9 Commits
Author | SHA1 | Date |
---|---|---|
Marek Skalický | 4588f4972b | |
Marek Skalický | faebf7f082 | |
Marek Skalický | 91f922d872 | |
Remi Collet | da9eaac8b5 | |
Remi Collet | 1fb3530455 | |
Marek Skalický | 9db5e2bdaa | |
Marek Skalický | 1bd3819e67 | |
Marek Skalický | 81914b0d59 | |
Marek Skalický | 8bd65163f5 |
|
@ -4,8 +4,3 @@ gd-2.0.35.tar.bz2
|
||||||
/libgd-2.1.0-725ba9de4005144d137d2a7a70f760068fc3d306.tgz
|
/libgd-2.1.0-725ba9de4005144d137d2a7a70f760068fc3d306.tgz
|
||||||
/libgd-2.1.0.tar.xz
|
/libgd-2.1.0.tar.xz
|
||||||
/libgd-2.1.1.tar.xz
|
/libgd-2.1.1.tar.xz
|
||||||
/libgd-2.2.1.tar.xz
|
|
||||||
/libgd-2.2.2.tar.xz
|
|
||||||
/libgd-2.2.3.tar.xz
|
|
||||||
/libgd-2.2.4.tar.xz
|
|
||||||
/libgd-2.2.5.tar.xz
|
|
||||||
|
|
Binary file not shown.
|
@ -0,0 +1,31 @@
|
||||||
|
From 4d29684fd4ddbd6bb4dbde805f0fdaa84b0f66f2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
|
||||||
|
Date: Fri, 20 May 2016 09:39:38 +0200
|
||||||
|
Subject: [PATCH] CVE-2015-8874
|
||||||
|
|
||||||
|
---
|
||||||
|
src/gd.c | 11 +++++++++++
|
||||||
|
1 file changed, 11 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/gd.c b/src/gd.c
|
||||||
|
index 300dfce..0603247 100644
|
||||||
|
--- a/src/gd.c
|
||||||
|
+++ b/src/gd.c
|
||||||
|
@@ -1938,6 +1938,17 @@ BGD_DECLARE(void) gdImageFillToBorder (gdImagePtr im, int x, int y, int border,
|
||||||
|
restoreAlphaBleding = im->alphaBlendingFlag;
|
||||||
|
im->alphaBlendingFlag = 0;
|
||||||
|
|
||||||
|
+ if (x >= im->sx) {
|
||||||
|
+ x = im->sx - 1;
|
||||||
|
+ } else if (x < 0) {
|
||||||
|
+ x = 0;
|
||||||
|
+ }
|
||||||
|
+ if (y >= im->sy) {
|
||||||
|
+ y = im->sy - 1;
|
||||||
|
+ } else if (y < 0) {
|
||||||
|
+ y = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
for (i = x; (i >= 0); i--) {
|
||||||
|
if (gdImageGetPixel (im, i, y) == border) {
|
||||||
|
break;
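Review bot: The clamp added ahead of the scan loops in gdImageFillToBorder has no comment, and it silently moves an out-of-range seed point to the nearest edge instead of rejecting it, so a caller passing a bad coordinate gets a fill it did not ask for. A one-line comment such as `/* Clamp the seed into the image so the scans below start in bounds (CVE-2015-8874). */` would record why it is there. The clamp also assumes `im->sx` and `im->sy` are at least 1: with a zero dimension, `x = im->sx - 1` yields -1. It is worth confirming that the rest of the function, which starts and ends outside the hunk, never sees such an image.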
|
|
@ -0,0 +1,37 @@
|
||||||
|
Backported for 2.1, without binary patch, from:
|
||||||
|
|
||||||
|
|
||||||
|
From 78d83ac76c16d269b538a7cef4120a5fb5177b6d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pierre Joye <pierre.php@gmail.com>
|
||||||
|
Date: Tue, 28 Jun 2016 16:23:42 +0700
|
||||||
|
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
|
||||||
|
_gd2GetHeader() resulting in heap overflow
|
||||||
|
|
||||||
|
---
|
||||||
|
src/gd_gd2.c | 5 ++++-
|
||||||
|
tests/gd2/CMakeLists.txt | 1 +
|
||||||
|
tests/gd2/Makemodule.am | 6 ++++--
|
||||||
|
tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
|
||||||
|
tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
|
||||||
|
5 files changed, 30 insertions(+), 3 deletions(-)
|
||||||
|
create mode 100644 tests/gd2/php_bug_72339.c
|
||||||
|
create mode 100644 tests/gd2/php_bug_72339_exp.gd2
|
||||||
|
|
||||||
|
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
||||||
|
index fd1e0c9..bdbbecf 100644
|
||||||
|
--- a/src/gd_gd2.c
|
||||||
|
+++ b/src/gd_gd2.c
|
||||||
|
@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
||||||
|
nc = (*ncx) * (*ncy);
|
||||||
|
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
|
||||||
|
sidx = sizeof (t_chunk_info) * nc;
|
||||||
|
+ if (overflow2(sidx, nc)) {
|
||||||
|
+ goto fail1;
|
||||||
|
+ }
|
||||||
|
cidx = gdCalloc (sidx, 1);
|
||||||
|
- if (!cidx) {
|
||||||
|
+ if (cidx == NULL) {
|
||||||
|
goto fail1;
|
||||||
|
}
|
||||||
|
for (i = 0; i < nc; i++) {
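Review bot: The new `overflow2(sidx, nc)` guard in _gd2GetHeader runs after `sidx = sizeof (t_chunk_info) * nc` has already been computed, and it tests `sidx * nc` rather than the product that is actually allocated, so a wrapped `sidx` can still pass. Checking the operands before multiplying, with `if (overflow2(sizeof(t_chunk_info), nc)) goto fail1;` placed above the `sidx` assignment, matches what the allocation needs. The context line `nc = (*ncx) * (*ncy);` is also unchecked; `if (overflow2(*ncx, *ncy)) goto fail1;` before it would close that path, assuming both counts come from the file header, which is read outside the hunk. The section header says the backport omits the binary patch, which is the test fixture, so it is worth confirming the regression test still has the input it needs.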
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
From 4751b606fa38edc456d627140898a7ec679fcc24 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vladimir Mitrovic <vladimir.x.mitrovic@gmail.com>
|
||||||
|
Date: Wed, 5 Aug 2015 03:01:06 +0200
|
||||||
|
Subject: [PATCH] gdImageScaleTwoPass memory leak fix
|
||||||
|
|
||||||
|
Fixing memory leak in gdImageScaleTwoPass, as reported by @cmb69 and
|
||||||
|
confirmed by @vapier. This bug actually bit me in production and I'm
|
||||||
|
very thankful that it was reported with an easy fix.
|
||||||
|
|
||||||
|
Fixes #173.
|
||||||
|
---
|
||||||
|
src/gd_interpolation.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
|
||||||
|
index fcc11e6..f00c946 100644
|
||||||
|
--- a/src/gd_interpolation.c
|
||||||
|
+++ b/src/gd_interpolation.c
|
||||||
|
@@ -1087,7 +1087,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
|
||||||
|
}/* if */
|
||||||
|
|
||||||
|
if (src != tmp_im) {
|
||||||
|
- gdFree(tmp_im);
|
||||||
|
+ gdImageDestroy(tmp_im);
|
||||||
|
}/* if */
|
||||||
|
|
||||||
|
return dst;
|
|
@ -0,0 +1,37 @@
|
||||||
|
From d41eb72cd4545c394578332e5c102dee69e02ee8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Remi Collet <fedora@famillecollet.com>
|
||||||
|
Date: Tue, 7 Apr 2015 13:11:03 +0200
|
||||||
|
Subject: [PATCH] Fix build with latest libvpx 1.4.0
|
||||||
|
|
||||||
|
These new constants exist at least since 1.0.0
|
||||||
|
Compatibility ones have been droped in 1.4.0
|
||||||
|
---
|
||||||
|
src/webpimg.c | 14 +++++++-------
|
||||||
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/webpimg.c b/src/webpimg.c
|
||||||
|
index cf73d64..e49fcc6 100644
|
||||||
|
--- a/src/webpimg.c
|
||||||
|
+++ b/src/webpimg.c
|
||||||
|
@@ -711,14 +711,14 @@ static WebPResult VPXEncode(const uint8* Y,
|
||||||
|
codec_ctl(&enc, VP8E_SET_STATIC_THRESHOLD, 0);
|
||||||
|
codec_ctl(&enc, VP8E_SET_TOKEN_PARTITIONS, 2);
|
||||||
|
|
||||||
|
- vpx_img_wrap(&img, IMG_FMT_I420,
|
||||||
|
+ vpx_img_wrap(&img, VPX_IMG_FMT_I420,
|
||||||
|
y_width, y_height, 16, (uint8*)(Y));
|
||||||
|
- img.planes[PLANE_Y] = (uint8*)(Y);
|
||||||
|
- img.planes[PLANE_U] = (uint8*)(U);
|
||||||
|
- img.planes[PLANE_V] = (uint8*)(V);
|
||||||
|
- img.stride[PLANE_Y] = y_stride;
|
||||||
|
- img.stride[PLANE_U] = uv_stride;
|
||||||
|
- img.stride[PLANE_V] = uv_stride;
|
||||||
|
+ img.planes[VPX_PLANE_Y] = (uint8*)(Y);
|
||||||
|
+ img.planes[VPX_PLANE_U] = (uint8*)(U);
|
||||||
|
+ img.planes[VPX_PLANE_V] = (uint8*)(V);
|
||||||
|
+ img.stride[VPX_PLANE_Y] = y_stride;
|
||||||
|
+ img.stride[VPX_PLANE_U] = uv_stride;
|
||||||
|
+ img.stride[VPX_PLANE_V] = uv_stride;
|
||||||
|
|
||||||
|
res = vpx_codec_encode(&enc, &img, 0, 1, 0, VPX_DL_BEST_QUALITY);
|
||||||
|
|
|
@ -0,0 +1,89 @@
|
||||||
|
From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mike Frysinger <vapier@gentoo.org>
|
||||||
|
Date: Sat, 14 May 2016 01:38:18 -0400
|
||||||
|
Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
|
||||||
|
|
||||||
|
We use the name passed in to printf into a local stack buffer which is
|
||||||
|
limited to 4000 bytes. So given a large enough value, lots of stack
|
||||||
|
data is leaked. Rewrite the code to do simple memory copies with most
|
||||||
|
of the strings to avoid that issue, and only use stack buffer for small
|
||||||
|
numbers of constant size.
|
||||||
|
|
||||||
|
This closes #211.
|
||||||
|
---
|
||||||
|
src/gd_xbm.c | 34 +++++++++++++++++++++++++++-------
|
||||||
|
1 file changed, 27 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/gd_xbm.c b/src/gd_xbm.c
|
||||||
|
index 74d839b..d28fdfc 100644
|
||||||
|
--- a/src/gd_xbm.c
|
||||||
|
+++ b/src/gd_xbm.c
|
||||||
|
@@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
|
||||||
|
/* {{{ gdCtxPrintf */
|
||||||
|
static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
|
||||||
|
{
|
||||||
|
- char buf[4096];
|
||||||
|
+ char buf[1024];
|
||||||
|
int len;
|
||||||
|
va_list args;
|
||||||
|
|
||||||
|
@@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
|
||||||
|
}
|
||||||
|
/* }}} */
|
||||||
|
|
||||||
|
+/* The compiler will optimize strlen(constant) to a constant number. */
|
||||||
|
+#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s))
|
||||||
|
+
|
||||||
|
/* {{{ gdImageXbmCtx */
|
||||||
|
BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
|
||||||
|
{
|
||||||
|
@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image));
|
||||||
|
- gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image));
|
||||||
|
- gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name);
|
||||||
|
+ /* Since "name" comes from the user, run it through a direct puts.
|
||||||
|
+ * Trying to printf it into a local buffer means we'd need a large
|
||||||
|
+ * or dynamic buffer to hold it all. */
|
||||||
|
+
|
||||||
|
+ /* #define <name>_width 1234 */
|
||||||
|
+ gdCtxPuts(out, "#define ");
|
||||||
|
+ gdCtxPuts(out, name);
|
||||||
|
+ gdCtxPuts(out, "_width ");
|
||||||
|
+ gdCtxPrintf(out, "%d\n", gdImageSX(image));
|
||||||
|
+
|
||||||
|
+ /* #define <name>_height 1234 */
|
||||||
|
+ gdCtxPuts(out, "#define ");
|
||||||
|
+ gdCtxPuts(out, name);
|
||||||
|
+ gdCtxPuts(out, "_height ");
|
||||||
|
+ gdCtxPrintf(out, "%d\n", gdImageSY(image));
|
||||||
|
+
|
||||||
|
+ /* static unsigned char <name>_bits[] = {\n */
|
||||||
|
+ gdCtxPuts(out, "static unsigned char ");
|
||||||
|
+ gdCtxPuts(out, name);
|
||||||
|
+ gdCtxPuts(out, "_bits[] = {\n ");
|
||||||
|
|
||||||
|
free(name);
|
||||||
|
|
||||||
|
@@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
|
||||||
|
if ((b == 128) || (x == sx && y == sy)) {
|
||||||
|
b = 1;
|
||||||
|
if (p) {
|
||||||
|
- gdCtxPrintf(out, ", ");
|
||||||
|
+ gdCtxPuts(out, ", ");
|
||||||
|
if (!(p%12)) {
|
||||||
|
- gdCtxPrintf(out, "\n ");
|
||||||
|
+ gdCtxPuts(out, "\n ");
|
||||||
|
p = 12;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- gdCtxPrintf(out, "};\n");
|
||||||
|
+ gdCtxPuts(out, "};\n");
|
||||||
|
}
|
||||||
|
/* }}} */
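Review bot: gdCtxPrintf keeps a fixed stack buffer (now `char buf[1024]`) and its length handling lies outside the hunks, so the over-read described in the commit message could return if the helper passes the formatter's return value to putBuf unchanged and a later caller formats more than the buffer holds. Clamping inside the helper, for example `if (len < 0) return;` followed by `if (len > (int)sizeof(buf) - 1) len = (int)sizeof(buf) - 1;`, would make it safe regardless of call site. Separately, the `gdCtxPuts` macro expands `out` and `s` twice without parentheses; `#define gdCtxPuts(out, s) ((out)->putBuf((out), (s), strlen(s)))` or a small static function avoids surprises with side-effecting arguments.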
|
|
@ -0,0 +1,119 @@
|
||||||
|
From 82b80dcb70a7ca8986125ff412bceddafc896842 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mike Frysinger <vapier@gentoo.org>
|
||||||
|
Date: Sat, 14 May 2016 02:13:15 -0400
|
||||||
|
Subject: [PATCH] gif: avoid out-of-bound reads of masks array #209
|
||||||
|
|
||||||
|
When given invalid inputs, we might be fed the EOF marker before it is
|
||||||
|
actually the EOF. The gif logic assumes once it sees the EOF marker,
|
||||||
|
there won't be any more data, so it leaves the cur_bits index possibly
|
||||||
|
negative. So when we get more data, we underflow the masks array.
|
||||||
|
|
||||||
|
Flag it so we don't try to output anything more. The image is invalid,
|
||||||
|
so we shouldn't be truncating any valid inputs.
|
||||||
|
|
||||||
|
This fixes #209.
|
||||||
|
---
|
||||||
|
src/gd_gif_out.c | 12 +++++++++++-
|
||||||
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
From 315dbfb0e75895e3ba84f649c491956e75f1106c Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
||||||
|
Date: Tue, 19 Jul 2016 10:43:55 +0200
|
||||||
|
Subject: [PATCH] Add test case for issue #209
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/gif/.gitignore | 1 +
|
||||||
|
tests/gif/CMakeLists.txt | 1 +
|
||||||
|
tests/gif/Makemodule.am | 4 +++-
|
||||||
|
tests/gif/bug00209.c | 29 +++++++++++++++++++++++++++++
|
||||||
|
tests/gif/bug00209.gd2 | Bin 0 -> 1050 bytes
|
||||||
|
5 files changed, 34 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/gif/bug00209.c
|
||||||
|
create mode 100644 tests/gif/bug00209.gd2
|
||||||
|
|
||||||
|
diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
|
||||||
|
index 51ceb75..3099d49 100644
|
||||||
|
--- a/src/gd_gif_out.c
|
||||||
|
+++ b/src/gd_gif_out.c
|
||||||
|
@@ -1442,15 +1442,23 @@ static void compress(int init_bits, gdIOCtxPtr outfile, gdImagePtr im, GifCtx *c
|
||||||
|
* code in turn. When the buffer fills up empty it and start over.
|
||||||
|
*/
|
||||||
|
|
||||||
|
-static unsigned long masks[] = {
|
||||||
|
+static const unsigned long masks[] = {
|
||||||
|
0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
|
||||||
|
0x001F, 0x003F, 0x007F, 0x00FF,
|
||||||
|
0x01FF, 0x03FF, 0x07FF, 0x0FFF,
|
||||||
|
0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF
|
||||||
|
};
|
||||||
|
|
||||||
|
+/* Arbitrary value to mark output is done. When we see EOFCode, then we don't
|
||||||
|
+ * expect to see any more data. If we do (e.g. corrupt image inputs), cur_bits
|
||||||
|
+ * might be negative, so flag it to return early.
|
||||||
|
+ */
|
||||||
|
+#define CUR_BITS_FINISHED -1000
|
||||||
|
+
|
||||||
|
static void output(code_int code, GifCtx *ctx)
|
||||||
|
{
|
||||||
|
+ if (ctx->cur_bits == CUR_BITS_FINISHED)
|
||||||
|
+ return;
|
||||||
|
ctx->cur_accum &= masks[ctx->cur_bits];
|
||||||
|
|
||||||
|
if(ctx->cur_bits > 0) {
|
||||||
|
@@ -1492,6 +1500,8 @@ static void output(code_int code, GifCtx *ctx)
|
||||||
|
ctx->cur_accum >>= 8;
|
||||||
|
ctx->cur_bits -= 8;
|
||||||
|
}
|
||||||
|
+ /* Flag that it's done to prevent re-entry. */
|
||||||
|
+ ctx->cur_bits = CUR_BITS_FINISHED;
|
||||||
|
|
||||||
|
flush_char(ctx);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
|
||||||
|
index 92010c3..d26b1fe 100644
|
||||||
|
--- a/tests/gif/CMakeLists.txt
|
||||||
|
+++ b/tests/gif/CMakeLists.txt
|
||||||
|
@@ -7,6 +7,7 @@ LIST(APPEND TESTS_FILES
|
||||||
|
bug00060
|
||||||
|
bug00066
|
||||||
|
bug00181
|
||||||
|
+ bug00209
|
||||||
|
bug00227
|
||||||
|
)
|
||||||
|
|
||||||
|
diff --git a/tests/gif/bug00209.c b/tests/gif/bug00209.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..6eafc32
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/gif/bug00209.c
|
||||||
|
@@ -0,0 +1,29 @@
|
||||||
|
+/* Test case for <https://github.com/libgd/libgd/issues/209>. */
|
||||||
|
+
|
||||||
|
+#include "gd.h"
|
||||||
|
+#include "gdtest.h"
|
||||||
|
+
|
||||||
|
+int main()
|
||||||
|
+{
|
||||||
|
+ gdImagePtr im;
|
||||||
|
+ FILE *fp;
|
||||||
|
+
|
||||||
|
+ /* printf("start\n"); */
|
||||||
|
+
|
||||||
|
+ fp = gdTestFileOpen("gif/bug00209.gd2");
|
||||||
|
+ gdTestAssert(fp != NULL);
|
||||||
|
+ im = gdImageCreateFromGd2(fp);
|
||||||
|
+ gdTestAssert(im != NULL);
|
||||||
|
+ fclose(fp);
|
||||||
|
+ /* printf("loaded\n"); */
|
||||||
|
+
|
||||||
|
+ fp = gdTestTempFp();
|
||||||
|
+ gdTestAssert(fp != NULL);
|
||||||
|
+ gdImageGif(im, fp);
|
||||||
|
+ fclose(fp);
|
||||||
|
+ /* printf("saved\n"); */
|
||||||
|
+
|
||||||
|
+ gdImageDestroy(im);
|
||||||
|
+
|
||||||
|
+ return gdNumFailures();
|
||||||
|
+}
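Review bot: In the `output()` hunk of src/gd_gif_out.c, `masks[ctx->cur_bits]` is protected only against the exact sentinel `CUR_BITS_FINISHED`; any other negative or over-large `cur_bits` would still index outside the 17-entry table. A range guard such as `if (ctx->cur_bits < 0 || ctx->cur_bits > 16) return;` covers the sentinel and every other bad value, and it does not depend on where the flag is set, which the second hunk shows only in part. The macro should also be parenthesized, `#define CUR_BITS_FINISHED (-1000)`, so it stays safe inside larger expressions. In tests/gif/bug00209.c, `gdTestAssert(im != NULL)` does not appear to stop the test, so a failed load would still reach `gdImageGif(im, fp)` with a null image; returning `gdNumFailures()` early in that case avoids it.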
|
|
@ -0,0 +1,108 @@
|
||||||
|
diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
|
||||||
|
index a829d4f..ed2b743 100644
|
||||||
|
--- a/src/gd_interpolation.c
|
||||||
|
+++ b/src/gd_interpolation.c
|
||||||
|
@@ -888,6 +888,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
|
||||||
|
{
|
||||||
|
unsigned int u = 0;
|
||||||
|
LineContribType *res;
|
||||||
|
+ int overflow_error = 0;
|
||||||
|
|
||||||
|
res = (LineContribType *) gdMalloc(sizeof(LineContribType));
|
||||||
|
if (!res) {
|
||||||
|
@@ -895,10 +896,31 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
|
||||||
|
}
|
||||||
|
res->WindowSize = windows_size;
|
||||||
|
res->LineLength = line_length;
|
||||||
|
+ if (overflow2(line_length, sizeof(ContributionType))) {
|
||||||
|
+ gdFree(res);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
|
||||||
|
-
|
||||||
|
+ if (res->ContribRow == NULL) {
|
||||||
|
+ gdFree(res);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
for (u = 0 ; u < line_length ; u++) {
|
||||||
|
- res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
|
||||||
|
+ if (overflow2(windows_size, sizeof(double))) {
|
||||||
|
+ overflow_error = 1;
|
||||||
|
+ } else {
|
||||||
|
+ res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
|
||||||
|
+ }
|
||||||
|
+ if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
|
||||||
|
+ unsigned int i;
|
||||||
|
+ u--;
|
||||||
|
+ for (i=0;i<=u;i++) {
|
||||||
|
+ gdFree(res->ContribRow[i].Weights);
|
||||||
|
+ }
|
||||||
|
+ gdFree(res->ContribRow);
|
||||||
|
+ gdFree(res);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
@@ -931,7 +953,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
|
||||||
|
|
||||||
|
windows_size = 2 * (int)ceil(width_d) + 1;
|
||||||
|
res = _gdContributionsAlloc(line_size, windows_size);
|
||||||
|
-
|
||||||
|
+ if (res == NULL) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
for (u = 0; u < line_size; u++) {
|
||||||
|
const double dCenter = (double)u / scale_d;
|
||||||
|
/* get the significant edge points affecting the pixel */
|
||||||
|
@@ -1036,7 +1060,6 @@ _gdScalePass(const gdImagePtr pSrc, const unsigned int src_len,
|
||||||
|
_gdScaleOneAxis(pSrc, pDst, dst_len, line_ndx, contrib, axis);
|
||||||
|
}
|
||||||
|
_gdContributionsFree (contrib);
|
||||||
|
-
|
||||||
|
return 1;
|
||||||
|
}/* _gdScalePass*/
|
||||||
|
|
||||||
|
@@ -1049,6 +1072,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
|
||||||
|
const unsigned int src_height = src->sy;
|
||||||
|
gdImagePtr tmp_im = NULL;;
|
||||||
|
gdImagePtr dst = NULL;
|
||||||
|
+ int scale_pass_res;
|
||||||
|
|
||||||
|
/* First, handle the trivial case. */
|
||||||
|
if (src_width == new_width && src_height == new_height) {
|
||||||
|
@@ -1070,7 +1094,11 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
|
||||||
|
}
|
||||||
|
gdImageSetInterpolationMethod(tmp_im, src->interpolation_id);
|
||||||
|
|
||||||
|
- _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
|
||||||
|
+ scale_pass_res = _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
|
||||||
|
+ if (scale_pass_res != 1) {
|
||||||
|
+ gdImageDestroy(tmp_im);
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
}/* if .. else*/
|
||||||
|
|
||||||
|
/* If vertical sizes match, we're done. */
|
||||||
|
@@ -1083,11 +1111,18 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
|
||||||
|
dst = gdImageCreateTrueColor(new_width, new_height);
|
||||||
|
if (dst != NULL) {
|
||||||
|
gdImageSetInterpolationMethod(dst, src->interpolation_id);
|
||||||
|
- _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
|
||||||
|
+ scale_pass_res = _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
|
||||||
|
+ if (scale_pass_res != 1) {
|
||||||
|
+ gdImageDestroy(dst);
|
||||||
|
+ if (src != tmp_im && tmp_im != NULL) {
|
||||||
|
+ gdImageDestroy(tmp_im);
|
||||||
|
+ }
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
}/* if */
|
||||||
|
|
||||||
|
- if (src != tmp_im) {
|
||||||
|
- gdFree(tmp_im);
|
||||||
|
+ if (tmp_im != NULL && src != tmp_im) {
|
||||||
|
+ gdImageDestroy(tmp_im);
|
||||||
|
}/* if */
|
||||||
|
|
||||||
|
return dst;
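Review bot: In the _gdContributionsAlloc cleanup path, `u--` on an `unsigned int` wraps to UINT_MAX when the failure happens on the first row (u == 0), and `for (i=0;i<=u;i++)` then calls gdFree on `Weights` pointers far past the `ContribRow` allocation. Dropping the decrement and looping with `for (i = 0; i < u; i++)` frees exactly the rows that were allocated and handles u == 0. The `overflow2(windows_size, sizeof(double))` test is loop-invariant, so it can move above the loop next to the `line_length` check, which also removes the need for `overflow_error`. Because `ContribRow` comes from gdMalloc, its `Weights` slots start uninitialised and only those already assigned are safe to free.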
|
|
@ -0,0 +1,26 @@
|
||||||
|
From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
||||||
|
Date: Wed, 12 Oct 2016 11:15:32 +0200
|
||||||
|
Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
|
||||||
|
|
||||||
|
We make sure to never pass a negative `rlen` as size to memcpy(). See
|
||||||
|
also <https://bugs.php.net/bug.php?id=73280>.
|
||||||
|
|
||||||
|
Patch provided by Emmanuel Law.
|
||||||
|
---
|
||||||
|
src/gd_io_dp.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
|
||||||
|
index 135eda3..228bfa5 100644
|
||||||
|
--- a/src/gd_io_dp.c
|
||||||
|
+++ b/src/gd_io_dp.c
|
||||||
|
@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
|
||||||
|
if(remain >= len) {
|
||||||
|
rlen = len;
|
||||||
|
} else {
|
||||||
|
- if(remain == 0) {
|
||||||
|
+ if(remain <= 0) {
|
||||||
|
/* 2.0.34: EOF is incorrect. We use 0 for
|
||||||
|
* errors and EOF, just like fileGetbuf,
|
||||||
|
* which is a simple fread() wrapper.
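Review bot: The `remain <= 0` change in dynamicGetbuf covers a negative `remain`, but a negative `len` still takes the first branch: `remain >= len` holds, `rlen = len` is assigned, and that negative value would reach the memcpy() the commit message mentions. An early `if (len < 0) return 0;` at the top of the function would close that side as well. Whether any caller can pass a negative length is not visible here, and the function body starts and ends outside the hunk, so the exact placement needs checking against the full source.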
|
|
@ -0,0 +1,27 @@
|
||||||
|
diff --git a/src/gd_webp.c b/src/gd_webp.c
|
||||||
|
index fae3861..a7ed222 100644
|
||||||
|
--- a/src/gd_webp.c
|
||||||
|
+++ b/src/gd_webp.c
|
||||||
|
@@ -179,6 +179,22 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quantiza
|
||||||
|
/* Conversion to Y,U,V buffer */
|
||||||
|
yuv_width = (width + 1) >> 1;
|
||||||
|
yuv_height = (height + 1) >> 1;
|
||||||
|
+
|
||||||
|
+ if (overflow2(width, height)) {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (overflow2(2, yuv_width)) {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (overflow2(2 * yuv_width, yuv_height)) {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (overflow2(width * height + 2 * yuv_width * yuv_height, 1)) {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
|
||||||
|
|
||||||
|
if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
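Review bot: The last added guard, `overflow2(width * height + 2 * yuv_width * yuv_height, 1)`, evaluates the full sum before checking it, so (assuming these are `int`) the signed overflow it is meant to catch has already happened and the test depends on what the wrapped value looks like. The two products are already validated by the earlier checks, so comparing before adding, `if (width * height > INT_MAX - 2 * yuv_width * yuv_height) return;`, avoids the undefined behaviour; it needs `<limits.h>` if the file does not already include it. The early returns also leave gdImageWebpCtx, a void function, with no way to signal the failure. Unless overflow2 already logs, a `gd_error()` call on each path would at least make the rejection visible.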
|
|
@ -1,73 +0,0 @@
|
||||||
From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mike Frysinger <vapier@gentoo.org>
|
|
||||||
Date: Sat, 14 Jul 2018 13:54:08 -0400
|
|
||||||
Subject: [PATCH] bmp: check return value in gdImageBmpPtr
|
|
||||||
|
|
||||||
Closes #447.
|
|
||||||
---
|
|
||||||
src/gd_bmp.c | 17 ++++++++++++++---
|
|
||||||
1 file changed, 14 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/gd_bmp.c b/src/gd_bmp.c
|
|
||||||
index bde0b9d3..78f40d9a 100644
|
|
||||||
--- a/src/gd_bmp.c
|
|
||||||
+++ b/src/gd_bmp.c
|
|
||||||
@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
|
|
||||||
static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
|
|
||||||
static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
|
|
||||||
|
|
||||||
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
|
|
||||||
+
|
|
||||||
#define BMP_DEBUG(s)
|
|
||||||
|
|
||||||
static int gdBMPPutWord(gdIOCtx *out, int w)
|
|
||||||
@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
|
|
||||||
void *rv;
|
|
||||||
gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
|
|
||||||
if (out == NULL) return NULL;
|
|
||||||
- gdImageBmpCtx(im, out, compression);
|
|
||||||
- rv = gdDPExtractData(out, size);
|
|
||||||
+ if (!_gdImageBmpCtx(im, out, compression))
|
|
||||||
+ rv = gdDPExtractData(out, size);
|
|
||||||
+ else
|
|
||||||
+ rv = NULL;
|
|
||||||
out->gd_free(out);
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
|
|
||||||
compression - whether to apply RLE or not.
|
|
||||||
*/
|
|
||||||
BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
|
|
||||||
+{
|
|
||||||
+ _gdImageBmpCtx(im, out, compression);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
|
|
||||||
{
|
|
||||||
int bitmap_size = 0, info_size, total_size, padding;
|
|
||||||
int i, row, xpos, pixel;
|
|
||||||
@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
|
|
||||||
unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
|
|
||||||
FILE *tmpfile_for_compression = NULL;
|
|
||||||
gdIOCtxPtr out_original = NULL;
|
|
||||||
+ int ret = 1;
|
|
||||||
|
|
||||||
/* No compression if its true colour or we don't support seek */
|
|
||||||
if (im->trueColor) {
|
|
||||||
@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
|
|
||||||
out_original = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ret = 0;
|
|
||||||
cleanup:
|
|
||||||
if (tmpfile_for_compression) {
|
|
||||||
#ifdef _WIN32
|
|
||||||
@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
|
|
||||||
if (out_original) {
|
|
||||||
out_original->gd_free(out_original);
|
|
||||||
}
|
|
||||||
- return;
|
|
||||||
+ return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int compress_row(unsigned char *row, int length)
|
|
|
@ -1,28 +0,0 @@
|
||||||
From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Dubaj <odubaj@redhat.com>
|
|
||||||
Date: Tue, 4 Jun 2019 10:54:45 +0200
|
|
||||||
Subject: [PATCH] heap based buffer overflow in
|
|
||||||
gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
|
|
||||||
|
|
||||||
---
|
|
||||||
src/gd_color_match.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/gd_color_match.c b/src/gd_color_match.c
|
|
||||||
index f0842b6..a94a841 100755
|
|
||||||
--- a/src/gd_color_match.c
|
|
||||||
+++ b/src/gd_color_match.c
|
|
||||||
@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
|
|
||||||
return -4; /* At least 1 color must be allocated */
|
|
||||||
}
|
|
||||||
|
|
||||||
- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
|
|
||||||
- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
|
|
||||||
+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
|
|
||||||
+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
|
|
||||||
|
|
||||||
for (x=0; x < im1->sx; x++) {
|
|
||||||
for( y=0; y<im1->sy; y++ ) {
|
|
||||||
--
|
|
||||||
2.17.1
|
|
||||||
|
|
|
@ -1,283 +0,0 @@
|
||||||
From 4d9d8368d08c3a2be3ea4193b9314fffeddace52 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Dubaj <odubaj@redhat.com>
|
|
||||||
Date: Tue, 4 Jun 2019 13:38:41 +0200
|
|
||||||
Subject: [PATCH] Potential double-free in gdImage*Ptr()
|
|
||||||
|
|
||||||
Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
|
|
||||||
must not call `gdDPExtractData()`; otherwise a double-free would
|
|
||||||
happen. Since `gdImage*Ctx()` are void functions, and we can't change
|
|
||||||
that for BC reasons, we're introducing static helpers which are used
|
|
||||||
internally.
|
|
||||||
|
|
||||||
We're adding a regression test for `gdImageJpegPtr()`, but not for
|
|
||||||
`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
|
|
||||||
trigger failure of the respective `gdImage*Ctx()` calls.
|
|
||||||
|
|
||||||
This potential security issue has been reported by Solmaz Salimi (aka.
|
|
||||||
Rooney).
|
|
||||||
---
|
|
||||||
src/gd_gif_out.c | 19 +++++++++++++++----
|
|
||||||
src/gd_jpeg.c | 20 ++++++++++++++++----
|
|
||||||
src/gd_wbmp.c | 21 ++++++++++++++++++---
|
|
||||||
tests/jpeg/CMakeLists.txt | 1 +
|
|
||||||
tests/jpeg/Makemodule.am | 3 ++-
|
|
||||||
tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
|
|
||||||
6 files changed, 83 insertions(+), 12 deletions(-)
|
|
||||||
create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
|
|
||||||
|
|
||||||
diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
|
|
||||||
index 6fe707d..4a05c09 100755
|
|
||||||
--- a/src/gd_gif_out.c
|
|
||||||
+++ b/src/gd_gif_out.c
|
|
||||||
@@ -99,7 +99,7 @@ static void char_init(GifCtx *ctx);
|
|
||||||
static void char_out(int c, GifCtx *ctx);
|
|
||||||
static void flush_char(GifCtx *ctx);
|
|
||||||
|
|
||||||
-
|
|
||||||
+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
|
|
||||||
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -131,8 +131,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
|
|
||||||
void *rv;
|
|
||||||
gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
|
|
||||||
if (out == NULL) return NULL;
|
|
||||||
- gdImageGifCtx(im, out);
|
|
||||||
- rv = gdDPExtractData(out, size);
|
|
||||||
+ if (!_gdImageGifCtx(im, out)) {
|
|
||||||
+ rv = gdDPExtractData(out, size);
|
|
||||||
+ } else {
|
|
||||||
+ rv = NULL;
|
|
||||||
+ }
|
|
||||||
out->gd_free(out);
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
@@ -220,6 +223,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
|
|
||||||
|
|
||||||
*/
|
|
||||||
BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
|
|
||||||
+{
|
|
||||||
+ _gdImageGifCtx(im, out);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* returns 0 on success, 1 on failure */
|
|
||||||
+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
|
|
||||||
{
|
|
||||||
gdImagePtr pim = 0, tim = im;
|
|
||||||
int interlace, BitsPerPixel;
|
|
||||||
@@ -231,7 +240,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
|
|
||||||
based temporary image. */
|
|
||||||
pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
|
|
||||||
if(!pim) {
|
|
||||||
- return;
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
tim = pim;
|
|
||||||
}
|
|
||||||
@@ -247,6 +256,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
|
|
||||||
/* Destroy palette based temporary image. */
|
|
||||||
gdImageDestroy( pim);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
|
|
||||||
index 271ef46..bd8fc27 100755
|
|
||||||
--- a/src/gd_jpeg.c
|
|
||||||
+++ b/src/gd_jpeg.c
|
|
||||||
@@ -123,6 +123,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
|
|
||||||
exit(99);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
|
|
||||||
* QUALITY. If QUALITY is in the range 0-100, increasing values
|
|
||||||
@@ -237,8 +239,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
|
|
||||||
void *rv;
|
|
||||||
gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
|
|
||||||
if (out == NULL) return NULL;
|
|
||||||
- gdImageJpegCtx(im, out, quality);
|
|
||||||
- rv = gdDPExtractData(out, size);
|
|
||||||
+ if (!_gdImageJpegCtx(im, out, quality)) {
|
|
||||||
+ rv = gdDPExtractData(out, size);
|
|
||||||
+ } else {
|
|
||||||
+ rv = NULL;
|
|
||||||
+ }
|
|
||||||
out->gd_free(out);
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
@@ -259,6 +264,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
|
|
||||||
|
|
||||||
*/
|
|
||||||
BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
|
|
||||||
+{
|
|
||||||
+ _gdImageJpegCtx(im, outfile, quality);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* returns 0 on success, 1 on failure */
|
|
||||||
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
|
|
||||||
{
|
|
||||||
struct jpeg_compress_struct cinfo;
|
|
||||||
struct jpeg_error_mgr jerr;
|
|
||||||
@@ -293,7 +304,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
|
|
||||||
if(row) {
|
|
||||||
gdFree(row);
|
|
||||||
}
|
|
||||||
- return;
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
cinfo.err->emit_message = jpeg_emit_message;
|
|
||||||
@@ -334,7 +345,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
|
|
||||||
if(row == 0) {
|
|
||||||
gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
|
|
||||||
jpeg_destroy_compress(&cinfo);
|
|
||||||
- return;
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
rowptr[0] = row;
|
|
||||||
@@ -411,6 +422,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
|
|
||||||
jpeg_finish_compress(&cinfo);
|
|
||||||
jpeg_destroy_compress(&cinfo);
|
|
||||||
gdFree(row);
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
|
|
||||||
index 0028273..341ff6e 100755
|
|
||||||
--- a/src/gd_wbmp.c
|
|
||||||
+++ b/src/gd_wbmp.c
|
|
||||||
@@ -88,6 +88,8 @@ int gd_getin(void *in)
|
|
||||||
return (gdGetC((gdIOCtx *)in));
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
Function: gdImageWBMPCtx
|
|
||||||
|
|
||||||
@@ -100,6 +102,12 @@ int gd_getin(void *in)
|
|
||||||
out - the stream where to write
|
|
||||||
*/
|
|
||||||
BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
|
|
||||||
+{
|
|
||||||
+ _gdImageWBMPCtx(image, fg, out);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* returns 0 on success, 1 on failure */
|
|
||||||
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
|
|
||||||
{
|
|
||||||
int x, y, pos;
|
|
||||||
Wbmp *wbmp;
|
|
||||||
@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
|
|
||||||
/* create the WBMP */
|
|
||||||
if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
|
|
||||||
gd_error("Could not create WBMP\n");
|
|
||||||
- return;
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* fill up the WBMP structure */
|
|
||||||
@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
|
|
||||||
|
|
||||||
/* write the WBMP to a gd file descriptor */
|
|
||||||
if(writewbmp(wbmp, &gd_putout, out)) {
|
|
||||||
+ freewbmp(wbmp);
|
|
||||||
gd_error("Could not save WBMP\n");
|
|
||||||
+ return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* des submitted this bugfix: gdFree the memory. */
|
|
||||||
freewbmp(wbmp);
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
|
|
||||||
void *rv;
|
|
||||||
gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
|
|
||||||
if (out == NULL) return NULL;
|
|
||||||
- gdImageWBMPCtx(im, fg, out);
|
|
||||||
- rv = gdDPExtractData(out, size);
|
|
||||||
+ if (!_gdImageWBMPCtx(im, fg, out)) {
|
|
||||||
+ rv = gdDPExtractData(out, size);
|
|
||||||
+ } else {
|
|
||||||
+ rv = NULL;
|
|
||||||
+ }
|
|
||||||
out->gd_free(out);
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
|
|
||||||
index 19964b0..a8d8162 100755
|
|
||||||
--- a/tests/jpeg/CMakeLists.txt
|
|
||||||
+++ b/tests/jpeg/CMakeLists.txt
|
|
||||||
@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
|
|
||||||
LIST(APPEND TESTS_FILES
|
|
||||||
jpeg_empty_file
|
|
||||||
jpeg_im2im
|
|
||||||
+ jpeg_ptr_double_free
|
|
||||||
jpeg_null
|
|
||||||
)
|
|
||||||
|
|
||||||
diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
|
|
||||||
index 7e5d317..b89e169 100755
|
|
||||||
--- a/tests/jpeg/Makemodule.am
|
|
||||||
+++ b/tests/jpeg/Makemodule.am
|
|
||||||
@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
|
|
||||||
libgd_test_programs += \
|
|
||||||
jpeg/jpeg_empty_file \
|
|
||||||
jpeg/jpeg_im2im \
|
|
||||||
- jpeg/jpeg_null
|
|
||||||
+ jpeg/jpeg_null \
|
|
||||||
+ jpeg/jpeg_ptr_double_free
|
|
||||||
|
|
||||||
if HAVE_LIBPNG
|
|
||||||
libgd_test_programs += \
|
|
||||||
diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..c80aeb6
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/jpeg/jpeg_ptr_double_free.c
|
|
||||||
@@ -0,0 +1,31 @@
|
|
||||||
+/**
|
|
||||||
+ * Test that failure to convert to JPEG returns NULL
|
|
||||||
+ *
|
|
||||||
+ * We are creating an image, set its width to zero, and pass this image to
|
|
||||||
+ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
|
|
||||||
+ *
|
|
||||||
+ * See also <https://github.com/libgd/libgd/issues/381>
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+#include "gd.h"
|
|
||||||
+#include "gdtest.h"
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+int main()
|
|
||||||
+{
|
|
||||||
+ gdImagePtr src, dst;
|
|
||||||
+ int size;
|
|
||||||
+
|
|
||||||
+ src = gdImageCreateTrueColor(1, 10);
|
|
||||||
+ gdTestAssert(src != NULL);
|
|
||||||
+
|
|
||||||
+ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
|
|
||||||
+
|
|
||||||
+ dst = gdImageJpegPtr(src, &size, 0);
|
|
||||||
+ gdTestAssert(dst == NULL);
|
|
||||||
+
|
|
||||||
+ gdImageDestroy(src);
|
|
||||||
+
|
|
||||||
+ return gdNumFailures();
|
|
||||||
+}
|
|
||||||
\ No newline at end of file
|
|
||||||
--
|
|
||||||
2.17.1
|
|
||||||
|
|
|
@ -1,62 +0,0 @@
|
||||||
From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
|
||||||
Date: Wed, 29 Nov 2017 19:37:38 +0100
|
|
||||||
Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
|
|
||||||
|
|
||||||
Due to a signedness confusion in `GetCode_` a corrupt GIF file can
|
|
||||||
trigger an infinite loop. Furthermore we make sure that a GIF without
|
|
||||||
any palette entries is treated as invalid *after* open palette entries
|
|
||||||
have been removed.
|
|
||||||
|
|
||||||
CVE-2018-5711
|
|
||||||
|
|
||||||
See also https://bugs.php.net/bug.php?id=75571.
|
|
||||||
---
|
|
||||||
src/gd_gif_in.c | 12 ++++++------
|
|
||||||
tests/gif/.gitignore | 1 +
|
|
||||||
tests/gif/CMakeLists.txt | 1 +
|
|
||||||
tests/gif/Makemodule.am | 2 ++
|
|
||||||
tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++
|
|
||||||
tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes
|
|
||||||
6 files changed, 38 insertions(+), 6 deletions(-)
|
|
||||||
create mode 100644 tests/gif/php_bug_75571.c
|
|
||||||
create mode 100644 tests/gif/php_bug_75571.gif
|
|
||||||
|
|
||||||
diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
|
|
||||||
index daf26e79..0a8bd717 100644
|
|
||||||
--- a/src/gd_gif_in.c
|
|
||||||
+++ b/src/gd_gif_in.c
|
|
||||||
@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if(!im->colorsTotal) {
|
|
||||||
- gdImageDestroy(im);
|
|
||||||
- return 0;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* Check for open colors at the end, so
|
|
||||||
* we can reduce colorsTotal and ultimately
|
|
||||||
* BitsPerPixel */
|
|
||||||
@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if(!im->colorsTotal) {
|
|
||||||
+ gdImageDestroy(im);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return im;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -447,7 +447,7 @@ static int
|
|
||||||
GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
|
|
||||||
{
|
|
||||||
int i, j, ret;
|
|
||||||
- unsigned char count;
|
|
||||||
+ int count;
|
|
||||||
|
|
||||||
if(flag) {
|
|
||||||
scd->curbit = 0;
|
|
||||||
|
|
Binary file not shown.
|
@ -0,0 +1,59 @@
|
||||||
|
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
|
||||||
|
index 6f28461..a50b33d 100644
|
||||||
|
--- a/src/gd_gd2.c
|
||||||
|
+++ b/src/gd_gd2.c
|
||||||
|
@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
||||||
|
if (gdGetInt (&cidx[i].size, in) != 1) {
|
||||||
|
goto fail2;
|
||||||
|
};
|
||||||
|
+ if (cidx[i].offset < 0 || cidx[i].size < 0)
|
||||||
|
+ goto fail2;
|
||||||
|
};
|
||||||
|
*chunkIdx = cidx;
|
||||||
|
};
|
||||||
|
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||||
|
index ed2c35b..b582266 100644
|
||||||
|
--- a/tests/Makefile.am
|
||||||
|
+++ b/tests/Makefile.am
|
||||||
|
@@ -129,7 +129,8 @@ endif
|
||||||
|
|
||||||
|
if HAVE_LIBZ
|
||||||
|
check_PROGRAMS += \
|
||||||
|
- gd2/gd2_null
|
||||||
|
+ gd2/gd2_null \
|
||||||
|
+ gd2/gd2_read_corrupt
|
||||||
|
endif
|
||||||
|
|
||||||
|
if HAVE_LIBPNG
|
||||||
|
diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..11f6a67
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/gd2/gd2_read_corrupt.c
|
||||||
|
@@ -0,0 +1,25 @@
|
||||||
|
+/* Just try to read the invalid gd2 image & not crash. */
|
||||||
|
+#include "gd.h"
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include "gdtest.h"
|
||||||
|
+
|
||||||
|
+int main()
|
||||||
|
+{
|
||||||
|
+ gdImagePtr im;
|
||||||
|
+ FILE *fp;
|
||||||
|
+ char path[1024];
|
||||||
|
+
|
||||||
|
+ /* Read the corrupt image. */
|
||||||
|
+ sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
|
||||||
|
+ fp = fopen(path, "rb");
|
||||||
|
+ if (!fp) {
|
||||||
|
+ printf("failed, cannot open file\n");
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ im = gdImageCreateFromGd2(fp);
|
||||||
|
+ fclose(fp);
|
||||||
|
+
|
||||||
|
+ /* Should have failed & rejected it. */
|
||||||
|
+ return im == NULL ? 0 : 1;
|
||||||
|
+}
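Review bot: The added check in `_gd2GetHeader` (src/gd_gd2.c hunk) is the only unbraced `if` next to the braced `gdGetInt` checks above it, and it carries no comment saying why negative values are rejected. `cidx[i].size` is filled from the input stream by `gdGetInt`, so for an untrusted .gd2 file it is attacker-controlled; I would write `if (cidx[i].offset < 0 || cidx[i].size < 0) { goto fail2; }` preceded by `/* chunk index is read from the file: reject negative offset/size */`. The function starts and ends outside the hunk, so how the two fields are consumed later cannot be confirmed from here. In the new test `tests/gd2/gd2_read_corrupt.c`, `sprintf(path, ...)` into `char path[1024]` is unbounded; `snprintf(path, sizeof(path), "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);` is the safer form.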
|
||||||
|
|
207
gd.spec
207
gd.spec
|
@ -1,34 +1,55 @@
|
||||||
# requested by https://bugzilla.redhat.com/1468338
|
#global prever rc2
|
||||||
# this break gdimagefile/gdnametest:
|
#global commit 725ba9de4005144d137d2a7a70f760068fc3d306
|
||||||
# gdimagefile/gdnametest.c:122: 255 pixels different on /tmp/gdtest.CrpdIb/img.gif
|
#global short %(c=%{commit}; echo ${c:0:7})
|
||||||
# gdimagefile/gdnametest.c:122: 255 pixels different on /tmp/gdtest.CrpdIb/img.GIF
|
|
||||||
# FAIL gdimagefile/gdnametest (exit status: 2)
|
|
||||||
%global with_liq 0
|
|
||||||
|
|
||||||
|
|
||||||
Summary: A graphics library for quick creation of PNG or JPEG images
|
Summary: A graphics library for quick creation of PNG or JPEG images
|
||||||
Name: gd
|
Name: gd
|
||||||
Version: 2.2.5
|
Version: 2.1.1
|
||||||
Release: 10%{?prever}%{?short}%{?dist}
|
Release: 11%{?prever}%{?short}%{?dist}
|
||||||
|
Group: System Environment/Libraries
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://libgd.github.io/
|
URL: http://libgd.bitbucket.org/
|
||||||
%if 0%{?commit:1}
|
%if 0%{?commit:1}
|
||||||
# git clone https://github.com/libgd/libgd.git; cd gd-libgd
|
# git clone git@bitbucket.org:libgd/gd-libgd.git; cd gd-libgd
|
||||||
# git archive --format=tgz --output=libgd-%{version}-%{commit}.tgz --prefix=libgd-%{version}/ master
|
# git archive --format=tgz --output=libgd-2.1.0-$(git rev-parse master).tgz --prefix=libgd-2.1.0/ master
|
||||||
Source0: libgd-%{version}-%{commit}.tgz
|
Source0: libgd-%{version}-%{commit}.tgz
|
||||||
%else
|
%else
|
||||||
Source0: https://github.com/libgd/libgd/releases/download/gd-%{version}/libgd-%{version}.tar.xz
|
Source0: https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}%{?prever:-%{prever}}.tar.xz
|
||||||
%endif
|
%endif
|
||||||
|
# Missing in official archive, need for autoreconf
|
||||||
|
Source2: getver.pl
|
||||||
|
# Test data for CVE-2016-3074 test
|
||||||
|
Source3: invalid_neg_size.gd2
|
||||||
|
# Test data for CVE-2016-6161 test
|
||||||
|
Source4: bug00209.gd2
|
||||||
|
|
||||||
Patch1: gd-2.1.0-multilib.patch
|
Patch1: gd-2.1.0-multilib.patch
|
||||||
# CVE-2018-5711 - https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
|
Patch2: gd-2.1.1-libvpx.patch
|
||||||
Patch2: gd-2.2.5-upstream.patch
|
# CVE-2016-3074
|
||||||
# CVE-2018-1000222 - https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
|
Patch3: gd-heap-overflow.patch
|
||||||
Patch3: gd-2.2.5-gdImageBmpPtr-double-free.patch
|
# CVE-2015-8877
|
||||||
# CVE-2019-6977
|
# (included in patch gd-2.2.3-CVE-2016-6207.patch)
|
||||||
Patch4: gd-2.2.5-heap-based-buffer-overflow.patch
|
#Patch4: gd-2.1.1-gdImagreScaleTwoPass-leak.patch
|
||||||
# CVE-2019-6978
|
# CVE-2016-5116
|
||||||
Patch5: gd-2.2.5-potential-double-free.patch
|
Patch5: gd-2.1.1-xbm-large-names-overflow.patch
|
||||||
|
# CVE-2015-8874
|
||||||
|
Patch6: gd-2.1.1-CVE-2015-8874.patch
|
||||||
|
# CVE-2016-5766
|
||||||
|
Patch7: gd-2.1.1-CVE-2016-5766.patch
|
||||||
|
# CVE-2016-6161
|
||||||
|
Patch8: gd-2.2.3-CVE-2016-6161.patch
|
||||||
|
# CVE-2016-6207
|
||||||
|
# cherry-picked 0dd40 d3258 ff911 f60ec 7a28c commits from libgd master
|
||||||
|
Patch9: gd-2.2.3-CVE-2016-6207.patch
|
||||||
|
# CVE-2016-7568
|
||||||
|
Patch10: gd-2.2.3-overflow-in-gdImageWebpCtx.patch
|
||||||
|
# CVE-2016-8670
|
||||||
|
Patch11: gd-2.2.3-dynamicGetbuf-negative-rlen.patch
|
||||||
|
# CVE-2016-6911
|
||||||
|
# TODO - created by one of upstream maintainers, but not in upstream yet
|
||||||
|
# https://github.com/libgd/libgd/pull/353
|
||||||
|
Patch12: gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
|
||||||
|
|
||||||
|
|
||||||
BuildRequires: freetype-devel
|
BuildRequires: freetype-devel
|
||||||
BuildRequires: fontconfig-devel
|
BuildRequires: fontconfig-devel
|
||||||
|
@ -36,20 +57,13 @@ BuildRequires: gettext-devel
|
||||||
BuildRequires: libjpeg-devel
|
BuildRequires: libjpeg-devel
|
||||||
BuildRequires: libpng-devel
|
BuildRequires: libpng-devel
|
||||||
BuildRequires: libtiff-devel
|
BuildRequires: libtiff-devel
|
||||||
BuildRequires: libwebp-devel
|
BuildRequires: libvpx-devel
|
||||||
%if %{with_liq}
|
|
||||||
BuildRequires: libimagequant-devel
|
|
||||||
%endif
|
|
||||||
BuildRequires: libX11-devel
|
BuildRequires: libX11-devel
|
||||||
BuildRequires: libXpm-devel
|
BuildRequires: libXpm-devel
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
BuildRequires: perl-interpreter
|
BuildRequires: perl
|
||||||
BuildRequires: perl-generators
|
|
||||||
# for fontconfig/basic test
|
|
||||||
BuildRequires: liberation-sans-fonts
|
|
||||||
BuildRequires: libimagequant-devel
|
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
|
@ -64,6 +78,7 @@ browsers. Note that gd is not a paint program.
|
||||||
%package progs
|
%package progs
|
||||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
Summary: Utility programs that use libgd
|
Summary: Utility programs that use libgd
|
||||||
|
Group: Applications/Multimedia
|
||||||
|
|
||||||
%description progs
|
%description progs
|
||||||
The gd-progs package includes utility programs supplied with gd, a
|
The gd-progs package includes utility programs supplied with gd, a
|
||||||
|
@ -72,17 +87,17 @@ graphics library for creating PNG and JPEG images.
|
||||||
|
|
||||||
%package devel
|
%package devel
|
||||||
Summary: The development libraries and header files for gd
|
Summary: The development libraries and header files for gd
|
||||||
|
Group: Development/Libraries
|
||||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||||
Requires: freetype-devel%{?_isa}
|
Requires: freetype-devel%{?_isa}
|
||||||
Requires: fontconfig-devel%{?_isa}
|
Requires: fontconfig-devel%{?_isa}
|
||||||
Requires: libjpeg-devel%{?_isa}
|
Requires: libjpeg-devel%{?_isa}
|
||||||
Requires: libpng-devel%{?_isa}
|
Requires: libpng-devel%{?_isa}
|
||||||
Requires: libtiff-devel%{?_isa}
|
Requires: libtiff-devel%{?_isa}
|
||||||
Requires: libwebp-devel%{?_isa}
|
Requires: libvpx-devel%{?_isa}
|
||||||
Requires: libX11-devel%{?_isa}
|
Requires: libX11-devel%{?_isa}
|
||||||
Requires: libXpm-devel%{?_isa}
|
Requires: libXpm-devel%{?_isa}
|
||||||
Requires: zlib-devel%{?_isa}
|
Requires: zlib-devel%{?_isa}
|
||||||
Requires: libimagequant-devel%{?_isa}
|
|
||||||
|
|
||||||
%description devel
|
%description devel
|
||||||
The gd-devel package contains the development libraries and header
|
The gd-devel package contains the development libraries and header
|
||||||
|
@ -92,10 +107,22 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n libgd-%{version}%{?prever:-%{prever}}
|
%setup -q -n libgd-%{version}%{?prever:-%{prever}}
|
||||||
%patch1 -p1 -b .mlib
|
%patch1 -p1 -b .mlib
|
||||||
%patch2 -p1 -b .upstream
|
%patch2 -p1 -b .vpx
|
||||||
%patch3 -p1 -b .gdImageBmpPtr-free
|
%patch3 -p1
|
||||||
%patch4 -p1
|
#%patch4 -p1 -b .image-scale
|
||||||
%patch5 -p1
|
%patch5 -p1 -b .xbm-overflow
|
||||||
|
%patch6 -p1 -b .cve-2015-8874
|
||||||
|
%patch7 -p1 -b .cve-2016-5766
|
||||||
|
%patch8 -p1 -b .cve-2016-6161
|
||||||
|
%patch9 -p1 -b .cve-2016-6207
|
||||||
|
%patch10 -p1 -b .gdImageWebpCtx
|
||||||
|
%patch11 -p1 -b .dynamicGetbuf
|
||||||
|
# Patch5 adds some non-text files (.tiff)
|
||||||
|
patch -p1 --binary < %{PATCH12}
|
||||||
|
|
||||||
|
# Workaround for missing file
|
||||||
|
cp %{SOURCE2} config/getver.pl
|
||||||
|
|
||||||
|
|
||||||
: $(perl config/getver.pl)
|
: $(perl config/getver.pl)
|
||||||
|
|
||||||
|
@ -117,17 +144,8 @@ CFLAGS="$RPM_OPT_FLAGS -DDEFAULT_FONTPATH='\"\
|
||||||
/usr/share/X11/fonts/Type1:\
|
/usr/share/X11/fonts/Type1:\
|
||||||
/usr/share/fonts/liberation\"'"
|
/usr/share/fonts/liberation\"'"
|
||||||
|
|
||||||
%ifarch %{ix86}
|
|
||||||
# see https://github.com/libgd/libgd/issues/242
|
|
||||||
CFLAGS="$CFLAGS -msse -mfpmath=sse"
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%ifarch aarch64 ppc64 ppc64le s390 s390x
|
|
||||||
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1359680
|
|
||||||
export CFLAGS="$CFLAGS -ffp-contract=off"
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%configure \
|
%configure \
|
||||||
|
--with-vpx=%{_prefix} \
|
||||||
--with-tiff=%{_prefix} \
|
--with-tiff=%{_prefix} \
|
||||||
--disable-rpath
|
--disable-rpath
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags}
|
||||||
|
@ -140,6 +158,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a
|
||||||
|
|
||||||
|
|
||||||
%check
|
%check
|
||||||
|
cp %SOURCE3 tests/gd2/
|
||||||
|
cp %SOURCE4 tests/gif/
|
||||||
|
|
||||||
: Upstream test suite
|
: Upstream test suite
|
||||||
make check
|
make check
|
||||||
|
|
||||||
|
@ -147,7 +168,9 @@ make check
|
||||||
grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
|
grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
|
||||||
|
|
||||||
|
|
||||||
%ldconfig_scriptlets
|
%post -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%postun -p /sbin/ldconfig
|
||||||
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
|
@ -160,6 +183,7 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
|
||||||
%exclude %{_bindir}/gdlib-config
|
%exclude %{_bindir}/gdlib-config
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
|
%doc ChangeLog
|
||||||
%{_bindir}/gdlib-config
|
%{_bindir}/gdlib-config
|
||||||
%{_includedir}/*
|
%{_includedir}/*
|
||||||
%{_libdir}/*.so
|
%{_libdir}/*.so
|
||||||
|
@ -167,94 +191,31 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Nov 01 2019 odubaj@redhat.com - 2.2.5-10
|
* Tue Dec 06 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-11
|
||||||
- Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
|
|
||||||
- Resolves: RHBZ#1678104 (CVE-2019-6977)
|
|
||||||
- Fixed potential double-free in gdImage*Ptr()
|
|
||||||
- Resolves: RHBZ#1671391 (CVE-2019-6978)
|
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-9
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-8
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
||||||
|
|
||||||
* Fri Sep 07 2018 mskalick@redhat.com - 2.2.5-7
|
|
||||||
- Add missing requires to libimagequent-devel
|
|
||||||
|
|
||||||
* Thu Aug 30 2018 mskalick@redhat.com - 2.2.5-6
|
|
||||||
- Use libimagequant library (RHBZ#1468338)
|
|
||||||
|
|
||||||
* Thu Aug 30 2018 mskalick@redhat.com - 2.2.5-5
|
|
||||||
- Check return value in gdImageBmpPtr to avoid double free (CVE-2018-1000222)
|
|
||||||
- Don't mark gdimagegrayscale/basic test as failing
|
|
||||||
|
|
||||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-4
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Mar 26 2018 Marek Skalický <mskalick@redhat.com> - 2.2.5-3
|
|
||||||
- Fix CVE-2018-5711 - Potential infinite loop in gdImageCreateFromGifCtx
|
|
||||||
|
|
||||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Aug 30 2017 Remi Collet <remi@fedoraproject.org> - 2.2.5-1
|
|
||||||
- Update to 2.2.5
|
|
||||||
- fix double-free in gdImagePngPtr(). CVE-2017-6362
|
|
||||||
- fix buffer over-read into uninitialized memory. CVE-2017-7890
|
|
||||||
|
|
||||||
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.4-5
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.4-4
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
||||||
|
|
||||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.4-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
|
||||||
|
|
||||||
* Wed Feb 01 2017 Sandro Mani <manisandro@gmail.com> - 2.2.4-2
|
|
||||||
- Rebuild (libwebp)
|
|
||||||
|
|
||||||
* Wed Jan 18 2017 Remi Collet <remi@fedoraproject.org> - 2.2.4-1
|
|
||||||
- Update to 2.2.4
|
|
||||||
|
|
||||||
* Tue Dec 06 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-5
|
|
||||||
- Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)
|
- Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911)
|
||||||
- Disable tests using freetype in Fedora 26 (freetype > 2.6)
|
|
||||||
|
|
||||||
* Mon Dec 05 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-4
|
|
||||||
- Fix stack based buffer overflow when passing negative `rlen` as size to
|
- Fix stack based buffer overflow when passing negative `rlen` as size to
|
||||||
memcpy() (CVE-2016-8670)
|
memcpy() (CVE-2016-8670)
|
||||||
|
|
||||||
* Mon Dec 05 2016 Marek Skalický <mskalick@redhat.com> - 2.2.3-3
|
|
||||||
- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)
|
- Fix possible overflow in gdImageWebpCtx (CVE-2016-7568)
|
||||||
|
|
||||||
* Tue Jul 26 2016 Dan Horák <dan[at]danny.cz> - 2.2.3-2
|
* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-10
|
||||||
- apply workaround for rhbz#1359680
|
- Fix CVE-2016-6207
|
||||||
|
|
||||||
* Fri Jul 22 2016 Remi Collet <remi@fedoraproject.org> - 2.2.3-1
|
* Mon Sep 19 2016 Marek Skalický <mskalick@redhat.com> - 2.1.1-9
|
||||||
- Update to 2.2.3
|
- Fix out of bounds read when encoding gif from malformed input with gd2togif
|
||||||
- use -msse -mfpmath=sse build options (x86-32)
|
(CVE-2016-6161)
|
||||||
|
|
||||||
* Fri Jun 24 2016 Remi Collet <remi@fedoraproject.org> - 2.2.2-1
|
* Tue Jun 28 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-8
|
||||||
- Update to 2.2.2
|
- fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)
|
||||||
|
|
||||||
* Sat May 28 2016 Remi Collet <remi@fedoraproject.org> - 2.2.1-2
|
* Fri Jun 24 2016 Remi Collet <remi@fedoraproject.org> - 2.1.1-7
|
||||||
- remove unneeded sources
|
- fix for stack overflow with gdImageFillToBorder (CVE-2015-8874)
|
||||||
|
|
||||||
* Fri May 27 2016 Marek Skalicky <mskalick@redhat.com> - 2.2.1-1
|
* Tue May 31 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-6
|
||||||
- Upgrade to 2.2.1 release
|
- Backported fixes of two memory leaks (CVE-2015-8877, CVE-2016-5116)
|
||||||
- Upstream moved to github.com
|
|
||||||
|
|
||||||
* Thu Apr 28 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-7
|
* Thu Apr 28 2016 Marek Skalicky <mskalick@redhat.com> - 2.1.1-5
|
||||||
- Fixed heap overflow (CVE-2016-3074)
|
- Fixed heap overflow (CVE-2016-3074)
|
||||||
|
|
||||||
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.1-6
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Dec 1 2015 Tom Callaway <spot@fedoraproject.org> - 2.1.1-5
|
|
||||||
- rebuild for libvpx 1.5.0
|
|
||||||
|
|
||||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-4
|
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.1-4
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
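Review bot: In `%prep` on the new (2.1.1) side, the comment `# Patch5 adds some non-text files (.tiff)` sits above `patch -p1 --binary < %{PATCH12}`, so it names the wrong patch. Patch5 is `gd-2.1.1-xbm-large-names-overflow.patch` and is applied earlier with `%patch5 -p1 -b .xbm-overflow`. I would change the comment to `# Patch12 adds some non-text files (.tiff), so it is applied with --binary`. `%patch3 -p1` is also the only applied `%patch` line on that side without a `-b` suffix; something like `%patch3 -p1 -b .heap-overflow` would match the others. Which column is the new side is inferred from the `Version:` and `Release:` lines.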
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,42 @@
|
||||||
|
#!/usr/bin/env perl
|
||||||
|
|
||||||
|
# Simple script to extract the version number parts from src/gd.h. If
|
||||||
|
# called with the middle word of the version macro, it prints the
|
||||||
|
# value of that macro. If called with no argument, it outputs a
|
||||||
|
# human-readable version string. This must be run in the project
|
||||||
|
# root. It is used by configure.ac and docs/naturaldocs/run_docs.sh.
|
||||||
|
|
||||||
|
use strict;
|
||||||
|
|
||||||
|
my $key = shift;
|
||||||
|
my @version_parts = ();
|
||||||
|
|
||||||
|
open FH, "<src/gd.h" # old-style filehandle for max. portability
|
||||||
|
or die "Unable to open 'version.h' for reading.\n";
|
||||||
|
|
||||||
|
while(<FH>) {
|
||||||
|
next unless m{version605b5d1778};
|
||||||
|
next unless /^#define\s+GD_([A-Z0-9]+)_VERSION+\s+(\S+)/;
|
||||||
|
my ($lk, $lv) = ($1, $2);
|
||||||
|
if ($lk eq $key) {
|
||||||
|
chomp $lv;
|
||||||
|
$lv =~ s/"//g;
|
||||||
|
|
||||||
|
print $lv; # no newline
|
||||||
|
exit(0); # success!
|
||||||
|
}
|
||||||
|
|
||||||
|
push @version_parts, $lv if (!$key);
|
||||||
|
}
|
||||||
|
|
||||||
|
close(FH);
|
||||||
|
|
||||||
|
if (scalar @version_parts == 4) {
|
||||||
|
my $result = join(".", @version_parts[0..2]);
|
||||||
|
$result .= $version_parts[3];
|
||||||
|
$result =~ s/"//g;
|
||||||
|
print $result;
|
||||||
|
exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
exit(1); # failure
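Review bot: The `die` message after `open FH, "<src/gd.h"` reports `'version.h'`, which is not the file being opened, and it omits `$!`, so a failed build gives a misleading path and no cause. I would make it `or die "Unable to open 'src/gd.h' for reading: $!\n";`. The script has `use strict;` but no `use warnings;`, so the `$lk eq $key` comparison with an undefined `$key` (the no-argument case) passes silently. Adding `use warnings;` and testing `defined $key && $lk eq $key` would make that case explicit.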
|
Binary file not shown.