commit: 6f62811e7f813c38a3e576f1ceee8f27a5f5da6a |
Author: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com> |
AuthorDate: Fri Jun 26 06:50:51 2020 +0000 |
Commit: Aaron Bauman <bman <AT> gentoo <DOT> org> |
CommitDate: Sat Jun 27 20:49:26 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f62811e |
|
media-libs/gd: remove unused patches |
|
Package-Manager: Portage-2.3.101, Repoman-2.3.22 |
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com> |
Closes: https://github.com/gentoo/gentoo/pull/16425 |
Signed-off-by: Aaron Bauman <bman <AT> gentoo.org> |
|
.../gd/files/gd-2.2.5-CVE-2018-1000222.patch | 73 ------ |
media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch | 124 --------- |
media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch | 28 --- |
media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch | 278 --------------------- |
media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch | 103 -------- |
5 files changed, 606 deletions(-) |
|
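diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-1000222.patch b/media-libs/gd/files/gd-2.2.5-CVE-2018-1000222.patch
deleted file mode 100644
index 80f9712bf8e..00000000000
--- a/media-libs/gd/files/gd-2.2.5-CVE-2018-1000222.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@g.o>
-Date: Sat, 14 Jul 2018 13:54:08 -0400
-Subject: [PATCH] bmp: check return value in gdImageBmpPtr
-
-Closes #447.
----
- src/gd_bmp.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/src/gd_bmp.c b/src/gd_bmp.c
-index bde0b9d3..78f40d9a 100644
---- a/src/gd_bmp.c
-+++ b/src/gd_bmp.c
-@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
- static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
- static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
-
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
-+
- #define BMP_DEBUG(s)
-
- static int gdBMPPutWord(gdIOCtx *out, int w)
-@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
- void *rv;
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- if (out == NULL) return NULL;
-- gdImageBmpCtx(im, out, compression);
-- rv = gdDPExtractData(out, size);
-+ if (!_gdImageBmpCtx(im, out, compression))
-+ rv = gdDPExtractData(out, size);
-+ else
-+ rv = NULL;
- out->gd_free(out);
- return rv;
- }
-@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
- compression - whether to apply RLE or not.
- */
- BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
-+{
-+ _gdImageBmpCtx(im, out, compression);
-+}
-+
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- {
- int bitmap_size = 0, info_size, total_size, padding;
- int i, row, xpos, pixel;
-@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
- FILE *tmpfile_for_compression = NULL;
- gdIOCtxPtr out_original = NULL;
-+ int ret = 1;
-
- /* No compression if its true colour or we don't support seek */
- if (im->trueColor) {
-@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- out_original = NULL;
- }
-
-+ ret = 0;
- cleanup:
- if (tmpfile_for_compression) {
- #ifdef _WIN32
-@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- if (out_original) {
- out_original->gd_free(out_original);
- }
-- return;
-+ return ret;
- }
-
- static int compress_row(unsigned char *row, int length)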
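diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch
deleted file mode 100644
index 6d9de06998a..00000000000
--- a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@×××.de>
-Date: Wed, 29 Nov 2017 19:37:38 +0100
-Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
-
-Due to a signedness confusion in `GetCode_` a corrupt GIF file can
-trigger an infinite loop. Furthermore we make sure that a GIF without
-any palette entries is treated as invalid *after* open palette entries
-have been removed.
-
-CVE-2018-5711
-
-See also https://bugs.php.net/bug.php?id=75571.
----
- src/gd_gif_in.c | 12 ++++++------
- tests/gif/CMakeLists.txt | 1 +
- tests/gif/Makemodule.am | 2 ++
- tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++
- tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes
- 6 files changed, 38 insertions(+), 6 deletions(-)
- create mode 100644 tests/gif/php_bug_75571.c
-
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
-index daf26e79..0a8bd717 100644
---- a/src/gd_gif_in.c
-+++ b/src/gd_gif_in.c
-@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
- return 0;
- }
-
-- if(!im->colorsTotal) {
-- gdImageDestroy(im);
-- return 0;
-- }
--
- /* Check for open colors at the end, so
- * we can reduce colorsTotal and ultimately
- * BitsPerPixel */
-@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
- }
- }
-
-+ if(!im->colorsTotal) {
-+ gdImageDestroy(im);
-+ return 0;
-+ }
-+
- return im;
- }
-
-@@ -447,7 +447,7 @@ static int
- GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
- {
- int i, j, ret;
-- unsigned char count;
-+ int count;
-
- if(flag) {
- scd->curbit = 0;
-diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
-index 2b73749e..e58e6b09 100644
---- a/tests/gif/CMakeLists.txt
-+++ b/tests/gif/CMakeLists.txt
-@@ -4,6 +4,7 @@ LIST(APPEND TESTS_FILES
- bug00227
- gif_null
- ossfuzz5700
-+ php_bug_75571
- uninitialized_memory_read
- )
-
-diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am
-index 3199438f..5dbeac53 100644
---- a/tests/gif/Makemodule.am
-+++ b/tests/gif/Makemodule.am
-@@ -4,6 +4,7 @@ libgd_test_programs += \
- gif/bug00227 \
- gif/gif_null \
- gif/ossfuzz5700 \
-+ gif/php_bug_75571 \
- gif/uninitialized_memory_read
-
- if HAVE_LIBPNG
-@@ -26,4 +27,5 @@ EXTRA_DIST += \
- gif/bug00066.gif \
- gif/bug00066_exp.png \
- gif/ossfuzz5700.gif \
-+ gif/php_bug_75571.gif \
- gif/unitialized_memory_read.gif
-diff --git a/tests/gif/php_bug_75571.c b/tests/gif/php_bug_75571.c
-new file mode 100644
-index 00000000..d4fae3ae
---- /dev/null
-+++ b/tests/gif/php_bug_75571.c
-@@ -0,0 +1,28 @@
-+/**
-+ * Test that GIF reading does not loop infinitely
-+ *
-+ * We are reading a crafted GIF image which has been truncated. This would
-+ * trigger an infinite loop formerly, but know bails out early, returning
-+ * NULL from gdImageCreateFromGif().
-+ *
-+ * See also https://bugs.php.net/bug.php?id=75571.
-+ */
-+
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+int main()
-+{
-+ gdImagePtr im;
-+ FILE *fp;
-+
-+ fp = gdTestFileOpen2("gif", "php_bug_75571.gif");
-+ gdTestAssert(fp != NULL);
-+ im = gdImageCreateFromGif(fp);
-+ gdTestAssert(im == NULL);
-+ fclose(fp);
-+
-+ return gdNumFailures();
-+}
-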
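diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch
deleted file mode 100644
index 0b67a596c6b..00000000000
--- a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Description: Heap-based buffer overflow in gdImageColorMatch
-Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
-Bug-PHP: https://bugs.php.net/bug.php?id=77270
-Bug-Debian: https://bugs.debian.org/920645
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
-Forwarded: no
-Author: "Christoph M. Becker" <cmbecker69@×××.de>
-Last-Update: 2019-02-01
-
-At least some of the image reading functions may return images which
-use color indexes greater than or equal to im->colorsTotal. We cater
-to this by always using a buffer size which is sufficient for
-`gdMaxColors` in `gdImageColorMatch()`.
----
-
---- a/src/gd_color_match.c
-+++ b/src/gd_color_match.c
-@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
- return -4; /* At least 1 color must be allocated */
- }
-
-- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
-- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
-+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
-+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
-
- for (x=0; x < im1->sx; x++) {
- for( y=0; y<im1->sy; y++ ) {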
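diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch
deleted file mode 100644
index 2eb9369a0ba..00000000000
--- a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch
+++ /dev/null
@@ -1,278 +0,0 @@
-From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@×××.de>
-Date: Thu, 17 Jan 2019 11:54:55 +0100
-Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
-
-Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
-must not call `gdDPExtractData()`; otherwise a double-free would
-happen. Since `gdImage*Ctx()` are void functions, and we can't change
-that for BC reasons, we're introducing static helpers which are used
-internally.
-
-We're adding a regression test for `gdImageJpegPtr()`, but not for
-`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
-trigger failure of the respective `gdImage*Ctx()` calls.
-
-This potential security issue has been reported by Solmaz Salimi (aka.
-Rooney).
----
- src/gd_gif_out.c | 18 +++++++++++++++---
- src/gd_jpeg.c | 20 ++++++++++++++++----
- src/gd_wbmp.c | 21 ++++++++++++++++++---
- tests/jpeg/CMakeLists.txt | 1 +
- tests/jpeg/Makemodule.am | 3 ++-
- tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
- 7 files changed, 84 insertions(+), 11 deletions(-)
- create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
-
-diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
-index 298a5812..d5a95346 100644
---- a/src/gd_gif_out.c
-+++ b/src/gd_gif_out.c
-@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
- static void char_out(int c, GifCtx *ctx);
- static void flush_char(GifCtx *ctx);
-
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
-
-
-
-@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
- void *rv;
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- if (out == NULL) return NULL;
-- gdImageGifCtx(im, out);
-- rv = gdDPExtractData(out, size);
-+ if (!_gdImageGifCtx(im, out)) {
-+ rv = gdDPExtractData(out, size);
-+ } else {
-+ rv = NULL;
-+ }
- out->gd_free(out);
- return rv;
- }
-@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
-
- */
- BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
-+{
-+ _gdImageGifCtx(im, out);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- {
- gdImagePtr pim = 0, tim = im;
- int interlace, BitsPerPixel;
-@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- based temporary image. */
- pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
- if(!pim) {
-- return;
-+ return 1;
- }
- tim = pim;
- }
-@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- /* Destroy palette based temporary image. */
- gdImageDestroy( pim);
- }
-+
-+ return 0;
- }
-
-
-diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
-index fc058420..96ef4302 100644
---- a/src/gd_jpeg.c
-+++ b/src/gd_jpeg.c
-@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
- exit(99);
- }
-
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
-+
- /*
- * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
- * QUALITY. If QUALITY is in the range 0-100, increasing values
-@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
- void *rv;
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- if (out == NULL) return NULL;
-- gdImageJpegCtx(im, out, quality);
-- rv = gdDPExtractData(out, size);
-+ if (!_gdImageJpegCtx(im, out, quality)) {
-+ rv = gdDPExtractData(out, size);
-+ } else {
-+ rv = NULL;
-+ }
- out->gd_free(out);
- return rv;
- }
-@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
-
- */
- BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
-+{
-+ _gdImageJpegCtx(im, outfile, quality);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- {
- struct jpeg_compress_struct cinfo;
- struct jpeg_error_mgr jerr;
-@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- if(row) {
- gdFree(row);
- }
-- return;
-+ return 1;
- }
-
- cinfo.err->emit_message = jpeg_emit_message;
-@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- if(row == 0) {
- gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
- jpeg_destroy_compress(&cinfo);
-- return;
-+ return 1;
- }
-
- rowptr[0] = row;
-@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- jpeg_finish_compress(&cinfo);
- jpeg_destroy_compress(&cinfo);
- gdFree(row);
-+ return 0;
- }
-
-
-diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
-index f19a1c96..a49bdbec 100644
---- a/src/gd_wbmp.c
-+++ b/src/gd_wbmp.c
-@@ -88,6 +88,8 @@ int gd_getin(void *in)
- return (gdGetC((gdIOCtx *)in));
- }
-
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
-+
- /*
- Function: gdImageWBMPCtx
-
-@@ -100,6 +102,12 @@ int gd_getin(void *in)
- out - the stream where to write
- */
- BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
-+{
-+ _gdImageWBMPCtx(image, fg, out);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
- {
- int x, y, pos;
- Wbmp *wbmp;
-@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
- /* create the WBMP */
- if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
- gd_error("Could not create WBMP\n");
-- return;
-+ return 1;
- }
-
- /* fill up the WBMP structure */
-@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
-
- /* write the WBMP to a gd file descriptor */
- if(writewbmp(wbmp, &gd_putout, out)) {
-+ freewbmp(wbmp);
- gd_error("Could not save WBMP\n");
-+ return 1;
- }
-
- /* des submitted this bugfix: gdFree the memory. */
- freewbmp(wbmp);
-+
-+ return 0;
- }
-
- /*
-@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
- void *rv;
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- if (out == NULL) return NULL;
-- gdImageWBMPCtx(im, fg, out);
-- rv = gdDPExtractData(out, size);
-+ if (!_gdImageWBMPCtx(im, fg, out)) {
-+ rv = gdDPExtractData(out, size);
-+ } else {
-+ rv = NULL;
-+ }
- out->gd_free(out);
- return rv;
- }
-diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
-index 19964b0c..a8d8162f 100644
---- a/tests/jpeg/CMakeLists.txt
-+++ b/tests/jpeg/CMakeLists.txt
-@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
- LIST(APPEND TESTS_FILES
- jpeg_empty_file
- jpeg_im2im
-+ jpeg_ptr_double_free
- jpeg_null
- )
-
-diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
-index 7e5d317b..b89e1695 100644
---- a/tests/jpeg/Makemodule.am
-+++ b/tests/jpeg/Makemodule.am
-@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
- libgd_test_programs += \
- jpeg/jpeg_empty_file \
- jpeg/jpeg_im2im \
-- jpeg/jpeg_null
-+ jpeg/jpeg_null \
-+ jpeg/jpeg_ptr_double_free
-
- if HAVE_LIBPNG
- libgd_test_programs += \
-diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
-new file mode 100644
-index 00000000..df5a510b
---- /dev/null
-+++ b/tests/jpeg/jpeg_ptr_double_free.c
-@@ -0,0 +1,31 @@
-+/**
-+ * Test that failure to convert to JPEG returns NULL
-+ *
-+ * We are creating an image, set its width to zero, and pass this image to
-+ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
-+ *
-+ * See also <https://github.com/libgd/libgd/issues/381>
-+ */
-+
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+int main()
-+{
-+ gdImagePtr src, dst;
-+ int size;
-+
-+ src = gdImageCreateTrueColor(1, 10);
-+ gdTestAssert(src != NULL);
-+
-+ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
-+
-+ dst = gdImageJpegPtr(src, &size, 0);
-+ gdTestAssert(dst == NULL);
-+
-+ gdImageDestroy(src);
-+
-+ return gdNumFailures();
-+}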
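diff --git a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch
deleted file mode 100644
index 891c232115e..00000000000
--- a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 9fa3abd2e61da18ed2b889704e4e252f0f5a95fe Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@g.o>
-Date: Fri, 26 Jan 2018 01:57:52 -0500
-Subject: [PATCH] gif: fix out-of-bounds read w/corrupted lzw data
-
-oss-fuzz pointed out:
-gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int [4096]'
-
-Add some bounds checking on each code that we read from the file.
----
- src/gd_gif_in.c | 8 ++++++++
- tests/gif/CMakeLists.txt | 3 ++-
- tests/gif/Makemodule.am | 2 ++
- tests/gif/ossfuzz5700.c | 13 +++++++++++++
- tests/gif/ossfuzz5700.gif | Bin 0 -> 30 bytes
- 6 files changed, 26 insertions(+), 1 deletion(-)
- create mode 100644 tests/gif/ossfuzz5700.c
-
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
-index afc08bf7..daf26e79 100644
---- a/src/gd_gif_in.c
-+++ b/src/gd_gif_in.c
-@@ -601,6 +601,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i
- /* Bad compressed data stream */
- return -1;
- }
-+ if(code >= (1 << MAX_LWZ_BITS)) {
-+ /* Corrupted code */
-+ return -1;
-+ }
-
- *sd->sp++ = sd->table[1][code];
-
-@@ -610,6 +614,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i
-
- code = sd->table[0][code];
- }
-+ if(code >= (1 << MAX_LWZ_BITS)) {
-+ /* Corrupted code */
-+ return -1;
-+ }
-
- *sd->sp++ = sd->firstcode = sd->table[1][code];
-
-diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
-index 7d40cddc..2b73749e 100644
---- a/tests/gif/CMakeLists.txt
-+++ b/tests/gif/CMakeLists.txt
-@@ -3,6 +3,8 @@ LIST(APPEND TESTS_FILES
- bug00181
- bug00227
- gif_null
-+ ossfuzz5700
-+ uninitialized_memory_read
- )
-
- IF(PNG_FOUND)
-@@ -12,7 +14,6 @@ LIST(APPEND TESTS_FILES
- bug00060
- bug00066
- gif_im2im
-- uninitialized_memory_read
- )
- ENDIF(PNG_FOUND)
-
-diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am
-index 0bdeab7e..3199438f 100644
---- a/tests/gif/Makemodule.am
-+++ b/tests/gif/Makemodule.am
-@@ -3,6 +3,7 @@ libgd_test_programs += \
- gif/bug00181 \
- gif/bug00227 \
- gif/gif_null \
-+ gif/ossfuzz5700 \
- gif/uninitialized_memory_read
-
- if HAVE_LIBPNG
-@@ -24,4 +25,5 @@ EXTRA_DIST += \
- gif/bug00060.gif \
- gif/bug00066.gif \
- gif/bug00066_exp.png \
-+ gif/ossfuzz5700.gif \
- gif/unitialized_memory_read.gif
-diff --git a/tests/gif/ossfuzz5700.c b/tests/gif/ossfuzz5700.c
-new file mode 100644
-index 00000000..8fc9f88c
---- /dev/null
-+++ b/tests/gif/ossfuzz5700.c
-@@ -0,0 +1,13 @@
-+#include <stdio.h>
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+int main()
-+{
-+ gdImagePtr im;
-+ FILE *fp = gdTestFileOpen("gif/ossfuzz5700.gif");
-+ im = gdImageCreateFromGif(fp);
-+ fclose(fp);
-+ gdImageDestroy(im);
-+ return 0;
-+}
-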