Commit 87a5a2c4 authored by Natanael Copa's avatar Natanael Copa

main/gd: security upgrade to 2.2.4

fixes #7202

CVE-2016-6906
CVE-2016-9317
CVE-2016-6912
CVE-2016-10166
CVE-2016-10167
CVE-2016-10168
parent 2eccc618
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=gd
pkgver=2.1.1
pkgver=2.2.4
_myver=${pkgver/_rc/RC}
pkgrel=2
pkgrel=0
pkgdesc="Library for the dynamic creation of images by programmers"
url="http://www.libgd.org/"
arch="all"
......@@ -11,21 +11,17 @@ license="custom"
depends=
makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev"
subpackages="$pkgname-dev $pkgname-doc"
source="http://bitbucket.org/libgd/gd-libgd/downloads/libgd-$pkgver.tar.xz
invalid_neg_size.gd2
CVE-2015-8874.patch
CVE-2016-3074.patch
CVE-2016-5116.patch
CVE-2016-5766.patch
CVE-2016-6128.patch
CVE-2016-6161.patch
CVE-2016-6214.patch
Fix_out-of-bounds_read_in_read_image_tga.patch
gdlib-config-uses-pkgconfig.patch
read_out-of-bands_in_the_parsing_of_TGA_files.patch
source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz
"
# secfixes:
# 2.2.4-r0:
# - CVE-2016-6906
# - CVE-2016-9317
# - CVE-2016-6912
# - CVE-2016-10166
# - CVE-2016-10167
# - CVE-2016-10168
# 2.2.1-r2:
# - CVE-2015-8874
# - CVE-2016-3074
......@@ -44,9 +40,6 @@ prepare() {
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
update_config_sub || return 1
# Binary file included in CVE
cp "$srcdir"/invalid_neg_size.gd2 "$_builddir"/tests/gd2/ || return 1
}
build() {
......@@ -74,39 +67,6 @@ package() {
rm -r "$pkgdir"/usr/lib/libgd.la
}
md5sums="9076f3abd1f9815d106da36467ea15bc libgd-2.1.1.tar.xz
5d47f93d43e04fd29e758a1cda35fd4a invalid_neg_size.gd2
ffdea036b5dc25d2b4686e028cc0bcdc CVE-2015-8874.patch
1302aaf334899f086c707ebff7b27c96 CVE-2016-3074.patch
c76949031da145d6e40e9a65794f86c0 CVE-2016-5116.patch
fe62c60ecdbbe58407108a8241d6b64b CVE-2016-5766.patch
b5855d707396a59de730af7df9ff4e5f CVE-2016-6128.patch
e26e08aa74179306d216c7ac1e56e122 CVE-2016-6161.patch
99ce876835b32791270da65814a96c6b CVE-2016-6214.patch
a5948cb2f199d78a9616a7d6eaf6b7e7 Fix_out-of-bounds_read_in_read_image_tga.patch
f63f2d68fd047cb78c67af552ddfd90b gdlib-config-uses-pkgconfig.patch
bd87c73fe724b03ee0ffc0882ae02753 read_out-of-bands_in_the_parsing_of_TGA_files.patch"
sha256sums="9ada1ed45594abc998ebc942cef12b032fbad672e73efc22bc9ff54f5df2b285 libgd-2.1.1.tar.xz
a90b3a76ca00e6766a600feeecf3c3fb1a6c71b256b44fe0d6e7268e54e758f3 invalid_neg_size.gd2
d9676b643d78d25fcc76dd89934a7ceeebed4c5c3aeeda17c97901288f5ba6b5 CVE-2015-8874.patch
98908d8dda9b82c28c5903e1d42ba0f4c4604742b3648cfa224267e0a56cebfd CVE-2016-3074.patch
05f48d46bbc8f2edb6175c394f1b1968a9e486c672c7f0034f386546783086c5 CVE-2016-5116.patch
a9c43998f804f670103c388603d4b567445722fff464e1192306622ac485ddbf CVE-2016-5766.patch
33c234de245f058f83a3349b57c296755ba128e346c153df19417250f640d586 CVE-2016-6128.patch
6b57bc5ec9427abdb9daef8463ace7d213d39efc3a0c7179ab9c35d2cab9b17e CVE-2016-6161.patch
02db388e6304c457259eb280618b03175aa7a667288a6d1976f4431a61c5e178 CVE-2016-6214.patch
794f6977709e75295e3b19f7c9574bb8dc13aaf06b77cf36e512e1f1d4dd95a1 Fix_out-of-bounds_read_in_read_image_tga.patch
2ea89fdbd443ab2a3b38e762e99c598389a12373fdcc59182fbaad0e22779270 gdlib-config-uses-pkgconfig.patch
addf67d8e251243b19a02c91d4346cebf684e4de8e75ac0e229b9839486e99cd read_out-of-bands_in_the_parsing_of_TGA_files.patch"
sha512sums="48f444402a4b89e412870f9091b92eb26136c5c0d795722262ad973c7d4103476204a2de36133a2634b8f410d6bccdcf60afb829a74ac2fddfb96aff2cd2567b libgd-2.1.1.tar.xz
c2402dd19525468b41f5424d42237ead46f108d8ef7f70fc8f11afa715972b474c53d792f92dd27f044f1be9b2e6a9c33eeb9434249f63055f52ac4a68b970b4 invalid_neg_size.gd2
fd0e6094a968e16b3cc37ba5ce25118e0f1e6bcaa2ecf42834120f15dcd9b7bc8788258d774ced02677b25accbdb187b4add9bb09deab78669972aa12c583fce CVE-2015-8874.patch
91e13a5f9d2009707258613fec0549021c397b9f0b92a0e63dca9874a8f4041de1a2e04693da5e34668b154069d952735c5a4c8de9e3b6ab57b97297f8eab832 CVE-2016-3074.patch
4010a85dc298292da3e82061390e6eb81578f059ae40ccac319e4e2bacfd804567cb36f162d7e5753a511f00285d15a0cf28bed381b01e268bb4398eed5705ef CVE-2016-5116.patch
e08c7e351d6982c43f3852c4d6c174615d3e81292929d330082704d2469bfa2563db2c34bbe6dece2a2af351c89c7f4964a8723ca4453ebb75875aced61c778a CVE-2016-5766.patch
2d028aade6b39f62bf587719031a280064006723bc6060c11266df0c8391fbd90456e0c7c0c1081b35291b58aa60b47b012278160a987c6b1659fc562c298e4f CVE-2016-6128.patch
2df0665aecd454343c9bd801f096cd46b44d5dcc632bd0a1b03de01d797f2ebda078e4dcb20279ba33a86f30f6ae5819ad7a5c02902174cc1f185416159cf046 CVE-2016-6161.patch
f5afe3434010b5d7e77d33b60cbc02bf7455cd0e469705900da3d4dc5451022cdaeb315ebe902bb80ddef2379bd851b57f5216e5e024a9cb2085f2932c0a3e12 CVE-2016-6214.patch
013cb2d4751685ae0c64cdce2ddd120c209a9f6b60a20404c58c67e4a36f168a918bc048b7833c37279900255e3e687607f0740ccd0f33ee12bffe284c9dd6af Fix_out-of-bounds_read_in_read_image_tga.patch
cbd01fa281c32806d3dac43e80760e4fb34a45d86035d7dbcdca987fdf341819708960c9aa20e2d075d97bb3b9de2652a787eab73f755d955ad4f437cb38eee3 gdlib-config-uses-pkgconfig.patch
87468dd7b310e5488f2b877f766b2eac90561d77c44ad79df98f61d07a40f76ed7621d1f2772afeeb00bc032d144e0302ecdae8cfd442a8e0b748b039b1d27df read_out-of-bands_in_the_parsing_of_TGA_files.patch"
md5sums="a244855a323a3ea1975d708eb1e12b7a libgd-2.2.4.tar.xz"
sha256sums="137f13a7eb93ce72e32ccd7cebdab6874f8cf7ddf31d3a455a68e016ecd9e4e6 libgd-2.2.4.tar.xz"
sha512sums="07903f322c4f6ab392508b0f60c38ca133699111ea92995dc6cd9379210d598bcb24a46c19657884d9e252f8663d0ee8c89c600e3a382a5ae598198c190f39b5 libgd-2.2.4.tar.xz"
From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@sury.org>
Date: Fri, 20 May 2016 09:39:38 +0200
Subject: CVE-2015-8874
---
src/gd.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- libgd2.orig/src/gd.c
+++ libgd2/src/gd.c
@@ -1840,6 +1840,17 @@ BGD_DECLARE(void) gdImageFillToBorder (g
restoreAlphaBleding = im->alphaBlendingFlag;
im->alphaBlendingFlag = 0;
+ if (x >= im->sx) {
+ x = im->sx - 1;
+ } else if (x < 0) {
+ x = 0;
+ }
+ if (y >= im->sy) {
+ y = im->sy - 1;
+ } else if (y < 0) {
+ y = 0;
+ }
+
for (i = x; (i >= 0); i--) {
if (gdImageGetPixel (im, i, y) == border) {
break;
From 2bb97f407c1145c850416a3bfbcc8cf124e68a19 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 16 Apr 2016 03:51:22 -0400
Subject: [PATCH] gd2: handle corrupt images better (CVE-2016-3074)
Make sure we do some range checking on corrupted chunks.
Thanks to Hans Jerry Illikainen <hji@dyntopia.com> for indepth report
and reproducer information. Made for easy test case writing :).
---
.gitignore | 1 +
src/gd_gd2.c | 2 ++
tests/Makefile.am | 3 ++-
tests/gd2/gd2_read_corrupt.c | 25 +++++++++++++++++++++++++
tests/gd2/invalid_neg_size.gd2 | Bin 0 -> 1676 bytes
5 files changed, 30 insertions(+), 1 deletion(-)
create mode 100644 tests/gd2/gd2_read_corrupt.c
create mode 100644 tests/gd2/invalid_neg_size.gd2
diff --git a/src/gd_gd2.c b/src/gd_gd2.c
index 6f28461..a50b33d 100644
--- a/src/gd_gd2.c
+++ b/src/gd_gd2.c
@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
if (gdGetInt (&cidx[i].size, in) != 1) {
goto fail2;
};
+ if (cidx[i].offset < 0 || cidx[i].size < 0)
+ goto fail2;
};
*chunkIdx = cidx;
};
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ed2c35b..b582266 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -129,7 +129,8 @@ endif
if HAVE_LIBZ
check_PROGRAMS += \
- gd2/gd2_null
+ gd2/gd2_null \
+ gd2/gd2_read_corrupt
endif
if HAVE_LIBPNG
diff --git a/tests/gd2/gd2_read_corrupt.c b/tests/gd2/gd2_read_corrupt.c
new file mode 100644
index 0000000..11f6a67
--- /dev/null
+++ b/tests/gd2/gd2_read_corrupt.c
@@ -0,0 +1,25 @@
+/* Just try to read the invalid gd2 image & not crash. */
+#include "gd.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include "gdtest.h"
+
+int main()
+{
+ gdImagePtr im;
+ FILE *fp;
+ char path[1024];
+
+ /* Read the corrupt image. */
+ sprintf(path, "%s/gd2/invalid_neg_size.gd2", GDTEST_TOP_DIR);
+ fp = fopen(path, "rb");
+ if (!fp) {
+ printf("failed, cannot open file\n");
+ return 1;
+ }
+ im = gdImageCreateFromGd2(fp);
+ fclose(fp);
+
+ /* Should have failed & rejected it. */
+ return im == NULL ? 0 : 1;
+}
From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 14 May 2016 01:38:18 -0400
Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
We use the name passed in to printf into a local stack buffer which is
limited to 4000 bytes. So given a large enough value, lots of stack
data is leaked. Rewrite the code to do simple memory copies with most
of the strings to avoid that issue, and only use stack buffer for small
numbers of constant size.
This closes #211.
---
src/gd_xbm.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)
--- libgd2.orig/src/gd_xbm.c
+++ libgd2/src/gd_xbm.c
@@ -147,7 +147,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
/* {{{ gdCtxPrintf */
static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
{
- char buf[4096];
+ char buf[1024];
int len;
va_list args;
@@ -158,6 +158,9 @@ static void gdCtxPrintf(gdIOCtx * out, c
}
/* }}} */
+/* The compiler will optimize strlen(constant) to a constant number. */
+#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s))
+
/* {{{ gdImageXbmCtx */
BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
{
@@ -182,9 +185,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImageP
}
}
- gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image));
- gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image));
- gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name);
+ /* Since "name" comes from the user, run it through a direct puts.
+ * Trying to printf it into a local buffer means we'd need a large
+ * or dynamic buffer to hold it all. */
+
+ /* #define <name>_width 1234 */
+ gdCtxPuts(out, "#define ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_width ");
+ gdCtxPrintf(out, "%d\n", gdImageSX(image));
+
+ /* #define <name>_height 1234 */
+ gdCtxPuts(out, "#define ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_height ");
+ gdCtxPrintf(out, "%d\n", gdImageSY(image));
+
+ /* static unsigned char <name>_bits[] = {\n */
+ gdCtxPuts(out, "static unsigned char ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_bits[] = {\n ");
free(name);
@@ -201,9 +221,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImageP
if ((b == 128) || (x == sx && y == sy)) {
b = 1;
if (p) {
- gdCtxPrintf(out, ", ");
+ gdCtxPuts(out, ", ");
if (!(p%12)) {
- gdCtxPrintf(out, "\n ");
+ gdCtxPuts(out, "\n ");
p = 12;
}
}
@@ -215,6 +235,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImageP
}
}
}
- gdCtxPrintf(out, "};\n");
+ gdCtxPuts(out, "};\n");
}
/* }}} */
From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Tue, 28 Jun 2016 16:23:42 +0700
Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
_gd2GetHeader() resulting in heap overflow
--- libgd2.orig/src/gd_gd2.c
+++ libgd2/src/gd_gd2.c
@@ -156,8 +156,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
nc = (*ncx) * (*ncy);
GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
sidx = sizeof (t_chunk_info) * nc;
+ if (overflow2(sidx, nc)) {
+ goto fail1;
+ }
cidx = gdCalloc (sidx, 1);
- if (!cidx) {
+ if (cidx == NULL) {
goto fail1;
}
for (i = 0; i < nc; i++) {
From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001
From: Pierre Joye <pierre.php@gmail.com>
Date: Mon, 27 Jun 2016 11:17:39 +0700
Subject: [PATCH 1/5] fix php 72494, invalid color index not handled, can lead
to crash
--- libgd2.orig/src/gd_crop.c
+++ libgd2/src/gd_crop.c
@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThres
return NULL;
}
+ if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
+ return NULL;
+ }
+
/* TODO: Add gdImageGetRowPtr and works with ptr at the row level
* for the true color and palette images
* new formats will simply work with ptr
From 82b80dcb70a7ca8986125ff412bceddafc896842 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 14 May 2016 02:13:15 -0400
Subject: [PATCH] gif: avoid out-of-bound reads of masks array #209
When given invalid inputs, we might be fed the EOF marker before it is
actually the EOF. The gif logic assumes once it sees the EOF marker,
there won't be any more data, so it leaves the cur_bits index possibly
negative. So when we get more data, we underflow the masks array.
Flag it so we don't try to output anything more. The image is invalid,
so we shouldn't be truncating any valid inputs.
This fixes #209.
---
src/gd_gif_out.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- libgd2.orig/src/gd_gif_out.c
+++ libgd2/src/gd_gif_out.c
@@ -1000,15 +1000,23 @@ nomatch:
* code in turn. When the buffer fills up empty it and start over.
*/
-static unsigned long masks[] = {
+static const unsigned long masks[] = {
0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
0x001F, 0x003F, 0x007F, 0x00FF,
0x01FF, 0x03FF, 0x07FF, 0x0FFF,
0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF
};
+/* Arbitrary value to mark output is done. When we see EOFCode, then we don't
+ * expect to see any more data. If we do (e.g. corrupt image inputs), cur_bits
+ * might be negative, so flag it to return early.
+ */
+#define CUR_BITS_FINISHED -1000
+
static void output(code_int code, GifCtx *ctx)
{
+ if (ctx->cur_bits == CUR_BITS_FINISHED)
+ return;
ctx->cur_accum &= masks[ctx->cur_bits];
if(ctx->cur_bits > 0) {
@@ -1050,6 +1058,8 @@ static void output(code_int code, GifCtx
ctx->cur_accum >>= 8;
ctx->cur_bits -= 8;
}
+ /* Flag that it's done to prevent re-entry. */
+ ctx->cur_bits = CUR_BITS_FINISHED;
flush_char(ctx);
}
From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 12 Jul 2016 19:23:13 +0200
Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
gracefully
Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
really supported. All other combinations will be rejected with a warning.
(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
---
src/gd_tga.c | 16 ++++++----------
tests/tga/.gitignore | 1 +
tests/tga/CMakeLists.txt | 1 +
tests/tga/Makemodule.am | 4 +++-
tests/tga/bug00247a.c | 19 +++++++++++++++++++
tests/tga/bug00247a.tga | Bin 0 -> 36 bytes
6 files changed, 30 insertions(+), 11 deletions(-)
create mode 100644 tests/tga/bug00247a.c
create mode 100644 tests/tga/bug00247a.tga
--- libgd2.orig/src/gd_tga.c
+++ libgd2/src/gd_tga.c
@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
if (tga->bits == TGA_BPP_24) {
*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
bitmap_caret += 3;
- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
+ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
register int a = tga->bitmap[bitmap_caret + 3];
*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *
printf("wxh: %i %i\n", tga->width, tga->height);
#endif
- switch(tga->bits) {
- case 8:
- case 16:
- case 24:
- case 32:
- break;
- default:
- gd_error("bps %i not supported", tga->bits);
+ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
+ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
+ {
+ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
+ tga->bits, tga->alphabits);
return -1;
- break;
}
tga->ident = NULL;
From 2580f5df5c4a038018b28682b71923bedd5294d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Tue, 12 Jul 2016 14:20:16 +0200
Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga
---
src/gd_tga.c | 34 ++++++++++++++++++++++++++--------
1 file changed, 26 insertions(+), 8 deletions(-)
--- libgd2.orig/src/gd_tga.c
+++ libgd2/src/gd_tga.c
@@ -200,7 +200,6 @@ int read_image_tga( gdIOCtx *ctx, oTga *
int buffer_caret = 0;
int bitmap_caret = 0;
int i = 0;
- int j = 0;
uint8_t encoded_pixels;
if(overflow2(tga->width, tga->height)) {
@@ -292,27 +291,35 @@ int read_image_tga( gdIOCtx *ctx, oTga *
buffer_caret = 0;
while( bitmap_caret < image_block_size ) {
-
+
if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
- encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 );
+ encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG ) + 1 );
buffer_caret++;
+ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
+ gdFree( decompression_buffer );
+ gdFree( conversion_buffer );
+ return -1;
+ }
+
for (i = 0; i < encoded_pixels; i++) {
- for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
- }
+ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size);
+ bitmap_caret += pixel_block_size;
}
buffer_caret += pixel_block_size;
} else {
encoded_pixels = decompression_buffer[ buffer_caret ] + 1;
buffer_caret++;
- for (i = 0; i < encoded_pixels; i++) {
- for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) {
- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
- }
- buffer_caret += pixel_block_size;
+ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
+ gdFree( decompression_buffer );
+ gdFree( conversion_buffer );
+ return -1;
}
+
+ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size);
+ bitmap_caret += (encoded_pixels * pixel_block_size);
+ buffer_caret += (encoded_pixels * pixel_block_size);
}
}
--- a/config/gdlib-config.in
+++ b/config/gdlib-config.in
@@ -2,14 +2,9 @@
#
# Return information about the local GD library installation
#
-# Modeled after pdflib-config
+# Modified to use pkgconfig
-# installation directories
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-includedir=@includedir@
-bindir=@bindir@
+pkg=gdlib
usage()
{
@@ -50,43 +45,43 @@ while test $# -gt 0; do
case $1 in
--libdir)
- echo $libdir
+ pkg-config --variable=libdir ${pkg}
;;
--includedir)
- echo $includedir
+ pkg-config --variable=includedir ${pkg}
;;
--version)
- echo @VERSION@
+ pkg-config --modversion ${pkg}
;;
--majorversion)
- echo @GDLIB_MAJOR@
+ pkg-config --modversion ${pkg} | cut -f 1 -d .
;;
--minorversion)
- echo @GDLIB_MINOR@
+ pkg-config --modversion ${pkg} | cut -f 2 -d .
;;
--revision)
- echo @GDLIB_REVISION@
+ pkg-config --modversion ${pkg} | cut -f 3 -d .
;;
--ldflags)
- echo @LDFLAGS@
+ pkg-config --libs-only-L ${pkg}
;;
--libs)
- echo -lgd @LIBS@ @LIBICONV@
+ pkg-config --libs ${pkg}
;;
--cflags|--includes)
- echo -I@includedir@
+ pkg-config --cflags ${pkg}
;;
--features)
echo @FEATURES@
;;
--all)
- echo "GD library @VERSION@"
- echo "includedir: $includedir"
- echo "cflags: -I@includedir@"
- echo "ldflags: @LDFLAGS@"
- echo "libs: @LIBS@ @LIBICONV@"
- echo "libdir: $libdir"
- echo "features: @FEATURES@"
+ echo "GD library $($0 --version)@"
+ echo "includedir: $($0 --includedir)"
+ echo "cflags: $($0 --cflags)"
+ echo "ldflags: $($0 --ldflags)"
+ echo "libs: $($0 --libs)"
+ echo "libdir: $($0 --libdir)"
+ echo "features: $($0 --features)"
;;
*)
usage 1 1>&2
<html><body>You are being <a href="https://raw.githubusercontent.com/libgd/libgd/master/tests/gd2/invalid_neg_size.gd2">redirected</a>.</body></html>
\ No newline at end of file
From 921e590565deb033acafcfa9063b4563200b14b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Tue, 12 Jul 2016 11:24:09 +0200
Subject: [PATCH 1/2] Fix #247, A read out-of-bands was found in the parsing of
TGA files
---
src/gd_tga.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- libgd2.orig/src/gd_tga.c
+++ libgd2/src/gd_tga.c
@@ -247,7 +247,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *
return -1;
}
- gdGetBuf(conversion_buffer, image_block_size, ctx);
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ return -1;
+ }
while (buffer_caret < image_block_size) {
tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
@@ -273,7 +276,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *
return -1;
}
- gdGetBuf( conversion_buffer, image_block_size, ctx );
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ gdFree(decompression_buffer);
+ return -1;
+ }
buffer_caret = 0;
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment