
+ 
++	if (x >= im->sx) {
++		x = im->sx - 1;
++	} else if (x < 0) {
++		x = 0;
++	}
++	if (y >= im->sy) {
++		y = im->sy - 1;
++	} else if (y < 0) {
++		y = 0;
++	}
++	
+ 	for (i = x; (i >= 0); i--) {
+ 		if (gdImageGetPixel (im, i, y) == border) {
+ 			break;

gd-2.1.1-CVE-2016-5766.patch

@@ -0,0 +1,37 @@
+Backported for 2.1, without binary patch, from:
+
+
+From 78d83ac76c16d269b538a7cef4120a5fb5177b6d Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 28 Jun 2016 16:23:42 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+ _gd2GetHeader() resulting in heap overflow
+
+---
+ src/gd_gd2.c                    |   5 ++++-
+ tests/gd2/CMakeLists.txt        |   1 +
+ tests/gd2/Makemodule.am         |   6 ++++--
+ tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
+ tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
+ 5 files changed, 30 insertions(+), 3 deletions(-)
+ create mode 100644 tests/gd2/php_bug_72339.c
+ create mode 100644 tests/gd2/php_bug_72339_exp.gd2
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index fd1e0c9..bdbbecf 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ 		nc = (*ncx) * (*ncy);
+ 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ 		sidx = sizeof (t_chunk_info) * nc;
++		if (overflow2(sidx, nc)) {
++			goto fail1;
++		}
+ 		cidx = gdCalloc (sidx, 1);
+-		if (!cidx) {
++		if (cidx == NULL) {
+ 			goto fail1;
+ 		}
+ 		for (i = 0; i < nc; i++) {
+

gd-2.1.1-gdImagreScaleTwoPass-leak.patch

@@ -0,0 +1,27 @@
+From 4751b606fa38edc456d627140898a7ec679fcc24 Mon Sep 17 00:00:00 2001
+From: Vladimir Mitrovic <vladimir.x.mitrovic@gmail.com>
+Date: Wed, 5 Aug 2015 03:01:06 +0200
+Subject: [PATCH] gdImageScaleTwoPass memory leak fix
+
+Fixing memory leak in gdImageScaleTwoPass, as reported by @cmb69 and
+confirmed by @vapier.  This bug actually bit me in production and I'm
+very thankful that it was reported with an easy fix.
+
+Fixes #173.
+---
+ src/gd_interpolation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index fcc11e6..f00c946 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -1087,7 +1087,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+     }/* if */
+ 
+     if (src != tmp_im) {
+-        gdFree(tmp_im);
++        gdImageDestroy(tmp_im);
+     }/* if */
+ 
+ 	return dst;

gd-2.1.1-libvpx.patch

@@ -0,0 +1,37 @@
+From d41eb72cd4545c394578332e5c102dee69e02ee8 Mon Sep 17 00:00:00 2001
+From: Remi Collet <fedora@famillecollet.com>
+Date: Tue, 7 Apr 2015 13:11:03 +0200
+Subject: [PATCH] Fix build with latest libvpx 1.4.0
+
+These new constants exist at least since 1.0.0
+Compatibility ones have been droped in 1.4.0
+---
+ src/webpimg.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/webpimg.c b/src/webpimg.c
+index cf73d64..e49fcc6 100644
+--- a/src/webpimg.c
++++ b/src/webpimg.c
+@@ -711,14 +711,14 @@ static WebPResult VPXEncode(const uint8* Y,
+     codec_ctl(&enc, VP8E_SET_STATIC_THRESHOLD, 0);
+     codec_ctl(&enc, VP8E_SET_TOKEN_PARTITIONS, 2);
+ 
+-    vpx_img_wrap(&img, IMG_FMT_I420,
++    vpx_img_wrap(&img, VPX_IMG_FMT_I420,
+                  y_width, y_height, 16, (uint8*)(Y));
+-    img.planes[PLANE_Y] = (uint8*)(Y);
+-    img.planes[PLANE_U] = (uint8*)(U);
+-    img.planes[PLANE_V] = (uint8*)(V);
+-    img.stride[PLANE_Y] = y_stride;
+-    img.stride[PLANE_U] = uv_stride;
+-    img.stride[PLANE_V] = uv_stride;
++    img.planes[VPX_PLANE_Y] = (uint8*)(Y);
++    img.planes[VPX_PLANE_U] = (uint8*)(U);
++    img.planes[VPX_PLANE_V] = (uint8*)(V);
++    img.stride[VPX_PLANE_Y] = y_stride;
++    img.stride[VPX_PLANE_U] = uv_stride;
++    img.stride[VPX_PLANE_V] = uv_stride;
+ 
+     res = vpx_codec_encode(&enc, &img, 0, 1, 0, VPX_DL_BEST_QUALITY);
+ 

gd-2.1.1-xbm-large-names-overflow.patch

@@ -0,0 +1,89 @@
+From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 14 May 2016 01:38:18 -0400
+Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
+
+We use the name passed in to printf into a local stack buffer which is
+limited to 4000 bytes.  So given a large enough value, lots of stack
+data is leaked.  Rewrite the code to do simple memory copies with most
+of the strings to avoid that issue, and only use stack buffer for small
+numbers of constant size.
+
+This closes #211.
+---
+ src/gd_xbm.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/src/gd_xbm.c b/src/gd_xbm.c
+index 74d839b..d28fdfc 100644
+--- a/src/gd_xbm.c
++++ b/src/gd_xbm.c
+@@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
+ /* {{{ gdCtxPrintf */
+ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
+ {
+-	char buf[4096];
++	char buf[1024];
+ 	int len;
+ 	va_list args;
+ 
+@@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
+ }
+ /* }}} */
+ 
++/* The compiler will optimize strlen(constant) to a constant number. */
++#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s))
++
+ /* {{{ gdImageXbmCtx */
+ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
+ {
+@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
+ 		}
+ 	}
+ 
+-	gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image));
+-	gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image));
+-	gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n  ", name);
++	/* Since "name" comes from the user, run it through a direct puts.
++	 * Trying to printf it into a local buffer means we'd need a large
++	 * or dynamic buffer to hold it all. */
++
++	/* #define <name>_width 1234 */
++	gdCtxPuts(out, "#define ");
++	gdCtxPuts(out, name);
++	gdCtxPuts(out, "_width ");
++	gdCtxPrintf(out, "%d\n", gdImageSX(image));
++
++	/* #define <name>_height 1234 */
++	gdCtxPuts(out, "#define ");
++	gdCtxPuts(out, name);
++	gdCtxPuts(out, "_height ");
++	gdCtxPrintf(out, "%d\n", gdImageSY(image));
++
++	/* static unsigned char <name>_bits[] = {\n */
++	gdCtxPuts(out, "static unsigned char ");
++	gdCtxPuts(out, name);
++	gdCtxPuts(out, "_bits[] = {\n  ");
+ 
+ 	free(name);
+ 
+@@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
+ 			if ((b == 128) || (x == sx && y == sy)) {
+ 				b = 1;
+ 				if (p) {
+-					gdCtxPrintf(out, ", ");
++					gdCtxPuts(out, ", ");
+ 					if (!(p%12)) {
+-						gdCtxPrintf(out, "\n  ");
++						gdCtxPuts(out, "\n  ");
+ 						p = 12;
+ 					}
+ 				}
+@@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
+ 			}
+ 		}
+ 	}
+-	gdCtxPrintf(out, "};\n");
++	gdCtxPuts(out, "};\n");
+ }
+ /* }}} */

gd-2.2.3-CVE-2016-6161.patch

@@ -0,0 +1,119 @@
+From 82b80dcb70a7ca8986125ff412bceddafc896842 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 14 May 2016 02:13:15 -0400
+Subject: [PATCH] gif: avoid out-of-bound reads of masks array #209
+
+When given invalid inputs, we might be fed the EOF marker before it is
+actually the EOF.  The gif logic assumes once it sees the EOF marker,
+there won't be any more data, so it leaves the cur_bits index possibly
+negative.  So when we get more data, we underflow the masks array.
+
+Flag it so we don't try to output anything more.  The image is invalid,
+so we shouldn't be truncating any valid inputs.
+
+This fixes #209.
+---
+ src/gd_gif_out.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+ 
+From 315dbfb0e75895e3ba84f649c491956e75f1106c Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 19 Jul 2016 10:43:55 +0200
+Subject: [PATCH] Add test case for issue #209
+
+---
+ tests/gif/.gitignore     |   1 +
+ tests/gif/CMakeLists.txt |   1 +
+ tests/gif/Makemodule.am  |   4 +++-
+ tests/gif/bug00209.c     |  29 +++++++++++++++++++++++++++++
+ tests/gif/bug00209.gd2   | Bin 0 -> 1050 bytes
+ 5 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gif/bug00209.c
+ create mode 100644 tests/gif/bug00209.gd2
+
+diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
+index 51ceb75..3099d49 100644
+--- a/src/gd_gif_out.c
++++ b/src/gd_gif_out.c
+@@ -1442,15 +1442,23 @@ static void compress(int init_bits, gdIOCtxPtr outfile, gdImagePtr im, GifCtx *c
+  * code in turn.  When the buffer fills up empty it and start over.
+  */
+ 
+-static unsigned long masks[] = {
++static const unsigned long masks[] = {
+ 	0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
+ 	0x001F, 0x003F, 0x007F, 0x00FF,
+ 	0x01FF, 0x03FF, 0x07FF, 0x0FFF,
+ 	0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF
+ };
+ 
++/* Arbitrary value to mark output is done.  When we see EOFCode, then we don't
++ * expect to see any more data.  If we do (e.g. corrupt image inputs), cur_bits
++ * might be negative, so flag it to return early.
++ */
++#define CUR_BITS_FINISHED -1000
++
+ static void output(code_int code, GifCtx *ctx)
+ {
++	if (ctx->cur_bits == CUR_BITS_FINISHED)
++		return;
+ 	ctx->cur_accum &= masks[ctx->cur_bits];
+ 
+ 	if(ctx->cur_bits > 0) {
+@@ -1492,6 +1500,8 @@ static void output(code_int code, GifCtx *ctx)
+ 			ctx->cur_accum >>= 8;
+ 			ctx->cur_bits -= 8;
+ 		}
++		/* Flag that it's done to prevent re-entry. */
++		ctx->cur_bits = CUR_BITS_FINISHED;
+ 
+ 		flush_char(ctx);
+ 	}
+
+diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
+index 92010c3..d26b1fe 100644
+--- a/tests/gif/CMakeLists.txt
++++ b/tests/gif/CMakeLists.txt
+@@ -7,6 +7,7 @@ LIST(APPEND TESTS_FILES
+ 	bug00060
+ 	bug00066
+ 	bug00181
++	bug00209
+ 	bug00227
+ )
+ 
+diff --git a/tests/gif/bug00209.c b/tests/gif/bug00209.c
+new file mode 100644
+index 0000000..6eafc32
+--- /dev/null
++++ b/tests/gif/bug00209.c
+@@ -0,0 +1,29 @@
++/* Test case for  <https://github.com/libgd/libgd/issues/209>. */
++
++#include "gd.h"
++#include "gdtest.h"
++
++int main()
++{
++    gdImagePtr im;
++    FILE *fp;
++
++    /* printf("start\n"); */
++
++    fp = gdTestFileOpen("gif/bug00209.gd2");
++    gdTestAssert(fp != NULL);
++    im = gdImageCreateFromGd2(fp);
++    gdTestAssert(im != NULL);
++    fclose(fp);
++    /* printf("loaded\n"); */
++
++    fp = gdTestTempFp();
++    gdTestAssert(fp != NULL);
++    gdImageGif(im, fp);
++    fclose(fp);
++    /* printf("saved\n"); */
++
++    gdImageDestroy(im);
++
++    return gdNumFailures();
++}

gd-2.2.3-CVE-2016-6207.patch

@@ -0,0 +1,108 @@
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index a829d4f..ed2b743 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -888,6 +888,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ {
+ 	unsigned int u = 0;
+ 	LineContribType *res;
++	int overflow_error = 0;
+ 
+ 	res = (LineContribType *) gdMalloc(sizeof(LineContribType));
+ 	if (!res) {
+@@ -895,10 +896,31 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ 	}
+ 	res->WindowSize = windows_size;
+ 	res->LineLength = line_length;
++	if (overflow2(line_length, sizeof(ContributionType))) {
++		gdFree(res);
++		return NULL;
++	}
+ 	res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
+-
++	if (res->ContribRow == NULL) {
++		gdFree(res);
++		return NULL;
++	}
+ 	for (u = 0 ; u < line_length ; u++) {
+-		res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
++		if (overflow2(windows_size, sizeof(double))) {
++			overflow_error = 1;
++		} else {
++			res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
++		}
++		if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
++			unsigned int i;
++			u--;
++			for (i=0;i<=u;i++) {
++				gdFree(res->ContribRow[i].Weights);
++			}
++			gdFree(res->ContribRow);
++			gdFree(res);
++			return NULL;
++		}
+ 	}
+ 	return res;
+ }
+@@ -931,7 +953,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
+ 
+ 	windows_size = 2 * (int)ceil(width_d) + 1;
+ 	res = _gdContributionsAlloc(line_size, windows_size);
+-
++	if (res == NULL) {
++		return NULL;
++	}
+ 	for (u = 0; u < line_size; u++) {
+ 		const double dCenter = (double)u / scale_d;
+ 		/* get the significant edge points affecting the pixel */
+@@ -1036,7 +1060,6 @@ _gdScalePass(const gdImagePtr pSrc, const unsigned int src_len,
+         _gdScaleOneAxis(pSrc, pDst, dst_len, line_ndx, contrib, axis);
+ 	}
+ 	_gdContributionsFree (contrib);
+-
+     return 1;
+ }/* _gdScalePass*/
+ 
+@@ -1049,6 +1072,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+     const unsigned int src_height = src->sy;
+ 	gdImagePtr tmp_im = NULL;;
+ 	gdImagePtr dst = NULL;
++	int scale_pass_res;
+ 
+     /* First, handle the trivial case. */
+     if (src_width == new_width && src_height == new_height) {
+@@ -1070,7 +1094,11 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+         }
+         gdImageSetInterpolationMethod(tmp_im, src->interpolation_id);
+ 
+-        _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
++		scale_pass_res = _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
++		if (scale_pass_res != 1) {
++			gdImageDestroy(tmp_im);
++			return NULL;
++		}
+     }/* if .. else*/
+ 
+     /* If vertical sizes match, we're done. */
+@@ -1083,11 +1111,18 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+ 	dst = gdImageCreateTrueColor(new_width, new_height);
+ 	if (dst != NULL) {
+         gdImageSetInterpolationMethod(dst, src->interpolation_id);
+-        _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
++        scale_pass_res = _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
++		if (scale_pass_res != 1) {
++			gdImageDestroy(dst);
++			if (src != tmp_im && tmp_im != NULL) {
++				gdImageDestroy(tmp_im);
++			}
++			return NULL;
++	   }
+     }/* if */
+ 
+-    if (src != tmp_im) {
+-        gdFree(tmp_im);
++	if (tmp_im != NULL && src != tmp_im) {
++        gdImageDestroy(tmp_im);
+     }/* if */
+ 
+ 	return dst;

gd-2.2.3-dynamicGetbuf-negative-rlen.patch

@@ -0,0 +1,26 @@
+From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 12 Oct 2016 11:15:32 +0200
+Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
+
+We make sure to never pass a negative `rlen` as size to memcpy(). See
+also <https://bugs.php.net/bug.php?id=73280>.
+
+Patch provided by Emmanuel Law.
+---
+ src/gd_io_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
+index 135eda3..228bfa5 100644
+--- a/src/gd_io_dp.c
++++ b/src/gd_io_dp.c
+@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
+ 	if(remain >= len) {
+ 		rlen = len;
+ 	} else {
+-		if(remain == 0) {
++		if(remain <= 0) {
+ 			/* 2.0.34: EOF is incorrect. We use 0 for
+ 			 * errors and EOF, just like fileGetbuf,
+ 			 * which is a simple fread() wrapper.

gd-2.2.3-overflow-in-gdImageWebpCtx.patch

@@ -0,0 +1,27 @@
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index fae3861..a7ed222 100644
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -179,6 +179,22 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantiza
+ 	/* Conversion to Y,U,V buffer */
+ 	yuv_width = (width + 1) >> 1;
+ 	yuv_height = (height + 1) >> 1;
++
++	if (overflow2(width, height)) {
++		return;
++	}
++
++	if (overflow2(2, yuv_width)) {
++		return;
++	}
++
++	if (overflow2(2 * yuv_width, yuv_height)) {
++		return;
++	}
++
++	if (overflow2(width * height + 2 * yuv_width * yuv_height, 1)) {
++		return;
++	}
+ 	yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
+ 
+ 	if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {

gd-2.2.5-gdImageBmpPtr-double-free.patch

@@ -1,73 +0,0 @@
-From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 14 Jul 2018 13:54:08 -0400
-Subject: [PATCH] bmp: check return value in gdImageBmpPtr
-
-Closes #447.
----
- src/gd_bmp.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/src/gd_bmp.c b/src/gd_bmp.c
-index bde0b9d3..78f40d9a 100644
---- a/src/gd_bmp.c
-+++ b/src/gd_bmp.c
-@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
- static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
- static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
- 
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
-+
- #define BMP_DEBUG(s)
- 
- static int gdBMPPutWord(gdIOCtx *out, int w)
-@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
- 	void *rv;
- 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- 	if (out == NULL) return NULL;
--	gdImageBmpCtx(im, out, compression);
--	rv = gdDPExtractData(out, size);
-+	if (!_gdImageBmpCtx(im, out, compression))
-+		rv = gdDPExtractData(out, size);
-+	else
-+		rv = NULL;
- 	out->gd_free(out);
- 	return rv;
- }
-@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
- 		compression - whether to apply RLE or not.
- */
- BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
-+{
-+	_gdImageBmpCtx(im, out, compression);
-+}
-+
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- {
- 	int bitmap_size = 0, info_size, total_size, padding;
- 	int i, row, xpos, pixel;
-@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- 	unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
- 	FILE *tmpfile_for_compression = NULL;
- 	gdIOCtxPtr out_original = NULL;
-+	int ret = 1;
- 
- 	/* No compression if its true colour or we don't support seek */
- 	if (im->trueColor) {
-@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- 		out_original = NULL;
- 	}
- 
-+	ret = 0;
- cleanup:
- 	if (tmpfile_for_compression) {
- #ifdef _WIN32
-@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- 	if (out_original) {
- 		out_original->gd_free(out_original);
- 	}
--	return;
-+	return ret;
- }
- 
- static int compress_row(unsigned char *row, int length)

gd-2.2.5-heap-based-buffer-overflow.patch

@@ -1,28 +0,0 @@
-From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001
-From: Ondrej Dubaj <odubaj@redhat.com>
-Date: Tue, 4 Jun 2019 10:54:45 +0200
-Subject: [PATCH] heap based buffer overflow in
- gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
-
----
- src/gd_color_match.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_color_match.c b/src/gd_color_match.c
-index f0842b6..a94a841 100755
---- a/src/gd_color_match.c
-+++ b/src/gd_color_match.c
-@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
- 		return -4; /* At least 1 color must be allocated */
- 	}
- 
--	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
--	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
-+	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
-+	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
- 
- 	for (x=0; x < im1->sx; x++) {
- 		for( y=0; y<im1->sy; y++ ) {
--- 
-2.17.1
-

gd-2.2.5-potential-double-free.patch

@@ -1,283 +0,0 @@
-From 4d9d8368d08c3a2be3ea4193b9314fffeddace52 Mon Sep 17 00:00:00 2001
-From: Ondrej Dubaj <odubaj@redhat.com>
-Date: Tue, 4 Jun 2019 13:38:41 +0200
-Subject: [PATCH] Potential double-free in gdImage*Ptr()
-
-Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
-must not call `gdDPExtractData()`; otherwise a double-free would
-happen.  Since `gdImage*Ctx()` are void functions, and we can't change
-that for BC reasons, we're introducing static helpers which are used
-internally.
-
-We're adding a regression test for `gdImageJpegPtr()`, but not for
-`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
-trigger failure of the respective `gdImage*Ctx()` calls.
-
-This potential security issue has been reported by Solmaz Salimi (aka.
-Rooney).
----
- src/gd_gif_out.c                  | 19 +++++++++++++++----
- src/gd_jpeg.c                     | 20 ++++++++++++++++----
- src/gd_wbmp.c                     | 21 ++++++++++++++++++---
- tests/jpeg/CMakeLists.txt         |  1 +
- tests/jpeg/Makemodule.am          |  3 ++-
- tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
- 6 files changed, 83 insertions(+), 12 deletions(-)
- create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
-
-diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
-index 6fe707d..4a05c09 100755
---- a/src/gd_gif_out.c
-+++ b/src/gd_gif_out.c
-@@ -99,7 +99,7 @@ static void char_init(GifCtx *ctx);
- static void char_out(int c, GifCtx *ctx);
- static void flush_char(GifCtx *ctx);
- 
--
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
- 
- 
- /*
-@@ -131,8 +131,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
- 	void *rv;
- 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- 	if (out == NULL) return NULL;
--	gdImageGifCtx(im, out);
--	rv = gdDPExtractData(out, size);
-+	if (!_gdImageGifCtx(im, out)) {
-+        rv = gdDPExtractData(out, size);
-+    } else {
-+        rv = NULL;
-+    }
- 	out->gd_free(out);
- 	return rv;
- }
-@@ -220,6 +223,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
- 
- */
- BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
-+{
-+    _gdImageGifCtx(im, out);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- {
- 	gdImagePtr pim = 0, tim = im;
- 	int interlace, BitsPerPixel;
-@@ -231,7 +240,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- 		based temporary image. */
- 		pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
- 		if(!pim) {
--			return;
-+			return 1;
- 		}
- 		tim = pim;
- 	}
-@@ -247,6 +256,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- 		/* Destroy palette based temporary image. */
- 		gdImageDestroy(	pim);
- 	}
-+
-+    return 0;
- }
- 
- 
-diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
-index 271ef46..bd8fc27 100755
---- a/src/gd_jpeg.c
-+++ b/src/gd_jpeg.c
-@@ -123,6 +123,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
- 	exit(99);
- }
- 
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
-+
- /*
-  * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
-  * QUALITY.  If QUALITY is in the range 0-100, increasing values
-@@ -237,8 +239,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
- 	void *rv;
- 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- 	if (out == NULL) return NULL;
--	gdImageJpegCtx(im, out, quality);
--	rv = gdDPExtractData(out, size);
-+	if (!_gdImageJpegCtx(im, out, quality)) {
-+		rv = gdDPExtractData(out, size);
-+	} else {
-+		rv = NULL;
-+	}
- 	out->gd_free(out);
- 	return rv;
- }
-@@ -259,6 +264,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
- 
- */
- BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
-+{
-+	_gdImageJpegCtx(im, outfile, quality);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- {
- 	struct jpeg_compress_struct cinfo;
- 	struct jpeg_error_mgr jerr;
-@@ -293,7 +304,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- 		if(row) {
- 			gdFree(row);
- 		}
--		return;
-+		return 1;
- 	}
- 
- 	cinfo.err->emit_message = jpeg_emit_message;
-@@ -334,7 +345,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- 	if(row == 0) {
- 		gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
- 		jpeg_destroy_compress(&cinfo);
--		return;
-+		return 1;
- 	}
- 
- 	rowptr[0] = row;
-@@ -411,6 +422,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- 	jpeg_finish_compress(&cinfo);
- 	jpeg_destroy_compress(&cinfo);
- 	gdFree(row);
-+	return 0;
- }
- 
- 
-diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
-index 0028273..341ff6e 100755
---- a/src/gd_wbmp.c
-+++ b/src/gd_wbmp.c
-@@ -88,6 +88,8 @@ int gd_getin(void *in)
- 	return (gdGetC((gdIOCtx *)in));
- }
- 
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
-+
- /*
- 	Function: gdImageWBMPCtx
- 
-@@ -100,6 +102,12 @@ int gd_getin(void *in)
- 		out   - the stream where to write
- */
- BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
-+{
-+	_gdImageWBMPCtx(image, fg, out);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
- {
- 	int x, y, pos;
- 	Wbmp *wbmp;
-@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
- 	/* create the WBMP */
- 	if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
- 		gd_error("Could not create WBMP\n");
--		return;
-+		return 1;
- 	}
- 
- 	/* fill up the WBMP structure */
-@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
- 
- 	/* write the WBMP to a gd file descriptor */
- 	if(writewbmp(wbmp, &gd_putout, out)) {
-+		freewbmp(wbmp);
- 		gd_error("Could not save WBMP\n");
-+		return 1;
- 	}
- 
- 	/* des submitted this bugfix: gdFree the memory. */
- 	freewbmp(wbmp);
-+
-+	return 0;
- }
- 
- /*
-@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
- 	void *rv;
- 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- 	if (out == NULL) return NULL;
--	gdImageWBMPCtx(im, fg, out);
--	rv = gdDPExtractData(out, size);
-+	if (!_gdImageWBMPCtx(im, fg, out)) {
-+		rv = gdDPExtractData(out, size);
-+	} else {
-+		rv = NULL;
-+	}
- 	out->gd_free(out);
- 	return rv;
- }
-diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
-index 19964b0..a8d8162 100755
---- a/tests/jpeg/CMakeLists.txt
-+++ b/tests/jpeg/CMakeLists.txt
-@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
- LIST(APPEND TESTS_FILES
- 	jpeg_empty_file
- 	jpeg_im2im
-+	jpeg_ptr_double_free
- 	jpeg_null
- )
- 
-diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
-index 7e5d317..b89e169 100755
---- a/tests/jpeg/Makemodule.am
-+++ b/tests/jpeg/Makemodule.am
-@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
- libgd_test_programs += \
- 	jpeg/jpeg_empty_file \
- 	jpeg/jpeg_im2im \
--	jpeg/jpeg_null
-+	jpeg/jpeg_null \
-+	jpeg/jpeg_ptr_double_free
- 
- if HAVE_LIBPNG
- libgd_test_programs += \
-diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
-new file mode 100644
-index 0000000..c80aeb6
---- /dev/null
-+++ b/tests/jpeg/jpeg_ptr_double_free.c
-@@ -0,0 +1,31 @@
-+/**
-+ * Test that failure to convert to JPEG returns NULL
-+ *
-+ * We are creating an image, set its width to zero, and pass this image to
-+ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
-+ *
-+ * See also <https://github.com/libgd/libgd/issues/381>
-+ */
-+
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+int main()
-+{
-+    gdImagePtr src, dst;
-+    int size;
-+
-+    src = gdImageCreateTrueColor(1, 10);
-+    gdTestAssert(src != NULL);
-+
-+    src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
-+
-+    dst = gdImageJpegPtr(src, &size, 0);
-+    gdTestAssert(dst == NULL);
-+
-+    gdImageDestroy(src);
-+
-+    return gdNumFailures();
-+}
-\ No newline at end of file
--- 
-2.17.1
-

gd-2.2.5-upstream.patch

@@ -1,62 +0,0 @@
-From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Wed, 29 Nov 2017 19:37:38 +0100
-Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
-
-Due to a signedness confusion in `GetCode_` a corrupt GIF file can
-trigger an infinite loop.  Furthermore we make sure that a GIF without
-any palette entries is treated as invalid *after* open palette entries
-have been removed.
-
-CVE-2018-5711
-
-See also https://bugs.php.net/bug.php?id=75571.
----
- src/gd_gif_in.c             |  12 ++++++------
- tests/gif/.gitignore        |   1 +
- tests/gif/CMakeLists.txt    |   1 +
- tests/gif/Makemodule.am     |   2 ++
- tests/gif/php_bug_75571.c   |  28 ++++++++++++++++++++++++++++
- tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes
- 6 files changed, 38 insertions(+), 6 deletions(-)
- create mode 100644 tests/gif/php_bug_75571.c
- create mode 100644 tests/gif/php_bug_75571.gif
-
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
-index daf26e79..0a8bd717 100644
---- a/src/gd_gif_in.c
-+++ b/src/gd_gif_in.c
-@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
- 		return 0;
- 	}
- 
--	if(!im->colorsTotal) {
--		gdImageDestroy(im);
--		return 0;
--	}
--
- 	/* Check for open colors at the end, so
- 	 * we can reduce colorsTotal and ultimately
- 	 * BitsPerPixel */
-@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
- 		}
- 	}
- 
-+	if(!im->colorsTotal) {
-+		gdImageDestroy(im);
-+		return 0;
-+	}
-+
- 	return im;
- }
- 
-@@ -447,7 +447,7 @@ static int
- GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
- {
- 	int i, j, ret;
--	unsigned char count;
-+	int count;
- 
- 	if(flag) {
- 		scd->curbit = 0;
- 

gd-heap-overflow.patch

@@ -0,0 +1,59 @@
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 6f28461..a50b33d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ 			if (gdGetInt (&cidx[i].size, in) != 1) {
+ 				goto fail2;
+ 			};
++			if (cidx[i].offset < 0 || cidx[i].size < 0)
++				goto fail2;
+ 		};
+ 		*chunkIdx = cidx;
+ 	};
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index ed2c35b..b582266 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -129,7 +129,8 @@ endif
+ 
+ if HAVE_LIBZ
+ check_PROGRAMS += \
+-	gd2/gd2_null
++	gd2/gd2_null \
++	gd2/gd2_read_corrupt
+ endif
+ 
+ if HAVE_LIBPNG
+diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
+new file mode 100644
+index 0000000..11f6a67
+--- /dev/null
++++ b/tests/gd2/gd2_read_corrupt.c
+@@ -0,0 +1,25 @@
++/* Just try to read the invalid gd2 image & not crash. */
++#include "gd.h"
++#include <stdio.h>
++#include <stdlib.h>
++#include "gdtest.h"
++
++int main()
++{
++	gdImagePtr im;
++	FILE *fp;
++	char path[1024];
++
++	/* Read the corrupt image. */
++	sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
++	fp = fopen(path, "rb");
++	if (!fp) {
++		printf("failed, cannot open file\n");
++		return 1;
++	}
++	im = gdImageCreateFromGd2(fp);
++	fclose(fp);
++
++	/* Should have failed & rejected it. */
++	return im == NULL ? 0 : 1;
++}
+

gd.spec

@@ -1,34 +1,55 @@
-# requested by https://bugzilla.redhat.com/1468338
-# this break gdimagefile/gdnametest:
-#   gdimagefile/gdnametest.c:122: 255 pixels different on /tmp/gdtest.CrpdIb/img.gif
-#   gdimagefile/gdnametest.c:122: 255 pixels different on /tmp/gdtest.CrpdIb/img.GIF
-#   FAIL gdimagefile/gdnametest (exit status: 2)
-%global  with_liq   0
-
+#global prever    rc2
+#global commit    725ba9de4005144d137d2a7a70f760068fc3d306
+#global short     %(c=%{commit}; echo ${c:0:7})
 
 Summary:       A graphics library for quick creation of PNG or JPEG images
 Name:          gd
-Version:       2.2.5
-Release:       10%{?prever}%{?short}%{?dist}
+Version:       2.1.1
+Release:       11%{?prever}%{?short}%{?dist}
+Group:         System Environment/Libraries
 License:       MIT
-URL:           http://libgd.github.io/
+URL:           http://libgd.bitbucket.org/
 %if 0%{?commit:1}
-# git clone https://github.com/libgd/libgd.git; cd gd-libgd
-# git archive  --format=tgz --output=libgd-%{version}-%{commit}.tgz --prefix=libgd-%{version}/  master
+# git clone git@bitbucket.org:libgd/gd-libgd.git; cd gd-libgd
+# git archive  --format=tgz --output=libgd-2.1.0-$(git rev-parse master).tgz --prefix=libgd-2.1.0/  master
 Source0:       libgd-%{version}-%{commit}.tgz
 %else
-Source0:       https://github.com/libgd/libgd/releases/download/gd-%{version}/libgd-%{version}.tar.xz
+Source0:       https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}%{?prever:-%{prever}}.tar.xz
 %endif
+# Missing in official archive, need for autoreconf
+Source2:       getver.pl
+# Test data for CVE-2016-3074 test
+Source3:       invalid_neg_size.gd2
+# Test data for CVE-2016-6161 test
+Source4:       bug00209.gd2
 
 Patch1:        gd-2.1.0-multilib.patch
-# CVE-2018-5711 - https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
-Patch2:        gd-2.2.5-upstream.patch
-# CVE-2018-1000222 - https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
-Patch3:        gd-2.2.5-gdImageBmpPtr-double-free.patch
-# CVE-2019-6977
-Patch4:        gd-2.2.5-heap-based-buffer-overflow.patch
-# CVE-2019-6978
-Patch5:        gd-2.2.5-potential-double-free.patch
+Patch2:        gd-2.1.1-libvpx.patch
+# CVE-2016-3074
+Patch3:        gd-heap-overflow.patch
+# CVE-2015-8877
+# (included in patch gd-2.2.3-CVE-2016-6207.patch)
+#Patch4:        gd-2.1.1-gdImagreScaleTwoPass-leak.patch
+# CVE-2016-5116
+Patch5:        gd-2.1.1-xbm-large-names-overflow.patch
+# CVE-2015-8874
+Patch6:        gd-2.1.1-CVE-2015-8874.patch
+# CVE-2016-5766
+Patch7:        gd-2.1.1-CVE-2016-5766.patch
+# CVE-2016-6161
+Patch8:        gd-2.2.3-CVE-2016-6161.patch
+# CVE-2016-6207
+# cherry-picked 0dd40 d3258 ff911 f60ec 7a28c commits from libgd master
+Patch9:        gd-2.2.3-CVE-2016-6207.patch
+# CVE-2016-7568
+Patch10:        gd-2.2.3-overflow-in-gdImageWebpCtx.patch
+# CVE-2016-8670
+Patch11:        gd-2.2.3-dynamicGetbuf-negative-rlen.patch
+# CVE-2016-6911
+# TODO - created by one of upstream maintainers, but not in upstream yet
+# https://github.com/libgd/libgd/pull/353
+Patch12:        gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
+
 
 BuildRequires: freetype-devel
 BuildRequires: fontconfig-devel
@@ -36,20 +57,13 @@ BuildRequires: gettext-devel
 BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
 BuildRequires: libtiff-devel
-BuildRequires: libwebp-devel
-%if %{with_liq}
-BuildRequires: libimagequant-devel
-%endif
+BuildRequires: libvpx-devel
 BuildRequires: libX11-devel
 BuildRequires: libXpm-devel
 BuildRequires: zlib-devel
 BuildRequires: pkgconfig
 BuildRequires: libtool
-BuildRequires: perl-interpreter
-BuildRequires: perl-generators
-# for fontconfig/basic test
-BuildRequires: liberation-sans-fonts
-BuildRequires: libimagequant-devel
+BuildRequires: perl
 
 
 %description
@@ -64,6 +78,7 @@ browsers. Note that gd is not a paint program.
 %package progs
 Requires:       %{name}%{?_isa} = %{version}-%{release}
 Summary:        Utility programs that use libgd
+Group:          Applications/Multimedia
 
 %description progs
 The gd-progs package includes utility programs supplied with gd, a
@@ -72,17 +87,17 @@ graphics library for creating PNG and JPEG images.
 
 %package devel
 Summary:  The development libraries and header files for gd
+Group:    Development/Libraries
 Requires: %{name}%{?_isa} = %{version}-%{release}
 Requires: freetype-devel%{?_isa}
 Requires: fontconfig-devel%{?_isa}
 Requires: libjpeg-devel%{?_isa}
 Requires: libpng-devel%{?_isa}
 Requires: libtiff-devel%{?_isa}
-Requires: libwebp-devel%{?_isa}
+Requires: libvpx-devel%{?_isa}
 Requires: libX11-devel%{?_isa}
 Requires: libXpm-devel%{?_isa}
 Requires: zlib-devel%{?_isa}
-Requires: libimagequant-devel%{?_isa}
 
 %description devel
 The gd-devel package contains the development libraries and header
@@ -92,10 +107,22 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %prep
 %setup -q -n libgd-%{version}%{?prever:-%{prever}}
 %patch1 -p1 -b .mlib
-%patch2 -p1 -b .upstream
-%patch3 -p1 -b .gdImageBmpPtr-free
-%patch4 -p1
-%patch5 -p1
+%patch2 -p1 -b .vpx
+%patch3 -p1
+#%patch4 -p1 -b .image-scale
+%patch5 -p1 -b .xbm-overflow
+%patch6 -p1 -b .cve-2015-8874
+%patch7 -p1 -b .cve-2016-5766
+%patch8 -p1 -b .cve-2016-6161
+%patch9 -p1 -b .cve-2016-6207
+%patch10 -p1 -b .gdImageWebpCtx
+%patch11 -p1 -b .dynamicGetbuf
+# Patch5 adds some non-text files (.tiff)
+patch -p1 --binary < %{PATCH12}
+
+# Workaround for missing file
+cp %{SOURCE2} config/getver.pl
+
 
 : $(perl config/getver.pl)
 
@@ -117,17 +144,8 @@ CFLAGS="$RPM_OPT_FLAGS -DDEFAULT_FONTPATH='\"\
 /usr/share/X11/fonts/Type1:\
 /usr/share/fonts/liberation\"'"
 
-%ifarch %{ix86}
-# see https://github.com/libgd/libgd/issues/242
-CFLAGS="$CFLAGS -msse -mfpmath=sse"
-%endif
-
-%ifarch aarch64 ppc64 ppc64le s390 s390x
-# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1359680
-export CFLAGS="$CFLAGS -ffp-contract=off"
-%endif
-
 %configure \
+    --with-vpx=%{_prefix} \
     --with-tiff=%{_prefix} \
     --disable-rpath
 make %{?_smp_mflags}
@@ -140,6 +158,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a
 
 
 %check
+cp %SOURCE3 tests/gd2/
+cp %SOURCE4 tests/gif/
+
 : Upstream test suite
 make check
 
@@ -147,7 +168,9 @@ make check
 grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 
 
-%ldconfig_scriptlets
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
 
 
 %files
@@ -160,6 +183,7 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 %exclude %{_bindir}/gdlib-config
 
 %files devel
+%doc ChangeLog
 %{_bindir}/gdlib-config
 %{_includedir}/*
 %{_libdir}/*.so
@@ -167,94 +191,31 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 
 
 %changelog
-* Fri Nov 01 2019 odubaj@redhat.com - 2.2.5-10
-- Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
-- Resolves: RHBZ#1678104 (CVE-2019-6977)
-- Fixed potential double-free in gdImage*Ptr()
-- Resolves: RHBZ#1671391 (CVE-2019-6978)
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Sep 07 2018 mskalick@redhat.com - 2.2.5-7
-- Add missing requires to libimagequent-devel
-
-* Thu Aug 30 2018 mskalick@redhat.com - 2.2.5-6
-- Use libimagequant library (RHBZ#1468338)
-
-* Thu Aug 30 2018 mskalick@redhat.com - 2.2.5-5
-- Check return value in gdImageBmpPtr to avoid double free (CVE-2018-1000222)
-- Don't mark gdimagegrayscale/basic test as failing
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Mon Mar 26 2018 Marek Skalický <mskalick@redhat.com> - 2.2.5-3
-- Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Wed Aug 30 2017 Remi Collet <remi@fedoraproject.org> - 2.2.5-1
-- Update to 2.2.5
-- fix double-free in gdImagePngPtr(). CVE-2017-6362
-- fix buffer over-read into uninitialized memory. CVE-2017-7890
-
-* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.4-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.4-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.4-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Wed Feb 01 2017 Sandro Mani <manisandro@gmail.com> - 2.2.4-2
-- Rebuild (libwebp)
-
-* Wed Jan 18 2017 Remi Collet <remi@fedoraproject.org> - 2.2.4-1
-- Update to 2.2.4
-
-* Tue Dec 06 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-5
+* Tue Dec 06 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-11
 - Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)
-- Disable tests using freetype in Fedora 26 (freetype > 2.6)
-
-* Mon Dec 05 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-4
 - Fix stack based buffer overflow when passing negative `rlen` as size to
   memcpy() (CVE-2016-8670)
-
-* Mon Dec 05 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-3
 - Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)
 
-* Tue Jul 26 2016 Dan Horák <dan[at]danny.cz> - 2.2.3-2
-- apply workaround for rhbz#1359680
+* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-10
+- Fix CVE-2016-6207
 
-* Fri Jul 22 2016 Remi Collet <remi@fedoraproject.org> - 2.2.3-1
-- Update to 2.2.3
-- use -msse -mfpmath=sse build options (x86-32)
+* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-9
+- Fix out of bounds read when encoding gif from malformed input with gd2togif
+  (CVE-2016-6161)
 
-* Fri Jun 24 2016 Remi Collet <remi@fedoraproject.org> - 2.2.2-1
-- Update to 2.2.2
+* Tue Jun 28 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-8
+- fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)
 
-* Sat May 28 2016 Remi Collet <remi@fedoraproject.org> - 2.2.1-2
-- remove unneeded sources
+* Fri Jun 24 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-7
+- fix for stack overflow with gdImageFillToBorder (CVE-2015-8874)
 
-* Fri May 27 2016 Marek Skalicky <mskalick@redhat.com> - 2.2.1-1
-- Upgrade to 2.2.1 release
-- Upstream moved to github.com
+* Tue May 31 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-6
+- Backported fixes of two memory leaks (CVE-2015-8877, CVE-2016-5116)
 
-* Thu Apr 28 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-7
+* Thu Apr 28 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-5
 - Fixed heap overflow (CVE-2016-3074)
 
-* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Tue Dec  1 2015 Tom Callaway <spot@fedoraproject.org> - 2.1.1-5
-- rebuild for libvpx 1.5.0
-
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 

getver.pl

@@ -0,0 +1,42 @@
+#!/usr/bin/env perl
+
+# Simple script to extract the version number parts from src/gd.h.  If
+# called with the middle word of the version macro, it prints the
+# value of that macro.  If called with no argument, it outputs a
+# human-readable version string.  This must be run in the project
+# root.  It is used by configure.ac and docs/naturaldocs/run_docs.sh.
+
+use strict;
+
+my $key = shift;
+my @version_parts = ();
+
+open FH, "<src/gd.h"   # old-style filehandle for max. portability
+  or die "Unable to open 'version.h' for reading.\n";
+
+while(<FH>) {
+  next unless m{version605b5d1778};
+  next unless /^#define\s+GD_([A-Z0-9]+)_VERSION+\s+(\S+)/;
+  my ($lk, $lv) = ($1, $2);
+  if ($lk eq $key) {
+    chomp $lv;
+    $lv =~ s/"//g;
+
+    print $lv;   # no newline
+    exit(0);    # success!
+  }
+
+  push @version_parts, $lv if (!$key);
+}
+
+close(FH);
+
+if (scalar @version_parts == 4) {
+  my $result = join(".", @version_parts[0..2]);
+  $result .= $version_parts[3];
+  $result =~ s/"//g;
+  print $result;
+  exit(0);
+}
+
+exit(1);        # failure

sources

@@ -1 +1 @@
-SHA512 (libgd-2.2.5.tar.xz) = 946675b0a9dbecdee3dda927d496a35d6b5b071d3252a82cd649db0d959a82fcc65ce067ec34d07eed0e0497cd92cc0d93803609a4854f42d284e950764044d0
+9076f3abd1f9815d106da36467ea15bc  libgd-2.1.1.tar.xz