| 1 |
commit: 6f62811e7f813c38a3e576f1ceee8f27a5f5da6a |
| 2 |
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Fri Jun 26 06:50:51 2020 +0000 |
| 4 |
Commit: Aaron Bauman <bman <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Jun 27 20:49:26 2020 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f62811e |
| 7 |
|
| 8 |
media-libs/gd: remove unused patches |
| 9 |
|
| 10 |
Package-Manager: Portage-2.3.101, Repoman-2.3.22 |
| 11 |
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com> |
| 12 |
Closes: https://github.com/gentoo/gentoo/pull/16425 |
| 13 |
Signed-off-by: Aaron Bauman <bman <AT> gentoo.org> |
| 14 |
|
| 15 |
.../gd/files/gd-2.2.5-CVE-2018-1000222.patch | 73 ------ |
| 16 |
media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch | 124 --------- |
| 17 |
media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch | 28 --- |
| 18 |
media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch | 278 --------------------- |
| 19 |
media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch | 103 -------- |
| 20 |
5 files changed, 606 deletions(-) |
| 21 |
|
| 22 |
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-1000222.patch b/media-libs/gd/files/gd-2.2.5-CVE-2018-1000222.patch |
| 23 |
deleted file mode 100644 |
| 24 |
index 80f9712bf8e..00000000000 |
| 25 |
--- a/media-libs/gd/files/gd-2.2.5-CVE-2018-1000222.patch |
| 26 |
+++ /dev/null |
| 27 |
@@ -1,73 +0,0 @@ |
| 28 |
-From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001 |
| 29 |
-From: Mike Frysinger <vapier@g.o> |
| 30 |
-Date: Sat, 14 Jul 2018 13:54:08 -0400 |
| 31 |
-Subject: [PATCH] bmp: check return value in gdImageBmpPtr |
| 32 |
- |
| 33 |
-Closes #447. |
| 34 |
---- |
| 35 |
- src/gd_bmp.c | 17 ++++++++++++++--- |
| 36 |
- 1 file changed, 14 insertions(+), 3 deletions(-) |
| 37 |
- |
| 38 |
-diff --git a/src/gd_bmp.c b/src/gd_bmp.c |
| 39 |
-index bde0b9d3..78f40d9a 100644 |
| 40 |
---- a/src/gd_bmp.c |
| 41 |
-+++ b/src/gd_bmp.c |
| 42 |
-@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp |
| 43 |
- static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header); |
| 44 |
- static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info); |
| 45 |
- |
| 46 |
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression); |
| 47 |
-+ |
| 48 |
- #define BMP_DEBUG(s) |
| 49 |
- |
| 50 |
- static int gdBMPPutWord(gdIOCtx *out, int w) |
| 51 |
-@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression) |
| 52 |
- void *rv; |
| 53 |
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL); |
| 54 |
- if (out == NULL) return NULL; |
| 55 |
-- gdImageBmpCtx(im, out, compression); |
| 56 |
-- rv = gdDPExtractData(out, size); |
| 57 |
-+ if (!_gdImageBmpCtx(im, out, compression)) |
| 58 |
-+ rv = gdDPExtractData(out, size); |
| 59 |
-+ else |
| 60 |
-+ rv = NULL; |
| 61 |
- out->gd_free(out); |
| 62 |
- return rv; |
| 63 |
- } |
| 64 |
-@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression) |
| 65 |
- compression - whether to apply RLE or not. |
| 66 |
- */ |
| 67 |
- BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) |
| 68 |
-+{ |
| 69 |
-+ _gdImageBmpCtx(im, out, compression); |
| 70 |
-+} |
| 71 |
-+ |
| 72 |
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) |
| 73 |
- { |
| 74 |
- int bitmap_size = 0, info_size, total_size, padding; |
| 75 |
- int i, row, xpos, pixel; |
| 76 |
-@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) |
| 77 |
- unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL; |
| 78 |
- FILE *tmpfile_for_compression = NULL; |
| 79 |
- gdIOCtxPtr out_original = NULL; |
| 80 |
-+ int ret = 1; |
| 81 |
- |
| 82 |
- /* No compression if its true colour or we don't support seek */ |
| 83 |
- if (im->trueColor) { |
| 84 |
-@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) |
| 85 |
- out_original = NULL; |
| 86 |
- } |
| 87 |
- |
| 88 |
-+ ret = 0; |
| 89 |
- cleanup: |
| 90 |
- if (tmpfile_for_compression) { |
| 91 |
- #ifdef _WIN32 |
| 92 |
-@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) |
| 93 |
- if (out_original) { |
| 94 |
- out_original->gd_free(out_original); |
| 95 |
- } |
| 96 |
-- return; |
| 97 |
-+ return ret; |
| 98 |
- } |
| 99 |
- |
| 100 |
- static int compress_row(unsigned char *row, int length) |
| 101 |
|
| 102 |
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch |
| 103 |
deleted file mode 100644 |
| 104 |
index 6d9de06998a..00000000000 |
| 105 |
--- a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch |
| 106 |
+++ /dev/null |
| 107 |
@@ -1,124 +0,0 @@ |
| 108 |
-From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001 |
| 109 |
-From: "Christoph M. Becker" <cmbecker69@×××.de> |
| 110 |
-Date: Wed, 29 Nov 2017 19:37:38 +0100 |
| 111 |
-Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx |
| 112 |
- |
| 113 |
-Due to a signedness confusion in `GetCode_` a corrupt GIF file can |
| 114 |
-trigger an infinite loop. Furthermore we make sure that a GIF without |
| 115 |
-any palette entries is treated as invalid *after* open palette entries |
| 116 |
-have been removed. |
| 117 |
- |
| 118 |
-CVE-2018-5711 |
| 119 |
- |
| 120 |
-See also https://bugs.php.net/bug.php?id=75571. |
| 121 |
---- |
| 122 |
- src/gd_gif_in.c | 12 ++++++------ |
| 123 |
- tests/gif/CMakeLists.txt | 1 + |
| 124 |
- tests/gif/Makemodule.am | 2 ++ |
| 125 |
- tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++ |
| 126 |
- tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes |
| 127 |
- 6 files changed, 38 insertions(+), 6 deletions(-) |
| 128 |
- create mode 100644 tests/gif/php_bug_75571.c |
| 129 |
- |
| 130 |
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c |
| 131 |
-index daf26e79..0a8bd717 100644 |
| 132 |
---- a/src/gd_gif_in.c |
| 133 |
-+++ b/src/gd_gif_in.c |
| 134 |
-@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) |
| 135 |
- return 0; |
| 136 |
- } |
| 137 |
- |
| 138 |
-- if(!im->colorsTotal) { |
| 139 |
-- gdImageDestroy(im); |
| 140 |
-- return 0; |
| 141 |
-- } |
| 142 |
-- |
| 143 |
- /* Check for open colors at the end, so |
| 144 |
- * we can reduce colorsTotal and ultimately |
| 145 |
- * BitsPerPixel */ |
| 146 |
-@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) |
| 147 |
- } |
| 148 |
- } |
| 149 |
- |
| 150 |
-+ if(!im->colorsTotal) { |
| 151 |
-+ gdImageDestroy(im); |
| 152 |
-+ return 0; |
| 153 |
-+ } |
| 154 |
-+ |
| 155 |
- return im; |
| 156 |
- } |
| 157 |
- |
| 158 |
-@@ -447,7 +447,7 @@ static int |
| 159 |
- GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) |
| 160 |
- { |
| 161 |
- int i, j, ret; |
| 162 |
-- unsigned char count; |
| 163 |
-+ int count; |
| 164 |
- |
| 165 |
- if(flag) { |
| 166 |
- scd->curbit = 0; |
| 167 |
-diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt |
| 168 |
-index 2b73749e..e58e6b09 100644 |
| 169 |
---- a/tests/gif/CMakeLists.txt |
| 170 |
-+++ b/tests/gif/CMakeLists.txt |
| 171 |
-@@ -4,6 +4,7 @@ LIST(APPEND TESTS_FILES |
| 172 |
- bug00227 |
| 173 |
- gif_null |
| 174 |
- ossfuzz5700 |
| 175 |
-+ php_bug_75571 |
| 176 |
- uninitialized_memory_read |
| 177 |
- ) |
| 178 |
- |
| 179 |
-diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am |
| 180 |
-index 3199438f..5dbeac53 100644 |
| 181 |
---- a/tests/gif/Makemodule.am |
| 182 |
-+++ b/tests/gif/Makemodule.am |
| 183 |
-@@ -4,6 +4,7 @@ libgd_test_programs += \ |
| 184 |
- gif/bug00227 \ |
| 185 |
- gif/gif_null \ |
| 186 |
- gif/ossfuzz5700 \ |
| 187 |
-+ gif/php_bug_75571 \ |
| 188 |
- gif/uninitialized_memory_read |
| 189 |
- |
| 190 |
- if HAVE_LIBPNG |
| 191 |
-@@ -26,4 +27,5 @@ EXTRA_DIST += \ |
| 192 |
- gif/bug00066.gif \ |
| 193 |
- gif/bug00066_exp.png \ |
| 194 |
- gif/ossfuzz5700.gif \ |
| 195 |
-+ gif/php_bug_75571.gif \ |
| 196 |
- gif/unitialized_memory_read.gif |
| 197 |
-diff --git a/tests/gif/php_bug_75571.c b/tests/gif/php_bug_75571.c |
| 198 |
-new file mode 100644 |
| 199 |
-index 00000000..d4fae3ae |
| 200 |
---- /dev/null |
| 201 |
-+++ b/tests/gif/php_bug_75571.c |
| 202 |
-@@ -0,0 +1,28 @@ |
| 203 |
-+/** |
| 204 |
-+ * Test that GIF reading does not loop infinitely |
| 205 |
-+ * |
| 206 |
-+ * We are reading a crafted GIF image which has been truncated. This would |
| 207 |
-+ * trigger an infinite loop formerly, but know bails out early, returning |
| 208 |
-+ * NULL from gdImageCreateFromGif(). |
| 209 |
-+ * |
| 210 |
-+ * See also https://bugs.php.net/bug.php?id=75571. |
| 211 |
-+ */ |
| 212 |
-+ |
| 213 |
-+ |
| 214 |
-+#include "gd.h" |
| 215 |
-+#include "gdtest.h" |
| 216 |
-+ |
| 217 |
-+ |
| 218 |
-+int main() |
| 219 |
-+{ |
| 220 |
-+ gdImagePtr im; |
| 221 |
-+ FILE *fp; |
| 222 |
-+ |
| 223 |
-+ fp = gdTestFileOpen2("gif", "php_bug_75571.gif"); |
| 224 |
-+ gdTestAssert(fp != NULL); |
| 225 |
-+ im = gdImageCreateFromGif(fp); |
| 226 |
-+ gdTestAssert(im == NULL); |
| 227 |
-+ fclose(fp); |
| 228 |
-+ |
| 229 |
-+ return gdNumFailures(); |
| 230 |
-+} |
| 231 |
- |
| 232 |
|
| 233 |
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch |
| 234 |
deleted file mode 100644 |
| 235 |
index 0b67a596c6b..00000000000 |
| 236 |
--- a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch |
| 237 |
+++ /dev/null |
| 238 |
@@ -1,28 +0,0 @@ |
| 239 |
-Description: Heap-based buffer overflow in gdImageColorMatch |
| 240 |
-Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced |
| 241 |
-Bug-PHP: https://bugs.php.net/bug.php?id=77270 |
| 242 |
-Bug-Debian: https://bugs.debian.org/920645 |
| 243 |
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977 |
| 244 |
-Forwarded: no |
| 245 |
-Author: "Christoph M. Becker" <cmbecker69@×××.de> |
| 246 |
-Last-Update: 2019-02-01 |
| 247 |
- |
| 248 |
-At least some of the image reading functions may return images which |
| 249 |
-use color indexes greater than or equal to im->colorsTotal. We cater |
| 250 |
-to this by always using a buffer size which is sufficient for |
| 251 |
-`gdMaxColors` in `gdImageColorMatch()`. |
| 252 |
---- |
| 253 |
- |
| 254 |
---- a/src/gd_color_match.c |
| 255 |
-+++ b/src/gd_color_match.c |
| 256 |
-@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm |
| 257 |
- return -4; /* At least 1 color must be allocated */ |
| 258 |
- } |
| 259 |
- |
| 260 |
-- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); |
| 261 |
-- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); |
| 262 |
-+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); |
| 263 |
-+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); |
| 264 |
- |
| 265 |
- for (x=0; x < im1->sx; x++) { |
| 266 |
- for( y=0; y<im1->sy; y++ ) { |
| 267 |
|
| 268 |
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch |
| 269 |
deleted file mode 100644 |
| 270 |
index 2eb9369a0ba..00000000000 |
| 271 |
--- a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch |
| 272 |
+++ /dev/null |
| 273 |
@@ -1,278 +0,0 @@ |
| 274 |
-From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001 |
| 275 |
-From: "Christoph M. Becker" <cmbecker69@×××.de> |
| 276 |
-Date: Thu, 17 Jan 2019 11:54:55 +0100 |
| 277 |
-Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr() |
| 278 |
- |
| 279 |
-Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we |
| 280 |
-must not call `gdDPExtractData()`; otherwise a double-free would |
| 281 |
-happen. Since `gdImage*Ctx()` are void functions, and we can't change |
| 282 |
-that for BC reasons, we're introducing static helpers which are used |
| 283 |
-internally. |
| 284 |
- |
| 285 |
-We're adding a regression test for `gdImageJpegPtr()`, but not for |
| 286 |
-`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to |
| 287 |
-trigger failure of the respective `gdImage*Ctx()` calls. |
| 288 |
- |
| 289 |
-This potential security issue has been reported by Solmaz Salimi (aka. |
| 290 |
-Rooney). |
| 291 |
---- |
| 292 |
- src/gd_gif_out.c | 18 +++++++++++++++--- |
| 293 |
- src/gd_jpeg.c | 20 ++++++++++++++++---- |
| 294 |
- src/gd_wbmp.c | 21 ++++++++++++++++++--- |
| 295 |
- tests/jpeg/CMakeLists.txt | 1 + |
| 296 |
- tests/jpeg/Makemodule.am | 3 ++- |
| 297 |
- tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++ |
| 298 |
- 7 files changed, 84 insertions(+), 11 deletions(-) |
| 299 |
- create mode 100644 tests/jpeg/jpeg_ptr_double_free.c |
| 300 |
- |
| 301 |
-diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c |
| 302 |
-index 298a5812..d5a95346 100644 |
| 303 |
---- a/src/gd_gif_out.c |
| 304 |
-+++ b/src/gd_gif_out.c |
| 305 |
-@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx); |
| 306 |
- static void char_out(int c, GifCtx *ctx); |
| 307 |
- static void flush_char(GifCtx *ctx); |
| 308 |
- |
| 309 |
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out); |
| 310 |
- |
| 311 |
- |
| 312 |
- |
| 313 |
-@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size) |
| 314 |
- void *rv; |
| 315 |
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL); |
| 316 |
- if (out == NULL) return NULL; |
| 317 |
-- gdImageGifCtx(im, out); |
| 318 |
-- rv = gdDPExtractData(out, size); |
| 319 |
-+ if (!_gdImageGifCtx(im, out)) { |
| 320 |
-+ rv = gdDPExtractData(out, size); |
| 321 |
-+ } else { |
| 322 |
-+ rv = NULL; |
| 323 |
-+ } |
| 324 |
- out->gd_free(out); |
| 325 |
- return rv; |
| 326 |
- } |
| 327 |
-@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile) |
| 328 |
- |
| 329 |
- */ |
| 330 |
- BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) |
| 331 |
-+{ |
| 332 |
-+ _gdImageGifCtx(im, out); |
| 333 |
-+} |
| 334 |
-+ |
| 335 |
-+/* returns 0 on success, 1 on failure */ |
| 336 |
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) |
| 337 |
- { |
| 338 |
- gdImagePtr pim = 0, tim = im; |
| 339 |
- int interlace, BitsPerPixel; |
| 340 |
-@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) |
| 341 |
- based temporary image. */ |
| 342 |
- pim = gdImageCreatePaletteFromTrueColor(im, 1, 256); |
| 343 |
- if(!pim) { |
| 344 |
-- return; |
| 345 |
-+ return 1; |
| 346 |
- } |
| 347 |
- tim = pim; |
| 348 |
- } |
| 349 |
-@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) |
| 350 |
- /* Destroy palette based temporary image. */ |
| 351 |
- gdImageDestroy( pim); |
| 352 |
- } |
| 353 |
-+ |
| 354 |
-+ return 0; |
| 355 |
- } |
| 356 |
- |
| 357 |
- |
| 358 |
-diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c |
| 359 |
-index fc058420..96ef4302 100644 |
| 360 |
---- a/src/gd_jpeg.c |
| 361 |
-+++ b/src/gd_jpeg.c |
| 362 |
-@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo) |
| 363 |
- exit(99); |
| 364 |
- } |
| 365 |
- |
| 366 |
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality); |
| 367 |
-+ |
| 368 |
- /* |
| 369 |
- * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality |
| 370 |
- * QUALITY. If QUALITY is in the range 0-100, increasing values |
| 371 |
-@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality) |
| 372 |
- void *rv; |
| 373 |
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL); |
| 374 |
- if (out == NULL) return NULL; |
| 375 |
-- gdImageJpegCtx(im, out, quality); |
| 376 |
-- rv = gdDPExtractData(out, size); |
| 377 |
-+ if (!_gdImageJpegCtx(im, out, quality)) { |
| 378 |
-+ rv = gdDPExtractData(out, size); |
| 379 |
-+ } else { |
| 380 |
-+ rv = NULL; |
| 381 |
-+ } |
| 382 |
- out->gd_free(out); |
| 383 |
- return rv; |
| 384 |
- } |
| 385 |
-@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile); |
| 386 |
- |
| 387 |
- */ |
| 388 |
- BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) |
| 389 |
-+{ |
| 390 |
-+ _gdImageJpegCtx(im, outfile, quality); |
| 391 |
-+} |
| 392 |
-+ |
| 393 |
-+/* returns 0 on success, 1 on failure */ |
| 394 |
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) |
| 395 |
- { |
| 396 |
- struct jpeg_compress_struct cinfo; |
| 397 |
- struct jpeg_error_mgr jerr; |
| 398 |
-@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) |
| 399 |
- if(row) { |
| 400 |
- gdFree(row); |
| 401 |
- } |
| 402 |
-- return; |
| 403 |
-+ return 1; |
| 404 |
- } |
| 405 |
- |
| 406 |
- cinfo.err->emit_message = jpeg_emit_message; |
| 407 |
-@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) |
| 408 |
- if(row == 0) { |
| 409 |
- gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n"); |
| 410 |
- jpeg_destroy_compress(&cinfo); |
| 411 |
-- return; |
| 412 |
-+ return 1; |
| 413 |
- } |
| 414 |
- |
| 415 |
- rowptr[0] = row; |
| 416 |
-@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) |
| 417 |
- jpeg_finish_compress(&cinfo); |
| 418 |
- jpeg_destroy_compress(&cinfo); |
| 419 |
- gdFree(row); |
| 420 |
-+ return 0; |
| 421 |
- } |
| 422 |
- |
| 423 |
- |
| 424 |
-diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c |
| 425 |
-index f19a1c96..a49bdbec 100644 |
| 426 |
---- a/src/gd_wbmp.c |
| 427 |
-+++ b/src/gd_wbmp.c |
| 428 |
-@@ -88,6 +88,8 @@ int gd_getin(void *in) |
| 429 |
- return (gdGetC((gdIOCtx *)in)); |
| 430 |
- } |
| 431 |
- |
| 432 |
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out); |
| 433 |
-+ |
| 434 |
- /* |
| 435 |
- Function: gdImageWBMPCtx |
| 436 |
- |
| 437 |
-@@ -100,6 +102,12 @@ int gd_getin(void *in) |
| 438 |
- out - the stream where to write |
| 439 |
- */ |
| 440 |
- BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) |
| 441 |
-+{ |
| 442 |
-+ _gdImageWBMPCtx(image, fg, out); |
| 443 |
-+} |
| 444 |
-+ |
| 445 |
-+/* returns 0 on success, 1 on failure */ |
| 446 |
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) |
| 447 |
- { |
| 448 |
- int x, y, pos; |
| 449 |
- Wbmp *wbmp; |
| 450 |
-@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) |
| 451 |
- /* create the WBMP */ |
| 452 |
- if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) { |
| 453 |
- gd_error("Could not create WBMP\n"); |
| 454 |
-- return; |
| 455 |
-+ return 1; |
| 456 |
- } |
| 457 |
- |
| 458 |
- /* fill up the WBMP structure */ |
| 459 |
-@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) |
| 460 |
- |
| 461 |
- /* write the WBMP to a gd file descriptor */ |
| 462 |
- if(writewbmp(wbmp, &gd_putout, out)) { |
| 463 |
-+ freewbmp(wbmp); |
| 464 |
- gd_error("Could not save WBMP\n"); |
| 465 |
-+ return 1; |
| 466 |
- } |
| 467 |
- |
| 468 |
- /* des submitted this bugfix: gdFree the memory. */ |
| 469 |
- freewbmp(wbmp); |
| 470 |
-+ |
| 471 |
-+ return 0; |
| 472 |
- } |
| 473 |
- |
| 474 |
- /* |
| 475 |
-@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg) |
| 476 |
- void *rv; |
| 477 |
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL); |
| 478 |
- if (out == NULL) return NULL; |
| 479 |
-- gdImageWBMPCtx(im, fg, out); |
| 480 |
-- rv = gdDPExtractData(out, size); |
| 481 |
-+ if (!_gdImageWBMPCtx(im, fg, out)) { |
| 482 |
-+ rv = gdDPExtractData(out, size); |
| 483 |
-+ } else { |
| 484 |
-+ rv = NULL; |
| 485 |
-+ } |
| 486 |
- out->gd_free(out); |
| 487 |
- return rv; |
| 488 |
- } |
| 489 |
-diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt |
| 490 |
-index 19964b0c..a8d8162f 100644 |
| 491 |
---- a/tests/jpeg/CMakeLists.txt |
| 492 |
-+++ b/tests/jpeg/CMakeLists.txt |
| 493 |
-@@ -2,6 +2,7 @@ IF(JPEG_FOUND) |
| 494 |
- LIST(APPEND TESTS_FILES |
| 495 |
- jpeg_empty_file |
| 496 |
- jpeg_im2im |
| 497 |
-+ jpeg_ptr_double_free |
| 498 |
- jpeg_null |
| 499 |
- ) |
| 500 |
- |
| 501 |
-diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am |
| 502 |
-index 7e5d317b..b89e1695 100644 |
| 503 |
---- a/tests/jpeg/Makemodule.am |
| 504 |
-+++ b/tests/jpeg/Makemodule.am |
| 505 |
-@@ -2,7 +2,8 @@ if HAVE_LIBJPEG |
| 506 |
- libgd_test_programs += \ |
| 507 |
- jpeg/jpeg_empty_file \ |
| 508 |
- jpeg/jpeg_im2im \ |
| 509 |
-- jpeg/jpeg_null |
| 510 |
-+ jpeg/jpeg_null \ |
| 511 |
-+ jpeg/jpeg_ptr_double_free |
| 512 |
- |
| 513 |
- if HAVE_LIBPNG |
| 514 |
- libgd_test_programs += \ |
| 515 |
-diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c |
| 516 |
-new file mode 100644 |
| 517 |
-index 00000000..df5a510b |
| 518 |
---- /dev/null |
| 519 |
-+++ b/tests/jpeg/jpeg_ptr_double_free.c |
| 520 |
-@@ -0,0 +1,31 @@ |
| 521 |
-+/** |
| 522 |
-+ * Test that failure to convert to JPEG returns NULL |
| 523 |
-+ * |
| 524 |
-+ * We are creating an image, set its width to zero, and pass this image to |
| 525 |
-+ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL. |
| 526 |
-+ * |
| 527 |
-+ * See also <https://github.com/libgd/libgd/issues/381> |
| 528 |
-+ */ |
| 529 |
-+ |
| 530 |
-+ |
| 531 |
-+#include "gd.h" |
| 532 |
-+#include "gdtest.h" |
| 533 |
-+ |
| 534 |
-+ |
| 535 |
-+int main() |
| 536 |
-+{ |
| 537 |
-+ gdImagePtr src, dst; |
| 538 |
-+ int size; |
| 539 |
-+ |
| 540 |
-+ src = gdImageCreateTrueColor(1, 10); |
| 541 |
-+ gdTestAssert(src != NULL); |
| 542 |
-+ |
| 543 |
-+ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */ |
| 544 |
-+ |
| 545 |
-+ dst = gdImageJpegPtr(src, &size, 0); |
| 546 |
-+ gdTestAssert(dst == NULL); |
| 547 |
-+ |
| 548 |
-+ gdImageDestroy(src); |
| 549 |
-+ |
| 550 |
-+ return gdNumFailures(); |
| 551 |
-+} |
| 552 |
|
| 553 |
diff --git a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch |
| 554 |
deleted file mode 100644 |
| 555 |
index 891c232115e..00000000000 |
| 556 |
--- a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch |
| 557 |
+++ /dev/null |
| 558 |
@@ -1,103 +0,0 @@ |
| 559 |
-From 9fa3abd2e61da18ed2b889704e4e252f0f5a95fe Mon Sep 17 00:00:00 2001 |
| 560 |
-From: Mike Frysinger <vapier@g.o> |
| 561 |
-Date: Fri, 26 Jan 2018 01:57:52 -0500 |
| 562 |
-Subject: [PATCH] gif: fix out-of-bounds read w/corrupted lzw data |
| 563 |
- |
| 564 |
-oss-fuzz pointed out: |
| 565 |
-gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int [4096]' |
| 566 |
- |
| 567 |
-Add some bounds checking on each code that we read from the file. |
| 568 |
---- |
| 569 |
- src/gd_gif_in.c | 8 ++++++++ |
| 570 |
- tests/gif/CMakeLists.txt | 3 ++- |
| 571 |
- tests/gif/Makemodule.am | 2 ++ |
| 572 |
- tests/gif/ossfuzz5700.c | 13 +++++++++++++ |
| 573 |
- tests/gif/ossfuzz5700.gif | Bin 0 -> 30 bytes |
| 574 |
- 6 files changed, 26 insertions(+), 1 deletion(-) |
| 575 |
- create mode 100644 tests/gif/ossfuzz5700.c |
| 576 |
- |
| 577 |
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c |
| 578 |
-index afc08bf7..daf26e79 100644 |
| 579 |
---- a/src/gd_gif_in.c |
| 580 |
-+++ b/src/gd_gif_in.c |
| 581 |
-@@ -601,6 +601,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i |
| 582 |
- /* Bad compressed data stream */ |
| 583 |
- return -1; |
| 584 |
- } |
| 585 |
-+ if(code >= (1 << MAX_LWZ_BITS)) { |
| 586 |
-+ /* Corrupted code */ |
| 587 |
-+ return -1; |
| 588 |
-+ } |
| 589 |
- |
| 590 |
- *sd->sp++ = sd->table[1][code]; |
| 591 |
- |
| 592 |
-@@ -610,6 +614,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i |
| 593 |
- |
| 594 |
- code = sd->table[0][code]; |
| 595 |
- } |
| 596 |
-+ if(code >= (1 << MAX_LWZ_BITS)) { |
| 597 |
-+ /* Corrupted code */ |
| 598 |
-+ return -1; |
| 599 |
-+ } |
| 600 |
- |
| 601 |
- *sd->sp++ = sd->firstcode = sd->table[1][code]; |
| 602 |
- |
| 603 |
-diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt |
| 604 |
-index 7d40cddc..2b73749e 100644 |
| 605 |
---- a/tests/gif/CMakeLists.txt |
| 606 |
-+++ b/tests/gif/CMakeLists.txt |
| 607 |
-@@ -3,6 +3,8 @@ LIST(APPEND TESTS_FILES |
| 608 |
- bug00181 |
| 609 |
- bug00227 |
| 610 |
- gif_null |
| 611 |
-+ ossfuzz5700 |
| 612 |
-+ uninitialized_memory_read |
| 613 |
- ) |
| 614 |
- |
| 615 |
- IF(PNG_FOUND) |
| 616 |
-@@ -12,7 +14,6 @@ LIST(APPEND TESTS_FILES |
| 617 |
- bug00060 |
| 618 |
- bug00066 |
| 619 |
- gif_im2im |
| 620 |
-- uninitialized_memory_read |
| 621 |
- ) |
| 622 |
- ENDIF(PNG_FOUND) |
| 623 |
- |
| 624 |
-diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am |
| 625 |
-index 0bdeab7e..3199438f 100644 |
| 626 |
---- a/tests/gif/Makemodule.am |
| 627 |
-+++ b/tests/gif/Makemodule.am |
| 628 |
-@@ -3,6 +3,7 @@ libgd_test_programs += \ |
| 629 |
- gif/bug00181 \ |
| 630 |
- gif/bug00227 \ |
| 631 |
- gif/gif_null \ |
| 632 |
-+ gif/ossfuzz5700 \ |
| 633 |
- gif/uninitialized_memory_read |
| 634 |
- |
| 635 |
- if HAVE_LIBPNG |
| 636 |
-@@ -24,4 +25,5 @@ EXTRA_DIST += \ |
| 637 |
- gif/bug00060.gif \ |
| 638 |
- gif/bug00066.gif \ |
| 639 |
- gif/bug00066_exp.png \ |
| 640 |
-+ gif/ossfuzz5700.gif \ |
| 641 |
- gif/unitialized_memory_read.gif |
| 642 |
-diff --git a/tests/gif/ossfuzz5700.c b/tests/gif/ossfuzz5700.c |
| 643 |
-new file mode 100644 |
| 644 |
-index 00000000..8fc9f88c |
| 645 |
---- /dev/null |
| 646 |
-+++ b/tests/gif/ossfuzz5700.c |
| 647 |
-@@ -0,0 +1,13 @@ |
| 648 |
-+#include <stdio.h> |
| 649 |
-+#include "gd.h" |
| 650 |
-+#include "gdtest.h" |
| 651 |
-+ |
| 652 |
-+int main() |
| 653 |
-+{ |
| 654 |
-+ gdImagePtr im; |
| 655 |
-+ FILE *fp = gdTestFileOpen("gif/ossfuzz5700.gif"); |
| 656 |
-+ im = gdImageCreateFromGif(fp); |
| 657 |
-+ fclose(fp); |
| 658 |
-+ gdImageDestroy(im); |
| 659 |
-+ return 0; |
| 660 |
-+} |
| 661 |
- |
Archives