| 1 |
commit: 0c46087add86facfccbc875e0064cbc167775249 |
| 2 |
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon Mar 4 00:28:44 2019 +0000 |
| 4 |
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Mar 4 00:28:59 2019 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c46087a |
| 7 |
|
| 8 |
media-libs/gd: rev bump to add some security patches |
| 9 |
|
| 10 |
ossfuzz5700 fix |
| 11 |
CVE-2018-5711 |
| 12 |
CVE-2019-6977 |
| 13 |
CVE-2019-6978 |
| 14 |
|
| 15 |
Package-Manager: Portage-2.3.62, Repoman-2.3.12 |
| 16 |
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> |
| 17 |
|
| 18 |
media-libs/gd/Manifest | 2 + |
| 19 |
media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch | 124 ++++++++++ |
| 20 |
media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch | 28 +++ |
| 21 |
media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch | 278 +++++++++++++++++++++++ |
| 22 |
media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch | 103 +++++++++ |
| 23 |
media-libs/gd/gd-2.2.5-r2.ebuild | 82 +++++++ |
| 24 |
6 files changed, 617 insertions(+) |
| 25 |
|
| 26 |
diff --git a/media-libs/gd/Manifest b/media-libs/gd/Manifest |
| 27 |
index 9957e0f8f60..986a6d40524 100644 |
| 28 |
--- a/media-libs/gd/Manifest |
| 29 |
+++ b/media-libs/gd/Manifest |
| 30 |
@@ -1 +1,3 @@ |
| 31 |
+DIST libgd-2.2.5-ossfuzz5700.dat 30 BLAKE2B 5ddd3d2be2adf05e1e2eb1852cc689be57d4d77c57b471e8b6021877f2fb137d15b4c73445fbb23a9ed585974a96dd154759a48712c1e7b5bdc5750d534aee4a SHA512 2394e92ff7a42c818e13a1ac9ad15bc81aa401adc917366ec8c440bb7f27a63777ab059aa03c501dafef0ac16b462dd23c7fb9f8086ce558203384a98a235fff |
| 32 |
+DIST libgd-2.2.5-php_bug_75571.dat 1731 BLAKE2B 4b5d3f258b73e8089ede1b2c9f538855f410965a9e01e1f3f151ae52f072036172b184bd1a4d07b8355bb974bf088bebb0e812175a277bb67926274272bd80a0 SHA512 b3048640ce7828cca7901fadc989e867cfc6d31b44c0f5a1bda54d7428f317c8c8fc6403fef301e193869a95eb46eb7195d47710ec7f8c507ba049cb6cdcb281 |
| 33 |
DIST libgd-2.2.5.tar.xz 2594092 BLAKE2B 222a7e012fbf9924ac391ee96c7cd3dec96afd78c6d43dfb680b33e7143e7df87fe6be75bbfe8fb93e916302d7daf08271214c84da28712e93a36465566cb2bd SHA512 e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b |
| 34 |
|
| 35 |
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch |
| 36 |
new file mode 100644 |
| 37 |
index 00000000000..6d9de06998a |
| 38 |
--- /dev/null |
| 39 |
+++ b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch |
| 40 |
@@ -0,0 +1,124 @@ |
| 41 |
+From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001 |
| 42 |
+From: "Christoph M. Becker" <cmbecker69@×××.de> |
| 43 |
+Date: Wed, 29 Nov 2017 19:37:38 +0100 |
| 44 |
+Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx |
| 45 |
+ |
| 46 |
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can |
| 47 |
+trigger an infinite loop. Furthermore we make sure that a GIF without |
| 48 |
+any palette entries is treated as invalid *after* open palette entries |
| 49 |
+have been removed. |
| 50 |
+ |
| 51 |
+CVE-2018-5711 |
| 52 |
+ |
| 53 |
+See also https://bugs.php.net/bug.php?id=75571. |
| 54 |
+--- |
| 55 |
+ src/gd_gif_in.c | 12 ++++++------ |
| 56 |
+ tests/gif/CMakeLists.txt | 1 + |
| 57 |
+ tests/gif/Makemodule.am | 2 ++ |
| 58 |
+ tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++ |
| 59 |
+ tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes |
| 60 |
+ 6 files changed, 38 insertions(+), 6 deletions(-) |
| 61 |
+ create mode 100644 tests/gif/php_bug_75571.c |
| 62 |
+ |
| 63 |
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c |
| 64 |
+index daf26e79..0a8bd717 100644 |
| 65 |
+--- a/src/gd_gif_in.c |
| 66 |
++++ b/src/gd_gif_in.c |
| 67 |
+@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) |
| 68 |
+ return 0; |
| 69 |
+ } |
| 70 |
+ |
| 71 |
+- if(!im->colorsTotal) { |
| 72 |
+- gdImageDestroy(im); |
| 73 |
+- return 0; |
| 74 |
+- } |
| 75 |
+- |
| 76 |
+ /* Check for open colors at the end, so |
| 77 |
+ * we can reduce colorsTotal and ultimately |
| 78 |
+ * BitsPerPixel */ |
| 79 |
+@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) |
| 80 |
+ } |
| 81 |
+ } |
| 82 |
+ |
| 83 |
++ if(!im->colorsTotal) { |
| 84 |
++ gdImageDestroy(im); |
| 85 |
++ return 0; |
| 86 |
++ } |
| 87 |
++ |
| 88 |
+ return im; |
| 89 |
+ } |
| 90 |
+ |
| 91 |
+@@ -447,7 +447,7 @@ static int |
| 92 |
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) |
| 93 |
+ { |
| 94 |
+ int i, j, ret; |
| 95 |
+- unsigned char count; |
| 96 |
++ int count; |
| 97 |
+ |
| 98 |
+ if(flag) { |
| 99 |
+ scd->curbit = 0; |
| 100 |
+diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt |
| 101 |
+index 2b73749e..e58e6b09 100644 |
| 102 |
+--- a/tests/gif/CMakeLists.txt |
| 103 |
++++ b/tests/gif/CMakeLists.txt |
| 104 |
+@@ -4,6 +4,7 @@ LIST(APPEND TESTS_FILES |
| 105 |
+ bug00227 |
| 106 |
+ gif_null |
| 107 |
+ ossfuzz5700 |
| 108 |
++ php_bug_75571 |
| 109 |
+ uninitialized_memory_read |
| 110 |
+ ) |
| 111 |
+ |
| 112 |
+diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am |
| 113 |
+index 3199438f..5dbeac53 100644 |
| 114 |
+--- a/tests/gif/Makemodule.am |
| 115 |
++++ b/tests/gif/Makemodule.am |
| 116 |
+@@ -4,6 +4,7 @@ libgd_test_programs += \ |
| 117 |
+ gif/bug00227 \ |
| 118 |
+ gif/gif_null \ |
| 119 |
+ gif/ossfuzz5700 \ |
| 120 |
++ gif/php_bug_75571 \ |
| 121 |
+ gif/uninitialized_memory_read |
| 122 |
+ |
| 123 |
+ if HAVE_LIBPNG |
| 124 |
+@@ -26,4 +27,5 @@ EXTRA_DIST += \ |
| 125 |
+ gif/bug00066.gif \ |
| 126 |
+ gif/bug00066_exp.png \ |
| 127 |
+ gif/ossfuzz5700.gif \ |
| 128 |
++ gif/php_bug_75571.gif \ |
| 129 |
+ gif/unitialized_memory_read.gif |
| 130 |
+diff --git a/tests/gif/php_bug_75571.c b/tests/gif/php_bug_75571.c |
| 131 |
+new file mode 100644 |
| 132 |
+index 00000000..d4fae3ae |
| 133 |
+--- /dev/null |
| 134 |
++++ b/tests/gif/php_bug_75571.c |
| 135 |
+@@ -0,0 +1,28 @@ |
| 136 |
++/** |
| 137 |
++ * Test that GIF reading does not loop infinitely |
| 138 |
++ * |
| 139 |
++ * We are reading a crafted GIF image which has been truncated. This would |
| 140 |
++ * trigger an infinite loop formerly, but know bails out early, returning |
| 141 |
++ * NULL from gdImageCreateFromGif(). |
| 142 |
++ * |
| 143 |
++ * See also https://bugs.php.net/bug.php?id=75571. |
| 144 |
++ */ |
| 145 |
++ |
| 146 |
++ |
| 147 |
++#include "gd.h" |
| 148 |
++#include "gdtest.h" |
| 149 |
++ |
| 150 |
++ |
| 151 |
++int main() |
| 152 |
++{ |
| 153 |
++ gdImagePtr im; |
| 154 |
++ FILE *fp; |
| 155 |
++ |
| 156 |
++ fp = gdTestFileOpen2("gif", "php_bug_75571.gif"); |
| 157 |
++ gdTestAssert(fp != NULL); |
| 158 |
++ im = gdImageCreateFromGif(fp); |
| 159 |
++ gdTestAssert(im == NULL); |
| 160 |
++ fclose(fp); |
| 161 |
++ |
| 162 |
++ return gdNumFailures(); |
| 163 |
++} |
| 164 |
+ |
| 165 |
|
| 166 |
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch |
| 167 |
new file mode 100644 |
| 168 |
index 00000000000..0b67a596c6b |
| 169 |
--- /dev/null |
| 170 |
+++ b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch |
| 171 |
@@ -0,0 +1,28 @@ |
| 172 |
+Description: Heap-based buffer overflow in gdImageColorMatch |
| 173 |
+Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced |
| 174 |
+Bug-PHP: https://bugs.php.net/bug.php?id=77270 |
| 175 |
+Bug-Debian: https://bugs.debian.org/920645 |
| 176 |
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977 |
| 177 |
+Forwarded: no |
| 178 |
+Author: "Christoph M. Becker" <cmbecker69@×××.de> |
| 179 |
+Last-Update: 2019-02-01 |
| 180 |
+ |
| 181 |
+At least some of the image reading functions may return images which |
| 182 |
+use color indexes greater than or equal to im->colorsTotal. We cater |
| 183 |
+to this by always using a buffer size which is sufficient for |
| 184 |
+`gdMaxColors` in `gdImageColorMatch()`. |
| 185 |
+--- |
| 186 |
+ |
| 187 |
+--- a/src/gd_color_match.c |
| 188 |
++++ b/src/gd_color_match.c |
| 189 |
+@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm |
| 190 |
+ return -4; /* At least 1 color must be allocated */ |
| 191 |
+ } |
| 192 |
+ |
| 193 |
+- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); |
| 194 |
+- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); |
| 195 |
++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); |
| 196 |
++ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); |
| 197 |
+ |
| 198 |
+ for (x=0; x < im1->sx; x++) { |
| 199 |
+ for( y=0; y<im1->sy; y++ ) { |
| 200 |
|
| 201 |
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch |
| 202 |
new file mode 100644 |
| 203 |
index 00000000000..2eb9369a0ba |
| 204 |
--- /dev/null |
| 205 |
+++ b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch |
| 206 |
@@ -0,0 +1,278 @@ |
| 207 |
+From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001 |
| 208 |
+From: "Christoph M. Becker" <cmbecker69@×××.de> |
| 209 |
+Date: Thu, 17 Jan 2019 11:54:55 +0100 |
| 210 |
+Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr() |
| 211 |
+ |
| 212 |
+Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we |
| 213 |
+must not call `gdDPExtractData()`; otherwise a double-free would |
| 214 |
+happen. Since `gdImage*Ctx()` are void functions, and we can't change |
| 215 |
+that for BC reasons, we're introducing static helpers which are used |
| 216 |
+internally. |
| 217 |
+ |
| 218 |
+We're adding a regression test for `gdImageJpegPtr()`, but not for |
| 219 |
+`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to |
| 220 |
+trigger failure of the respective `gdImage*Ctx()` calls. |
| 221 |
+ |
| 222 |
+This potential security issue has been reported by Solmaz Salimi (aka. |
| 223 |
+Rooney). |
| 224 |
+--- |
| 225 |
+ src/gd_gif_out.c | 18 +++++++++++++++--- |
| 226 |
+ src/gd_jpeg.c | 20 ++++++++++++++++---- |
| 227 |
+ src/gd_wbmp.c | 21 ++++++++++++++++++--- |
| 228 |
+ tests/jpeg/CMakeLists.txt | 1 + |
| 229 |
+ tests/jpeg/Makemodule.am | 3 ++- |
| 230 |
+ tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++ |
| 231 |
+ 7 files changed, 84 insertions(+), 11 deletions(-) |
| 232 |
+ create mode 100644 tests/jpeg/jpeg_ptr_double_free.c |
| 233 |
+ |
| 234 |
+diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c |
| 235 |
+index 298a5812..d5a95346 100644 |
| 236 |
+--- a/src/gd_gif_out.c |
| 237 |
++++ b/src/gd_gif_out.c |
| 238 |
+@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx); |
| 239 |
+ static void char_out(int c, GifCtx *ctx); |
| 240 |
+ static void flush_char(GifCtx *ctx); |
| 241 |
+ |
| 242 |
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out); |
| 243 |
+ |
| 244 |
+ |
| 245 |
+ |
| 246 |
+@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size) |
| 247 |
+ void *rv; |
| 248 |
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL); |
| 249 |
+ if (out == NULL) return NULL; |
| 250 |
+- gdImageGifCtx(im, out); |
| 251 |
+- rv = gdDPExtractData(out, size); |
| 252 |
++ if (!_gdImageGifCtx(im, out)) { |
| 253 |
++ rv = gdDPExtractData(out, size); |
| 254 |
++ } else { |
| 255 |
++ rv = NULL; |
| 256 |
++ } |
| 257 |
+ out->gd_free(out); |
| 258 |
+ return rv; |
| 259 |
+ } |
| 260 |
+@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile) |
| 261 |
+ |
| 262 |
+ */ |
| 263 |
+ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) |
| 264 |
++{ |
| 265 |
++ _gdImageGifCtx(im, out); |
| 266 |
++} |
| 267 |
++ |
| 268 |
++/* returns 0 on success, 1 on failure */ |
| 269 |
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) |
| 270 |
+ { |
| 271 |
+ gdImagePtr pim = 0, tim = im; |
| 272 |
+ int interlace, BitsPerPixel; |
| 273 |
+@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) |
| 274 |
+ based temporary image. */ |
| 275 |
+ pim = gdImageCreatePaletteFromTrueColor(im, 1, 256); |
| 276 |
+ if(!pim) { |
| 277 |
+- return; |
| 278 |
++ return 1; |
| 279 |
+ } |
| 280 |
+ tim = pim; |
| 281 |
+ } |
| 282 |
+@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) |
| 283 |
+ /* Destroy palette based temporary image. */ |
| 284 |
+ gdImageDestroy( pim); |
| 285 |
+ } |
| 286 |
++ |
| 287 |
++ return 0; |
| 288 |
+ } |
| 289 |
+ |
| 290 |
+ |
| 291 |
+diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c |
| 292 |
+index fc058420..96ef4302 100644 |
| 293 |
+--- a/src/gd_jpeg.c |
| 294 |
++++ b/src/gd_jpeg.c |
| 295 |
+@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo) |
| 296 |
+ exit(99); |
| 297 |
+ } |
| 298 |
+ |
| 299 |
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality); |
| 300 |
++ |
| 301 |
+ /* |
| 302 |
+ * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality |
| 303 |
+ * QUALITY. If QUALITY is in the range 0-100, increasing values |
| 304 |
+@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality) |
| 305 |
+ void *rv; |
| 306 |
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL); |
| 307 |
+ if (out == NULL) return NULL; |
| 308 |
+- gdImageJpegCtx(im, out, quality); |
| 309 |
+- rv = gdDPExtractData(out, size); |
| 310 |
++ if (!_gdImageJpegCtx(im, out, quality)) { |
| 311 |
++ rv = gdDPExtractData(out, size); |
| 312 |
++ } else { |
| 313 |
++ rv = NULL; |
| 314 |
++ } |
| 315 |
+ out->gd_free(out); |
| 316 |
+ return rv; |
| 317 |
+ } |
| 318 |
+@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile); |
| 319 |
+ |
| 320 |
+ */ |
| 321 |
+ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) |
| 322 |
++{ |
| 323 |
++ _gdImageJpegCtx(im, outfile, quality); |
| 324 |
++} |
| 325 |
++ |
| 326 |
++/* returns 0 on success, 1 on failure */ |
| 327 |
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) |
| 328 |
+ { |
| 329 |
+ struct jpeg_compress_struct cinfo; |
| 330 |
+ struct jpeg_error_mgr jerr; |
| 331 |
+@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) |
| 332 |
+ if(row) { |
| 333 |
+ gdFree(row); |
| 334 |
+ } |
| 335 |
+- return; |
| 336 |
++ return 1; |
| 337 |
+ } |
| 338 |
+ |
| 339 |
+ cinfo.err->emit_message = jpeg_emit_message; |
| 340 |
+@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) |
| 341 |
+ if(row == 0) { |
| 342 |
+ gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n"); |
| 343 |
+ jpeg_destroy_compress(&cinfo); |
| 344 |
+- return; |
| 345 |
++ return 1; |
| 346 |
+ } |
| 347 |
+ |
| 348 |
+ rowptr[0] = row; |
| 349 |
+@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) |
| 350 |
+ jpeg_finish_compress(&cinfo); |
| 351 |
+ jpeg_destroy_compress(&cinfo); |
| 352 |
+ gdFree(row); |
| 353 |
++ return 0; |
| 354 |
+ } |
| 355 |
+ |
| 356 |
+ |
| 357 |
+diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c |
| 358 |
+index f19a1c96..a49bdbec 100644 |
| 359 |
+--- a/src/gd_wbmp.c |
| 360 |
++++ b/src/gd_wbmp.c |
| 361 |
+@@ -88,6 +88,8 @@ int gd_getin(void *in) |
| 362 |
+ return (gdGetC((gdIOCtx *)in)); |
| 363 |
+ } |
| 364 |
+ |
| 365 |
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out); |
| 366 |
++ |
| 367 |
+ /* |
| 368 |
+ Function: gdImageWBMPCtx |
| 369 |
+ |
| 370 |
+@@ -100,6 +102,12 @@ int gd_getin(void *in) |
| 371 |
+ out - the stream where to write |
| 372 |
+ */ |
| 373 |
+ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) |
| 374 |
++{ |
| 375 |
++ _gdImageWBMPCtx(image, fg, out); |
| 376 |
++} |
| 377 |
++ |
| 378 |
++/* returns 0 on success, 1 on failure */ |
| 379 |
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) |
| 380 |
+ { |
| 381 |
+ int x, y, pos; |
| 382 |
+ Wbmp *wbmp; |
| 383 |
+@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) |
| 384 |
+ /* create the WBMP */ |
| 385 |
+ if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) { |
| 386 |
+ gd_error("Could not create WBMP\n"); |
| 387 |
+- return; |
| 388 |
++ return 1; |
| 389 |
+ } |
| 390 |
+ |
| 391 |
+ /* fill up the WBMP structure */ |
| 392 |
+@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) |
| 393 |
+ |
| 394 |
+ /* write the WBMP to a gd file descriptor */ |
| 395 |
+ if(writewbmp(wbmp, &gd_putout, out)) { |
| 396 |
++ freewbmp(wbmp); |
| 397 |
+ gd_error("Could not save WBMP\n"); |
| 398 |
++ return 1; |
| 399 |
+ } |
| 400 |
+ |
| 401 |
+ /* des submitted this bugfix: gdFree the memory. */ |
| 402 |
+ freewbmp(wbmp); |
| 403 |
++ |
| 404 |
++ return 0; |
| 405 |
+ } |
| 406 |
+ |
| 407 |
+ /* |
| 408 |
+@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg) |
| 409 |
+ void *rv; |
| 410 |
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL); |
| 411 |
+ if (out == NULL) return NULL; |
| 412 |
+- gdImageWBMPCtx(im, fg, out); |
| 413 |
+- rv = gdDPExtractData(out, size); |
| 414 |
++ if (!_gdImageWBMPCtx(im, fg, out)) { |
| 415 |
++ rv = gdDPExtractData(out, size); |
| 416 |
++ } else { |
| 417 |
++ rv = NULL; |
| 418 |
++ } |
| 419 |
+ out->gd_free(out); |
| 420 |
+ return rv; |
| 421 |
+ } |
| 422 |
+diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt |
| 423 |
+index 19964b0c..a8d8162f 100644 |
| 424 |
+--- a/tests/jpeg/CMakeLists.txt |
| 425 |
++++ b/tests/jpeg/CMakeLists.txt |
| 426 |
+@@ -2,6 +2,7 @@ IF(JPEG_FOUND) |
| 427 |
+ LIST(APPEND TESTS_FILES |
| 428 |
+ jpeg_empty_file |
| 429 |
+ jpeg_im2im |
| 430 |
++ jpeg_ptr_double_free |
| 431 |
+ jpeg_null |
| 432 |
+ ) |
| 433 |
+ |
| 434 |
+diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am |
| 435 |
+index 7e5d317b..b89e1695 100644 |
| 436 |
+--- a/tests/jpeg/Makemodule.am |
| 437 |
++++ b/tests/jpeg/Makemodule.am |
| 438 |
+@@ -2,7 +2,8 @@ if HAVE_LIBJPEG |
| 439 |
+ libgd_test_programs += \ |
| 440 |
+ jpeg/jpeg_empty_file \ |
| 441 |
+ jpeg/jpeg_im2im \ |
| 442 |
+- jpeg/jpeg_null |
| 443 |
++ jpeg/jpeg_null \ |
| 444 |
++ jpeg/jpeg_ptr_double_free |
| 445 |
+ |
| 446 |
+ if HAVE_LIBPNG |
| 447 |
+ libgd_test_programs += \ |
| 448 |
+diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c |
| 449 |
+new file mode 100644 |
| 450 |
+index 00000000..df5a510b |
| 451 |
+--- /dev/null |
| 452 |
++++ b/tests/jpeg/jpeg_ptr_double_free.c |
| 453 |
+@@ -0,0 +1,31 @@ |
| 454 |
++/** |
| 455 |
++ * Test that failure to convert to JPEG returns NULL |
| 456 |
++ * |
| 457 |
++ * We are creating an image, set its width to zero, and pass this image to |
| 458 |
++ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL. |
| 459 |
++ * |
| 460 |
++ * See also <https://github.com/libgd/libgd/issues/381> |
| 461 |
++ */ |
| 462 |
++ |
| 463 |
++ |
| 464 |
++#include "gd.h" |
| 465 |
++#include "gdtest.h" |
| 466 |
++ |
| 467 |
++ |
| 468 |
++int main() |
| 469 |
++{ |
| 470 |
++ gdImagePtr src, dst; |
| 471 |
++ int size; |
| 472 |
++ |
| 473 |
++ src = gdImageCreateTrueColor(1, 10); |
| 474 |
++ gdTestAssert(src != NULL); |
| 475 |
++ |
| 476 |
++ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */ |
| 477 |
++ |
| 478 |
++ dst = gdImageJpegPtr(src, &size, 0); |
| 479 |
++ gdTestAssert(dst == NULL); |
| 480 |
++ |
| 481 |
++ gdImageDestroy(src); |
| 482 |
++ |
| 483 |
++ return gdNumFailures(); |
| 484 |
++} |
| 485 |
|
| 486 |
diff --git a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch |
| 487 |
new file mode 100644 |
| 488 |
index 00000000000..891c232115e |
| 489 |
--- /dev/null |
| 490 |
+++ b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch |
| 491 |
@@ -0,0 +1,103 @@ |
| 492 |
+From 9fa3abd2e61da18ed2b889704e4e252f0f5a95fe Mon Sep 17 00:00:00 2001 |
| 493 |
+From: Mike Frysinger <vapier@g.o> |
| 494 |
+Date: Fri, 26 Jan 2018 01:57:52 -0500 |
| 495 |
+Subject: [PATCH] gif: fix out-of-bounds read w/corrupted lzw data |
| 496 |
+ |
| 497 |
+oss-fuzz pointed out: |
| 498 |
+gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int [4096]' |
| 499 |
+ |
| 500 |
+Add some bounds checking on each code that we read from the file. |
| 501 |
+--- |
| 502 |
+ src/gd_gif_in.c | 8 ++++++++ |
| 503 |
+ tests/gif/CMakeLists.txt | 3 ++- |
| 504 |
+ tests/gif/Makemodule.am | 2 ++ |
| 505 |
+ tests/gif/ossfuzz5700.c | 13 +++++++++++++ |
| 506 |
+ tests/gif/ossfuzz5700.gif | Bin 0 -> 30 bytes |
| 507 |
+ 6 files changed, 26 insertions(+), 1 deletion(-) |
| 508 |
+ create mode 100644 tests/gif/ossfuzz5700.c |
| 509 |
+ |
| 510 |
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c |
| 511 |
+index afc08bf7..daf26e79 100644 |
| 512 |
+--- a/src/gd_gif_in.c |
| 513 |
++++ b/src/gd_gif_in.c |
| 514 |
+@@ -601,6 +601,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i |
| 515 |
+ /* Bad compressed data stream */ |
| 516 |
+ return -1; |
| 517 |
+ } |
| 518 |
++ if(code >= (1 << MAX_LWZ_BITS)) { |
| 519 |
++ /* Corrupted code */ |
| 520 |
++ return -1; |
| 521 |
++ } |
| 522 |
+ |
| 523 |
+ *sd->sp++ = sd->table[1][code]; |
| 524 |
+ |
| 525 |
+@@ -610,6 +614,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i |
| 526 |
+ |
| 527 |
+ code = sd->table[0][code]; |
| 528 |
+ } |
| 529 |
++ if(code >= (1 << MAX_LWZ_BITS)) { |
| 530 |
++ /* Corrupted code */ |
| 531 |
++ return -1; |
| 532 |
++ } |
| 533 |
+ |
| 534 |
+ *sd->sp++ = sd->firstcode = sd->table[1][code]; |
| 535 |
+ |
| 536 |
+diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt |
| 537 |
+index 7d40cddc..2b73749e 100644 |
| 538 |
+--- a/tests/gif/CMakeLists.txt |
| 539 |
++++ b/tests/gif/CMakeLists.txt |
| 540 |
+@@ -3,6 +3,8 @@ LIST(APPEND TESTS_FILES |
| 541 |
+ bug00181 |
| 542 |
+ bug00227 |
| 543 |
+ gif_null |
| 544 |
++ ossfuzz5700 |
| 545 |
++ uninitialized_memory_read |
| 546 |
+ ) |
| 547 |
+ |
| 548 |
+ IF(PNG_FOUND) |
| 549 |
+@@ -12,7 +14,6 @@ LIST(APPEND TESTS_FILES |
| 550 |
+ bug00060 |
| 551 |
+ bug00066 |
| 552 |
+ gif_im2im |
| 553 |
+- uninitialized_memory_read |
| 554 |
+ ) |
| 555 |
+ ENDIF(PNG_FOUND) |
| 556 |
+ |
| 557 |
+diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am |
| 558 |
+index 0bdeab7e..3199438f 100644 |
| 559 |
+--- a/tests/gif/Makemodule.am |
| 560 |
++++ b/tests/gif/Makemodule.am |
| 561 |
+@@ -3,6 +3,7 @@ libgd_test_programs += \ |
| 562 |
+ gif/bug00181 \ |
| 563 |
+ gif/bug00227 \ |
| 564 |
+ gif/gif_null \ |
| 565 |
++ gif/ossfuzz5700 \ |
| 566 |
+ gif/uninitialized_memory_read |
| 567 |
+ |
| 568 |
+ if HAVE_LIBPNG |
| 569 |
+@@ -24,4 +25,5 @@ EXTRA_DIST += \ |
| 570 |
+ gif/bug00060.gif \ |
| 571 |
+ gif/bug00066.gif \ |
| 572 |
+ gif/bug00066_exp.png \ |
| 573 |
++ gif/ossfuzz5700.gif \ |
| 574 |
+ gif/unitialized_memory_read.gif |
| 575 |
+diff --git a/tests/gif/ossfuzz5700.c b/tests/gif/ossfuzz5700.c |
| 576 |
+new file mode 100644 |
| 577 |
+index 00000000..8fc9f88c |
| 578 |
+--- /dev/null |
| 579 |
++++ b/tests/gif/ossfuzz5700.c |
| 580 |
+@@ -0,0 +1,13 @@ |
| 581 |
++#include <stdio.h> |
| 582 |
++#include "gd.h" |
| 583 |
++#include "gdtest.h" |
| 584 |
++ |
| 585 |
++int main() |
| 586 |
++{ |
| 587 |
++ gdImagePtr im; |
| 588 |
++ FILE *fp = gdTestFileOpen("gif/ossfuzz5700.gif"); |
| 589 |
++ im = gdImageCreateFromGif(fp); |
| 590 |
++ fclose(fp); |
| 591 |
++ gdImageDestroy(im); |
| 592 |
++ return 0; |
| 593 |
++} |
| 594 |
+ |
| 595 |
|
| 596 |
diff --git a/media-libs/gd/gd-2.2.5-r2.ebuild b/media-libs/gd/gd-2.2.5-r2.ebuild |
| 597 |
new file mode 100644 |
| 598 |
index 00000000000..7686c2013da |
| 599 |
--- /dev/null |
| 600 |
+++ b/media-libs/gd/gd-2.2.5-r2.ebuild |
| 601 |
@@ -0,0 +1,82 @@ |
| 602 |
+# Copyright 1999-2019 Gentoo Authors |
| 603 |
+# Distributed under the terms of the GNU General Public License v2 |
| 604 |
+ |
| 605 |
+EAPI="7" |
| 606 |
+ |
| 607 |
+inherit autotools multilib-minimal |
| 608 |
+ |
| 609 |
+DESCRIPTION="Graphics library for fast image creation" |
| 610 |
+HOMEPAGE="https://libgd.org/ https://www.boutell.com/gd/" |
| 611 |
+SRC_URI="https://github.com/libgd/libgd/releases/download/${P}/lib${P}.tar.xz |
| 612 |
+ test? ( |
| 613 |
+ https://github.com/libgd/libgd/raw/e0cb1b76c305db68b251fe782faa12da5d357593/tests/gif/ossfuzz5700.gif -> lib$P-ossfuzz5700.dat |
| 614 |
+ https://github.com/libgd/libgd/raw/e0cb1b76c305db68b251fe782faa12da5d357593/tests/gif/php_bug_75571.gif -> lib$P-php_bug_75571.dat |
| 615 |
+ )" |
| 616 |
+ |
| 617 |
+LICENSE="gd IJG HPND BSD" |
| 618 |
+SLOT="2/3" |
| 619 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris" |
| 620 |
+IUSE="fontconfig jpeg png static-libs test tiff truetype webp xpm zlib" |
| 621 |
+ |
| 622 |
+# fontconfig has prefixed font paths, details see bug #518970 |
| 623 |
+REQUIRED_USE="prefix? ( fontconfig )" |
| 624 |
+ |
| 625 |
+RDEPEND="fontconfig? ( >=media-libs/fontconfig-2.10.92[${MULTILIB_USEDEP}] ) |
| 626 |
+ jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] ) |
| 627 |
+ png? ( >=media-libs/libpng-1.6.10:0=[${MULTILIB_USEDEP}] ) |
| 628 |
+ tiff? ( media-libs/tiff:0[${MULTILIB_USEDEP}] ) |
| 629 |
+ truetype? ( >=media-libs/freetype-2.5.0.1[${MULTILIB_USEDEP}] ) |
| 630 |
+ webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] ) |
| 631 |
+ xpm? ( >=x11-libs/libXpm-3.5.10-r1[${MULTILIB_USEDEP}] >=x11-libs/libXt-1.1.4[${MULTILIB_USEDEP}] ) |
| 632 |
+ zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )" |
| 633 |
+DEPEND="${RDEPEND} |
| 634 |
+ >=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]" |
| 635 |
+ |
| 636 |
+S="${WORKDIR}/lib${P}" |
| 637 |
+ |
| 638 |
+PATCHES=( |
| 639 |
+ "${FILESDIR}/${P}-ossfuzz5700.patch" |
| 640 |
+ "${FILESDIR}/${P}-CVE-2018-5711.patch" |
| 641 |
+ "${FILESDIR}/${P}-CVE-2018-1000222.patch" |
| 642 |
+ "${FILESDIR}/${P}-CVE-2019-6977.patch" |
| 643 |
+ "${FILESDIR}/${P}-CVE-2019-6978.patch" |
| 644 |
+) |
| 645 |
+ |
| 646 |
+src_unpack() { |
| 647 |
+ default |
| 648 |
+ |
| 649 |
+ cp "${DISTDIR}"/lib${P}-ossfuzz5700.dat "${S}"/tests/gif/ossfuzz5700.gif || die |
| 650 |
+ cp "${DISTDIR}"/lib${P}-php_bug_75571.dat "${S}"/tests/gif/php_bug_75571.gif || die |
| 651 |
+} |
| 652 |
+ |
| 653 |
+src_prepare() { |
| 654 |
+ default |
| 655 |
+ |
| 656 |
+ eautoreconf |
| 657 |
+} |
| 658 |
+ |
| 659 |
+multilib_src_configure() { |
| 660 |
+ # we aren't actually {en,dis}abling X here ... the configure |
| 661 |
+ # script uses it just to add explicit -I/-L paths which we |
| 662 |
+ # don't care about on Gentoo systems. |
| 663 |
+ local myeconfargs=( |
| 664 |
+ --disable-werror |
| 665 |
+ --without-x |
| 666 |
+ --without-liq |
| 667 |
+ $(use_enable static-libs static) |
| 668 |
+ $(use_with fontconfig) |
| 669 |
+ $(use_with png) |
| 670 |
+ $(use_with tiff) |
| 671 |
+ $(use_with truetype freetype) |
| 672 |
+ $(use_with jpeg) |
| 673 |
+ $(use_with webp) |
| 674 |
+ $(use_with xpm) |
| 675 |
+ $(use_with zlib) |
| 676 |
+ ) |
| 677 |
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" |
| 678 |
+} |
| 679 |
+ |
| 680 |
+multilib_src_install_all() { |
| 681 |
+ dodoc README.md |
| 682 |
+ find "${D}" -name '*.la' -delete || die |
| 683 |
+} |
Archives
