commit: 0c46087add86facfccbc875e0064cbc167775249 |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
AuthorDate: Mon Mar 4 00:28:44 2019 +0000 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
CommitDate: Mon Mar 4 00:28:59 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c46087a |
|
media-libs/gd: rev bump to add some security patches |
|
ossfuzz5700 fix |
CVE-2018-5711 |
CVE-2019-6977 |
CVE-2019-6978 |
|
Package-Manager: Portage-2.3.62, Repoman-2.3.12 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
|
media-libs/gd/Manifest | 2 + |
media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch | 124 ++++++++++ |
media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch | 28 +++ |
media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch | 278 +++++++++++++++++++++++ |
media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch | 103 +++++++++ |
media-libs/gd/gd-2.2.5-r2.ebuild | 82 +++++++ |
6 files changed, 617 insertions(+) |
|
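diff --git a/media-libs/gd/Manifest b/media-libs/gd/Manifest
index 9957e0f8f60..986a6d40524 100644
--- a/media-libs/gd/Manifest
+++ b/media-libs/gd/Manifest
@@ -1 +1,3 @@
+DIST libgd-2.2.5-ossfuzz5700.dat 30 BLAKE2B 5ddd3d2be2adf05e1e2eb1852cc689be57d4d77c57b471e8b6021877f2fb137d15b4c73445fbb23a9ed585974a96dd154759a48712c1e7b5bdc5750d534aee4a SHA512 2394e92ff7a42c818e13a1ac9ad15bc81aa401adc917366ec8c440bb7f27a63777ab059aa03c501dafef0ac16b462dd23c7fb9f8086ce558203384a98a235fff
+DIST libgd-2.2.5-php_bug_75571.dat 1731 BLAKE2B 4b5d3f258b73e8089ede1b2c9f538855f410965a9e01e1f3f151ae52f072036172b184bd1a4d07b8355bb974bf088bebb0e812175a277bb67926274272bd80a0 SHA512 b3048640ce7828cca7901fadc989e867cfc6d31b44c0f5a1bda54d7428f317c8c8fc6403fef301e193869a95eb46eb7195d47710ec7f8c507ba049cb6cdcb281
 DIST libgd-2.2.5.tar.xz 2594092 BLAKE2B 222a7e012fbf9924ac391ee96c7cd3dec96afd78c6d43dfb680b33e7143e7df87fe6be75bbfe8fb93e916302d7daf08271214c84da28712e93a36465566cb2bd SHA512 e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b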
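diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch
new file mode 100644
index 00000000000..6d9de06998a
--- /dev/null
+++ b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch
@@ -0,0 +1,124 @@
+From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@×××.de>
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop. Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+ src/gd_gif_in.c | 12 ++++++------
+ tests/gif/CMakeLists.txt | 1 +
+ tests/gif/Makemodule.am | 2 ++
+ tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++
+ tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes
+ 6 files changed, 38 insertions(+), 6 deletions(-)
+ create mode 100644 tests/gif/php_bug_75571.c
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index daf26e79..0a8bd717 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ return 0;
+ }
+
+- if(!im->colorsTotal) {
+- gdImageDestroy(im);
+- return 0;
+- }
+-
+ /* Check for open colors at the end, so
+ * we can reduce colorsTotal and ultimately
+ * BitsPerPixel */
+@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ }
+ }
+
++ if(!im->colorsTotal) {
++ gdImageDestroy(im);
++ return 0;
++ }
++
+ return im;
+ }
+
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ int i, j, ret;
+- unsigned char count;
++ int count;
+
+ if(flag) {
+ scd->curbit = 0;
+diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
+index 2b73749e..e58e6b09 100644
+--- a/tests/gif/CMakeLists.txt
++++ b/tests/gif/CMakeLists.txt
+@@ -4,6 +4,7 @@ LIST(APPEND TESTS_FILES
+ bug00227
+ gif_null
+ ossfuzz5700
++ php_bug_75571
+ uninitialized_memory_read
+ )
+
+diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am
+index 3199438f..5dbeac53 100644
+--- a/tests/gif/Makemodule.am
++++ b/tests/gif/Makemodule.am
+@@ -4,6 +4,7 @@ libgd_test_programs += \
+ gif/bug00227 \
+ gif/gif_null \
+ gif/ossfuzz5700 \
++ gif/php_bug_75571 \
+ gif/uninitialized_memory_read
+
+ if HAVE_LIBPNG
+@@ -26,4 +27,5 @@ EXTRA_DIST += \
+ gif/bug00066.gif \
+ gif/bug00066_exp.png \
+ gif/ossfuzz5700.gif \
++ gif/php_bug_75571.gif \
+ gif/unitialized_memory_read.gif
+diff --git a/tests/gif/php_bug_75571.c b/tests/gif/php_bug_75571.c
+new file mode 100644
+index 00000000..d4fae3ae
+--- /dev/null
++++ b/tests/gif/php_bug_75571.c
+@@ -0,0 +1,28 @@
++/**
++ * Test that GIF reading does not loop infinitely
++ *
++ * We are reading a crafted GIF image which has been truncated. This would
++ * trigger an infinite loop formerly, but know bails out early, returning
++ * NULL from gdImageCreateFromGif().
++ *
++ * See also https://bugs.php.net/bug.php?id=75571.
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++ gdImagePtr im;
++ FILE *fp;
++
++ fp = gdTestFileOpen2("gif", "php_bug_75571.gif");
++ gdTestAssert(fp != NULL);
++ im = gdImageCreateFromGif(fp);
++ gdTestAssert(im == NULL);
++ fclose(fp);
++
++ return gdNumFailures();
++}
+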
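diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch
new file mode 100644
index 00000000000..0b67a596c6b
--- /dev/null
+++ b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch
@@ -0,0 +1,28 @@
+Description: Heap-based buffer overflow in gdImageColorMatch
+Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
+Bug-PHP: https://bugs.php.net/bug.php?id=77270
+Bug-Debian: https://bugs.debian.org/920645
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
+Forwarded: no
+Author: "Christoph M. Becker" <cmbecker69@×××.de>
+Last-Update: 2019-02-01
+
+At least some of the image reading functions may return images which
+use color indexes greater than or equal to im->colorsTotal. We cater
+to this by always using a buffer size which is sufficient for
+`gdMaxColors` in `gdImageColorMatch()`.
+---
+
+--- a/src/gd_color_match.c
++++ b/src/gd_color_match.c
+@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
+ return -4; /* At least 1 color must be allocated */
+ }
+
+- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
+- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
++ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
+
+ for (x=0; x < im1->sx; x++) {
+ for( y=0; y<im1->sy; y++ ) {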
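diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch
new file mode 100644
index 00000000000..2eb9369a0ba
--- /dev/null
+++ b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch
@@ -0,0 +1,278 @@
+From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@×××.de>
+Date: Thu, 17 Jan 2019 11:54:55 +0100
+Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
+
+Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
+must not call `gdDPExtractData()`; otherwise a double-free would
+happen. Since `gdImage*Ctx()` are void functions, and we can't change
+that for BC reasons, we're introducing static helpers which are used
+internally.
+
+We're adding a regression test for `gdImageJpegPtr()`, but not for
+`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
+trigger failure of the respective `gdImage*Ctx()` calls.
+
+This potential security issue has been reported by Solmaz Salimi (aka.
+Rooney).
+---
+ src/gd_gif_out.c | 18 +++++++++++++++---
+ src/gd_jpeg.c | 20 ++++++++++++++++----
+ src/gd_wbmp.c | 21 ++++++++++++++++++---
+ tests/jpeg/CMakeLists.txt | 1 +
+ tests/jpeg/Makemodule.am | 3 ++-
+ tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
+ 7 files changed, 84 insertions(+), 11 deletions(-)
+ create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
+
+diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
+index 298a5812..d5a95346 100644
+--- a/src/gd_gif_out.c
++++ b/src/gd_gif_out.c
+@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
+ static void char_out(int c, GifCtx *ctx);
+ static void flush_char(GifCtx *ctx);
+
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
+
+
+
+@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageGifCtx(im, out);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageGifCtx(im, out)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->gd_free(out);
+ return rv;
+ }
+@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
+
+ */
+ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
++{
++ _gdImageGifCtx(im, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ {
+ gdImagePtr pim = 0, tim = im;
+ int interlace, BitsPerPixel;
+@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ based temporary image. */
+ pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
+ if(!pim) {
+- return;
++ return 1;
+ }
+ tim = pim;
+ }
+@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ /* Destroy palette based temporary image. */
+ gdImageDestroy( pim);
+ }
++
++ return 0;
+ }
+
+
+diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
+index fc058420..96ef4302 100644
+--- a/src/gd_jpeg.c
++++ b/src/gd_jpeg.c
+@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
+ exit(99);
+ }
+
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
++
+ /*
+ * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
+ * QUALITY. If QUALITY is in the range 0-100, increasing values
+@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageJpegCtx(im, out, quality);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageJpegCtx(im, out, quality)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->gd_free(out);
+ return rv;
+ }
+@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
+
+ */
+ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
++{
++ _gdImageJpegCtx(im, outfile, quality);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ {
+ struct jpeg_compress_struct cinfo;
+ struct jpeg_error_mgr jerr;
+@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ if(row) {
+ gdFree(row);
+ }
+- return;
++ return 1;
+ }
+
+ cinfo.err->emit_message = jpeg_emit_message;
+@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ if(row == 0) {
+ gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
+ jpeg_destroy_compress(&cinfo);
+- return;
++ return 1;
+ }
+
+ rowptr[0] = row;
+@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ jpeg_finish_compress(&cinfo);
+ jpeg_destroy_compress(&cinfo);
+ gdFree(row);
++ return 0;
+ }
+
+
+diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
+index f19a1c96..a49bdbec 100644
+--- a/src/gd_wbmp.c
++++ b/src/gd_wbmp.c
+@@ -88,6 +88,8 @@ int gd_getin(void *in)
+ return (gdGetC((gdIOCtx *)in));
+ }
+
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
++
+ /*
+ Function: gdImageWBMPCtx
+
+@@ -100,6 +102,12 @@ int gd_getin(void *in)
+ out - the stream where to write
+ */
+ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
++{
++ _gdImageWBMPCtx(image, fg, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ {
+ int x, y, pos;
+ Wbmp *wbmp;
+@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ /* create the WBMP */
+ if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
+ gd_error("Could not create WBMP\n");
+- return;
++ return 1;
+ }
+
+ /* fill up the WBMP structure */
+@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+
+ /* write the WBMP to a gd file descriptor */
+ if(writewbmp(wbmp, &gd_putout, out)) {
++ freewbmp(wbmp);
+ gd_error("Could not save WBMP\n");
++ return 1;
+ }
+
+ /* des submitted this bugfix: gdFree the memory. */
+ freewbmp(wbmp);
++
++ return 0;
+ }
+
+ /*
+@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageWBMPCtx(im, fg, out);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageWBMPCtx(im, fg, out)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->gd_free(out);
+ return rv;
+ }
+diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
+index 19964b0c..a8d8162f 100644
+--- a/tests/jpeg/CMakeLists.txt
++++ b/tests/jpeg/CMakeLists.txt
+@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
+ LIST(APPEND TESTS_FILES
+ jpeg_empty_file
+ jpeg_im2im
++ jpeg_ptr_double_free
+ jpeg_null
+ )
+
+diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
+index 7e5d317b..b89e1695 100644
+--- a/tests/jpeg/Makemodule.am
++++ b/tests/jpeg/Makemodule.am
+@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
+ libgd_test_programs += \
+ jpeg/jpeg_empty_file \
+ jpeg/jpeg_im2im \
+- jpeg/jpeg_null
++ jpeg/jpeg_null \
++ jpeg/jpeg_ptr_double_free
+
+ if HAVE_LIBPNG
+ libgd_test_programs += \
+diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
+new file mode 100644
+index 00000000..df5a510b
+--- /dev/null
++++ b/tests/jpeg/jpeg_ptr_double_free.c
+@@ -0,0 +1,31 @@
++/**
++ * Test that failure to convert to JPEG returns NULL
++ *
++ * We are creating an image, set its width to zero, and pass this image to
++ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
++ *
++ * See also <https://github.com/libgd/libgd/issues/381>
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++ gdImagePtr src, dst;
++ int size;
++
++ src = gdImageCreateTrueColor(1, 10);
++ gdTestAssert(src != NULL);
++
++ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
++
++ dst = gdImageJpegPtr(src, &size, 0);
++ gdTestAssert(dst == NULL);
++
++ gdImageDestroy(src);
++
++ return gdNumFailures();
++}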
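diff --git a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch
new file mode 100644
index 00000000000..891c232115e
--- /dev/null
+++ b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch
@@ -0,0 +1,103 @@
+From 9fa3abd2e61da18ed2b889704e4e252f0f5a95fe Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@g.o>
+Date: Fri, 26 Jan 2018 01:57:52 -0500
+Subject: [PATCH] gif: fix out-of-bounds read w/corrupted lzw data
+
+oss-fuzz pointed out:
+gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int [4096]'
+
+Add some bounds checking on each code that we read from the file.
+---
+ src/gd_gif_in.c | 8 ++++++++
+ tests/gif/CMakeLists.txt | 3 ++-
+ tests/gif/Makemodule.am | 2 ++
+ tests/gif/ossfuzz5700.c | 13 +++++++++++++
+ tests/gif/ossfuzz5700.gif | Bin 0 -> 30 bytes
+ 6 files changed, 26 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gif/ossfuzz5700.c
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index afc08bf7..daf26e79 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -601,6 +601,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i
+ /* Bad compressed data stream */
+ return -1;
+ }
++ if(code >= (1 << MAX_LWZ_BITS)) {
++ /* Corrupted code */
++ return -1;
++ }
+
+ *sd->sp++ = sd->table[1][code];
+
+@@ -610,6 +614,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i
+
+ code = sd->table[0][code];
+ }
++ if(code >= (1 << MAX_LWZ_BITS)) {
++ /* Corrupted code */
++ return -1;
++ }
+
+ *sd->sp++ = sd->firstcode = sd->table[1][code];
+
+diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
+index 7d40cddc..2b73749e 100644
+--- a/tests/gif/CMakeLists.txt
++++ b/tests/gif/CMakeLists.txt
+@@ -3,6 +3,8 @@ LIST(APPEND TESTS_FILES
+ bug00181
+ bug00227
+ gif_null
++ ossfuzz5700
++ uninitialized_memory_read
+ )
+
+ IF(PNG_FOUND)
+@@ -12,7 +14,6 @@ LIST(APPEND TESTS_FILES
+ bug00060
+ bug00066
+ gif_im2im
+- uninitialized_memory_read
+ )
+ ENDIF(PNG_FOUND)
+
+diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am
+index 0bdeab7e..3199438f 100644
+--- a/tests/gif/Makemodule.am
++++ b/tests/gif/Makemodule.am
+@@ -3,6 +3,7 @@ libgd_test_programs += \
+ gif/bug00181 \
+ gif/bug00227 \
+ gif/gif_null \
++ gif/ossfuzz5700 \
+ gif/uninitialized_memory_read
+
+ if HAVE_LIBPNG
+@@ -24,4 +25,5 @@ EXTRA_DIST += \
+ gif/bug00060.gif \
+ gif/bug00066.gif \
+ gif/bug00066_exp.png \
++ gif/ossfuzz5700.gif \
+ gif/unitialized_memory_read.gif
+diff --git a/tests/gif/ossfuzz5700.c b/tests/gif/ossfuzz5700.c
+new file mode 100644
+index 00000000..8fc9f88c
+--- /dev/null
++++ b/tests/gif/ossfuzz5700.c
+@@ -0,0 +1,13 @@
++#include <stdio.h>
++#include "gd.h"
++#include "gdtest.h"
++
++int main()
++{
++ gdImagePtr im;
++ FILE *fp = gdTestFileOpen("gif/ossfuzz5700.gif");
++ im = gdImageCreateFromGif(fp);
++ fclose(fp);
++ gdImageDestroy(im);
++ return 0;
++}
+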
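diff --git a/media-libs/gd/gd-2.2.5-r2.ebuild b/media-libs/gd/gd-2.2.5-r2.ebuild
new file mode 100644
index 00000000000..7686c2013da
--- /dev/null
+++ b/media-libs/gd/gd-2.2.5-r2.ebuild
@@ -0,0 +1,82 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit autotools multilib-minimal
+
+DESCRIPTION="Graphics library for fast image creation"
+HOMEPAGE="https://libgd.org/ https://www.boutell.com/gd/"
+SRC_URI="https://github.com/libgd/libgd/releases/download/${P}/lib${P}.tar.xz
+ test? (
+ https://github.com/libgd/libgd/raw/e0cb1b76c305db68b251fe782faa12da5d357593/tests/gif/ossfuzz5700.gif -> lib$P-ossfuzz5700.dat
+ https://github.com/libgd/libgd/raw/e0cb1b76c305db68b251fe782faa12da5d357593/tests/gif/php_bug_75571.gif -> lib$P-php_bug_75571.dat
+ )"
+
+LICENSE="gd IJG HPND BSD"
+SLOT="2/3"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="fontconfig jpeg png static-libs test tiff truetype webp xpm zlib"
+
+# fontconfig has prefixed font paths, details see bug #518970
+REQUIRED_USE="prefix? ( fontconfig )"
+
+RDEPEND="fontconfig? ( >=media-libs/fontconfig-2.10.92[${MULTILIB_USEDEP}] )
+ jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] )
+ png? ( >=media-libs/libpng-1.6.10:0=[${MULTILIB_USEDEP}] )
+ tiff? ( media-libs/tiff:0[${MULTILIB_USEDEP}] )
+ truetype? ( >=media-libs/freetype-2.5.0.1[${MULTILIB_USEDEP}] )
+ webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] )
+ xpm? ( >=x11-libs/libXpm-3.5.10-r1[${MULTILIB_USEDEP}] >=x11-libs/libXt-1.1.4[${MULTILIB_USEDEP}] )
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+ >=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]"
+
+S="${WORKDIR}/lib${P}"
+
+PATCHES=(
+ "${FILESDIR}/${P}-ossfuzz5700.patch"
+ "${FILESDIR}/${P}-CVE-2018-5711.patch"
+ "${FILESDIR}/${P}-CVE-2018-1000222.patch"
+ "${FILESDIR}/${P}-CVE-2019-6977.patch"
+ "${FILESDIR}/${P}-CVE-2019-6978.patch"
+)
+
+src_unpack() {
+ default
+
+ cp "${DISTDIR}"/lib${P}-ossfuzz5700.dat "${S}"/tests/gif/ossfuzz5700.gif || die
+ cp "${DISTDIR}"/lib${P}-php_bug_75571.dat "${S}"/tests/gif/php_bug_75571.gif || die
+}
+
+src_prepare() {
+ default
+
+ eautoreconf
+}
+
+multilib_src_configure() {
+ # we aren't actually {en,dis}abling X here ... the configure
+ # script uses it just to add explicit -I/-L paths which we
+ # don't care about on Gentoo systems.
+ local myeconfargs=(
+ --disable-werror
+ --without-x
+ --without-liq
+ $(use_enable static-libs static)
+ $(use_with fontconfig)
+ $(use_with png)
+ $(use_with tiff)
+ $(use_with truetype freetype)
+ $(use_with jpeg)
+ $(use_with webp)
+ $(use_with xpm)
+ $(use_with zlib)
+ )
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+multilib_src_install_all() {
+ dodoc README.md
+ find "${D}" -name '*.la' -delete || die
+}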
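Review bot: src_unpack copies the two test fixtures unconditionally, but SRC_URI only fetches them under `test? ( ... )`, so with USE=-test the `cp ... || die` lines fail because the .dat files are not in DISTDIR and the build dies before patching even starts. Guard the copies with `if use test; then` before the first `cp` and `fi` after the second, keeping the `|| die` on each. Separately, PATCHES lists `${FILESDIR}/${P}-CVE-2018-1000222.patch`, which this commit does not add (the diffstat shows only the four patch files above); presumably it already exists in files/ from the previous revision, but that is worth confirming since a missing entry in PATCHES makes src_prepare die.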