diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index b7460d4334b6197ed173619fee579f683e49726b..79ca821f9c96e9c7d6f719033513c48135907ee9 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -3,7 +3,7 @@
pkgname=gd
pkgver=2.1.1
_myver=${pkgver/_rc/RC}
-pkgrel=1
+pkgrel=2
pkgdesc="Library for the dynamic creation of images by programmers"
url="http://www.libgd.org/"
arch="all"
@@ -12,10 +12,29 @@ depends=
makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev"
subpackages="$pkgname-dev $pkgname-doc"
source="http://bitbucket.org/libgd/gd-libgd/downloads/libgd-$pkgver.tar.xz
- CVE-2016-3074.patch
invalid_neg_size.gd2
+ CVE-2015-8874.patch
+ CVE-2016-3074.patch
+ CVE-2016-5116.patch
+ CVE-2016-5766.patch
+ CVE-2016-6128.patch
+ CVE-2016-6161.patch
+ CVE-2016-6214.patch
+ Fix_out-of-bounds_read_in_read_image_tga.patch
+ gdlib-config-uses-pkgconfig.patch
+ read_out-of-bands_in_the_parsing_of_TGA_files.patch
"
+# secfixes:
+# 2.2.1-r2:
+# - CVE-2015-8874
+# - CVE-2016-3074
+# - CVE-2016-5116
+# - CVE-2016-5766
+# - CVE-2016-6128
+# - CVE-2016-6161
+# - CVE-2016-6214
+
_builddir="$srcdir"/lib$pkgname-$_myver
prepare() {
@@ -56,11 +75,38 @@ package() {
}
md5sums="9076f3abd1f9815d106da36467ea15bc libgd-2.1.1.tar.xz
+5d47f93d43e04fd29e758a1cda35fd4a invalid_neg_size.gd2
+ffdea036b5dc25d2b4686e028cc0bcdc CVE-2015-8874.patch
1302aaf334899f086c707ebff7b27c96 CVE-2016-3074.patch
-5d47f93d43e04fd29e758a1cda35fd4a invalid_neg_size.gd2"
+c76949031da145d6e40e9a65794f86c0 CVE-2016-5116.patch
+fe62c60ecdbbe58407108a8241d6b64b CVE-2016-5766.patch
+b5855d707396a59de730af7df9ff4e5f CVE-2016-6128.patch
+e26e08aa74179306d216c7ac1e56e122 CVE-2016-6161.patch
+99ce876835b32791270da65814a96c6b CVE-2016-6214.patch
+a5948cb2f199d78a9616a7d6eaf6b7e7 Fix_out-of-bounds_read_in_read_image_tga.patch
+f63f2d68fd047cb78c67af552ddfd90b gdlib-config-uses-pkgconfig.patch
+bd87c73fe724b03ee0ffc0882ae02753 read_out-of-bands_in_the_parsing_of_TGA_files.patch"
sha256sums="9ada1ed45594abc998ebc942cef12b032fbad672e73efc22bc9ff54f5df2b285 libgd-2.1.1.tar.xz
+a90b3a76ca00e6766a600feeecf3c3fb1a6c71b256b44fe0d6e7268e54e758f3 invalid_neg_size.gd2
+d9676b643d78d25fcc76dd89934a7ceeebed4c5c3aeeda17c97901288f5ba6b5 CVE-2015-8874.patch
98908d8dda9b82c28c5903e1d42ba0f4c4604742b3648cfa224267e0a56cebfd CVE-2016-3074.patch
-a90b3a76ca00e6766a600feeecf3c3fb1a6c71b256b44fe0d6e7268e54e758f3 invalid_neg_size.gd2"
+05f48d46bbc8f2edb6175c394f1b1968a9e486c672c7f0034f386546783086c5 CVE-2016-5116.patch
+a9c43998f804f670103c388603d4b567445722fff464e1192306622ac485ddbf CVE-2016-5766.patch
+33c234de245f058f83a3349b57c296755ba128e346c153df19417250f640d586 CVE-2016-6128.patch
+6b57bc5ec9427abdb9daef8463ace7d213d39efc3a0c7179ab9c35d2cab9b17e CVE-2016-6161.patch
+02db388e6304c457259eb280618b03175aa7a667288a6d1976f4431a61c5e178 CVE-2016-6214.patch
+794f6977709e75295e3b19f7c9574bb8dc13aaf06b77cf36e512e1f1d4dd95a1 Fix_out-of-bounds_read_in_read_image_tga.patch
+2ea89fdbd443ab2a3b38e762e99c598389a12373fdcc59182fbaad0e22779270 gdlib-config-uses-pkgconfig.patch
+addf67d8e251243b19a02c91d4346cebf684e4de8e75ac0e229b9839486e99cd read_out-of-bands_in_the_parsing_of_TGA_files.patch"
sha512sums="48f444402a4b89e412870f9091b92eb26136c5c0d795722262ad973c7d4103476204a2de36133a2634b8f410d6bccdcf60afb829a74ac2fddfb96aff2cd2567b libgd-2.1.1.tar.xz
+c2402dd19525468b41f5424d42237ead46f108d8ef7f70fc8f11afa715972b474c53d792f92dd27f044f1be9b2e6a9c33eeb9434249f63055f52ac4a68b970b4 invalid_neg_size.gd2
+fd0e6094a968e16b3cc37ba5ce25118e0f1e6bcaa2ecf42834120f15dcd9b7bc8788258d774ced02677b25accbdb187b4add9bb09deab78669972aa12c583fce CVE-2015-8874.patch
91e13a5f9d2009707258613fec0549021c397b9f0b92a0e63dca9874a8f4041de1a2e04693da5e34668b154069d952735c5a4c8de9e3b6ab57b97297f8eab832 CVE-2016-3074.patch
-c2402dd19525468b41f5424d42237ead46f108d8ef7f70fc8f11afa715972b474c53d792f92dd27f044f1be9b2e6a9c33eeb9434249f63055f52ac4a68b970b4 invalid_neg_size.gd2"
+4010a85dc298292da3e82061390e6eb81578f059ae40ccac319e4e2bacfd804567cb36f162d7e5753a511f00285d15a0cf28bed381b01e268bb4398eed5705ef CVE-2016-5116.patch
+e08c7e351d6982c43f3852c4d6c174615d3e81292929d330082704d2469bfa2563db2c34bbe6dece2a2af351c89c7f4964a8723ca4453ebb75875aced61c778a CVE-2016-5766.patch
+2d028aade6b39f62bf587719031a280064006723bc6060c11266df0c8391fbd90456e0c7c0c1081b35291b58aa60b47b012278160a987c6b1659fc562c298e4f CVE-2016-6128.patch
+2df0665aecd454343c9bd801f096cd46b44d5dcc632bd0a1b03de01d797f2ebda078e4dcb20279ba33a86f30f6ae5819ad7a5c02902174cc1f185416159cf046 CVE-2016-6161.patch
+f5afe3434010b5d7e77d33b60cbc02bf7455cd0e469705900da3d4dc5451022cdaeb315ebe902bb80ddef2379bd851b57f5216e5e024a9cb2085f2932c0a3e12 CVE-2016-6214.patch
+013cb2d4751685ae0c64cdce2ddd120c209a9f6b60a20404c58c67e4a36f168a918bc048b7833c37279900255e3e687607f0740ccd0f33ee12bffe284c9dd6af Fix_out-of-bounds_read_in_read_image_tga.patch
+cbd01fa281c32806d3dac43e80760e4fb34a45d86035d7dbcdca987fdf341819708960c9aa20e2d075d97bb3b9de2652a787eab73f755d955ad4f437cb38eee3 gdlib-config-uses-pkgconfig.patch
+87468dd7b310e5488f2b877f766b2eac90561d77c44ad79df98f61d07a40f76ed7621d1f2772afeeb00bc032d144e0302ecdae8cfd442a8e0b748b039b1d27df read_out-of-bands_in_the_parsing_of_TGA_files.patch"
diff --git a/main/gd/CVE-2015-8874.patch b/main/gd/CVE-2015-8874.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2dc1547278be71e70d4fdc3521a0b5dcdc06dd13
--- /dev/null
+++ b/main/gd/CVE-2015-8874.patch
@@ -0,0 +1,28 @@
+From: =?utf-8?q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@sury.org>
+Date: Fri, 20 May 2016 09:39:38 +0200
+Subject: CVE-2015-8874
+
+---
+ src/gd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- libgd2.orig/src/gd.c
++++ libgd2/src/gd.c
+@@ -1840,6 +1840,17 @@ BGD_DECLARE(void) gdImageFillToBorder (g
+ restoreAlphaBleding = im->alphaBlendingFlag;
+ im->alphaBlendingFlag = 0;
+
++ if (x >= im->sx) {
++ x = im->sx - 1;
++ } else if (x < 0) {
++ x = 0;
++ }
++ if (y >= im->sy) {
++ y = im->sy - 1;
++ } else if (y < 0) {
++ y = 0;
++ }
++
+ for (i = x; (i >= 0); i--) {
+ if (gdImageGetPixel (im, i, y) == border) {
+ break;
diff --git a/main/gd/CVE-2016-5116.patch b/main/gd/CVE-2016-5116.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b63885f03432912934be86728560218bd94fd4b2
--- /dev/null
+++ b/main/gd/CVE-2016-5116.patch
@@ -0,0 +1,87 @@
+From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 14 May 2016 01:38:18 -0400
+Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
+
+We use the name passed in to printf into a local stack buffer which is
+limited to 4000 bytes. So given a large enough value, lots of stack
+data is leaked. Rewrite the code to do simple memory copies with most
+of the strings to avoid that issue, and only use stack buffer for small
+numbers of constant size.
+
+This closes #211.
+---
+ src/gd_xbm.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+--- libgd2.orig/src/gd_xbm.c
++++ libgd2/src/gd_xbm.c
+@@ -147,7 +147,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+ /* {{{ gdCtxPrintf */
+ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
+ {
+- char buf[4096];
++ char buf[1024];
+ int len;
+ va_list args;
+
+@@ -158,6 +158,9 @@ static void gdCtxPrintf(gdIOCtx * out, c
+ }
+ /* }}} */
+
++/* The compiler will optimize strlen(constant) to a constant number. */
++#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s))
++
+ /* {{{ gdImageXbmCtx */
+ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
+ {
+@@ -182,9 +185,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImageP
+ }
+ }
+
+- gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image));
+- gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image));
+- gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name);
++ /* Since "name" comes from the user, run it through a direct puts.
++ * Trying to printf it into a local buffer means we'd need a large
++ * or dynamic buffer to hold it all. */
++
++ /* #define <name>_width 1234 */
++ gdCtxPuts(out, "#define ");
++ gdCtxPuts(out, name);
++ gdCtxPuts(out, "_width ");
++ gdCtxPrintf(out, "%d\n", gdImageSX(image));
++
++ /* #define <name>_height 1234 */
++ gdCtxPuts(out, "#define ");
++ gdCtxPuts(out, name);
++ gdCtxPuts(out, "_height ");
++ gdCtxPrintf(out, "%d\n", gdImageSY(image));
++
++ /* static unsigned char <name>_bits[] = {\n */
++ gdCtxPuts(out, "static unsigned char ");
++ gdCtxPuts(out, name);
++ gdCtxPuts(out, "_bits[] = {\n ");
+
+ free(name);
+
+@@ -201,9 +221,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImageP
+ if ((b == 128) || (x == sx && y == sy)) {
+ b = 1;
+ if (p) {
+- gdCtxPrintf(out, ", ");
++ gdCtxPuts(out, ", ");
+ if (!(p%12)) {
+- gdCtxPrintf(out, "\n ");
++ gdCtxPuts(out, "\n ");
+ p = 12;
+ }
+ }
+@@ -215,6 +235,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImageP
+ }
+ }
+ }
+- gdCtxPrintf(out, "};\n");
++ gdCtxPuts(out, "};\n");
+ }
+ /* }}} */
diff --git a/main/gd/CVE-2016-5766.patch b/main/gd/CVE-2016-5766.patch
new file mode 100644
index 0000000000000000000000000000000000000000..57b0bcb66c6b8f8196cad17aa7e9af98c70ab84f
--- /dev/null
+++ b/main/gd/CVE-2016-5766.patch
@@ -0,0 +1,21 @@
+From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 28 Jun 2016 16:23:42 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+ _gd2GetHeader() resulting in heap overflow
+
+--- libgd2.orig/src/gd_gd2.c
++++ libgd2/src/gd_gd2.c
+@@ -156,8 +156,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, i
+ nc = (*ncx) * (*ncy);
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ sidx = sizeof (t_chunk_info) * nc;
++ if (overflow2(sidx, nc)) {
++ goto fail1;
++ }
+ cidx = gdCalloc (sidx, 1);
+- if (!cidx) {
++ if (cidx == NULL) {
+ goto fail1;
+ }
+ for (i = 0; i < nc; i++) {
diff --git a/main/gd/CVE-2016-6128.patch b/main/gd/CVE-2016-6128.patch
new file mode 100644
index 0000000000000000000000000000000000000000..83668001a7993809ad957f82016aa19cdc728ad9
--- /dev/null
+++ b/main/gd/CVE-2016-6128.patch
@@ -0,0 +1,19 @@
+From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:17:39 +0700
+Subject: [PATCH 1/5] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+--- libgd2.orig/src/gd_crop.c
++++ libgd2/src/gd_crop.c
+@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThres
+ return NULL;
+ }
+
++ if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
++ return NULL;
++ }
++
+ /* TODO: Add gdImageGetRowPtr and works with ptr at the row level
+ * for the true color and palette images
+ * new formats will simply work with ptr
diff --git a/main/gd/CVE-2016-6161.patch b/main/gd/CVE-2016-6161.patch
new file mode 100644
index 0000000000000000000000000000000000000000..835d45d39106aab8289a2431915568ae974e8e00
--- /dev/null
+++ b/main/gd/CVE-2016-6161.patch
@@ -0,0 +1,54 @@
+From 82b80dcb70a7ca8986125ff412bceddafc896842 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Sat, 14 May 2016 02:13:15 -0400
+Subject: [PATCH] gif: avoid out-of-bound reads of masks array #209
+
+When given invalid inputs, we might be fed the EOF marker before it is
+actually the EOF. The gif logic assumes once it sees the EOF marker,
+there won't be any more data, so it leaves the cur_bits index possibly
+negative. So when we get more data, we underflow the masks array.
+
+Flag it so we don't try to output anything more. The image is invalid,
+so we shouldn't be truncating any valid inputs.
+
+This fixes #209.
+---
+ src/gd_gif_out.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- libgd2.orig/src/gd_gif_out.c
++++ libgd2/src/gd_gif_out.c
+@@ -1000,15 +1000,23 @@ nomatch:
+ * code in turn. When the buffer fills up empty it and start over.
+ */
+
+-static unsigned long masks[] = {
++static const unsigned long masks[] = {
+ 0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
+ 0x001F, 0x003F, 0x007F, 0x00FF,
+ 0x01FF, 0x03FF, 0x07FF, 0x0FFF,
+ 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF
+ };
+
++/* Arbitrary value to mark output is done. When we see EOFCode, then we don't
++ * expect to see any more data. If we do (e.g. corrupt image inputs), cur_bits
++ * might be negative, so flag it to return early.
++ */
++#define CUR_BITS_FINISHED -1000
++
+ static void output(code_int code, GifCtx *ctx)
+ {
++ if (ctx->cur_bits == CUR_BITS_FINISHED)
++ return;
+ ctx->cur_accum &= masks[ctx->cur_bits];
+
+ if(ctx->cur_bits > 0) {
+@@ -1050,6 +1058,8 @@ static void output(code_int code, GifCtx
+ ctx->cur_accum >>= 8;
+ ctx->cur_bits -= 8;
+ }
++ /* Flag that it's done to prevent re-entry. */
++ ctx->cur_bits = CUR_BITS_FINISHED;
+
+ flush_char(ctx);
+ }
diff --git a/main/gd/CVE-2016-6214.patch b/main/gd/CVE-2016-6214.patch
new file mode 100644
index 0000000000000000000000000000000000000000..194aacf3cc9b42540318ea2b2ab2dcc1d4240479
--- /dev/null
+++ b/main/gd/CVE-2016-6214.patch
@@ -0,0 +1,54 @@
+From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 12 Jul 2016 19:23:13 +0200
+Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
+ gracefully
+
+Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
+really supported. All other combinations will be rejected with a warning.
+
+(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
+---
+ src/gd_tga.c | 16 ++++++----------
+ tests/tga/.gitignore | 1 +
+ tests/tga/CMakeLists.txt | 1 +
+ tests/tga/Makemodule.am | 4 +++-
+ tests/tga/bug00247a.c | 19 +++++++++++++++++++
+ tests/tga/bug00247a.tga | Bin 0 -> 36 bytes
+ 6 files changed, 30 insertions(+), 11 deletions(-)
+ create mode 100644 tests/tga/bug00247a.c
+ create mode 100644 tests/tga/bug00247a.tga
+
+--- libgd2.orig/src/gd_tga.c
++++ libgd2/src/gd_tga.c
+@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+ if (tga->bits == TGA_BPP_24) {
+ *tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
+ bitmap_caret += 3;
+- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
++ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
+ register int a = tga->bitmap[bitmap_caret + 3];
+
+ *tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
+@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *
+ printf("wxh: %i %i\n", tga->width, tga->height);
+ #endif
+
+- switch(tga->bits) {
+- case 8:
+- case 16:
+- case 24:
+- case 32:
+- break;
+- default:
+- gd_error("bps %i not supported", tga->bits);
++ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
++ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
++ {
++ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
++ tga->bits, tga->alphabits);
+ return -1;
+- break;
+ }
+
+ tga->ident = NULL;
diff --git a/main/gd/Fix_out-of-bounds_read_in_read_image_tga.patch b/main/gd/Fix_out-of-bounds_read_in_read_image_tga.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c6f2941164bca16eccedf9603b328cf50f789997
--- /dev/null
+++ b/main/gd/Fix_out-of-bounds_read_in_read_image_tga.patch
@@ -0,0 +1,65 @@
+From 2580f5df5c4a038018b28682b71923bedd5294d1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Tue, 12 Jul 2016 14:20:16 +0200
+Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga
+
+---
+ src/gd_tga.c | 34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+--- libgd2.orig/src/gd_tga.c
++++ libgd2/src/gd_tga.c
+@@ -200,7 +200,6 @@ int read_image_tga( gdIOCtx *ctx, oTga *
+ int buffer_caret = 0;
+ int bitmap_caret = 0;
+ int i = 0;
+- int j = 0;
+ uint8_t encoded_pixels;
+
+ if(overflow2(tga->width, tga->height)) {
+@@ -292,27 +291,35 @@ int read_image_tga( gdIOCtx *ctx, oTga *
+ buffer_caret = 0;
+
+ while( bitmap_caret < image_block_size ) {
+-
++
+ if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
+- encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 );
++ encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG ) + 1 );
+ buffer_caret++;
+
++ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
++ gdFree( decompression_buffer );
++ gdFree( conversion_buffer );
++ return -1;
++ }
++
+ for (i = 0; i < encoded_pixels; i++) {
+- for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
+- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
+- }
++ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size);
++ bitmap_caret += pixel_block_size;
+ }
+ buffer_caret += pixel_block_size;
+ } else {
+ encoded_pixels = decompression_buffer[ buffer_caret ] + 1;
+ buffer_caret++;
+
+- for (i = 0; i < encoded_pixels; i++) {
+- for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) {
+- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
+- }
+- buffer_caret += pixel_block_size;
++ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
++ gdFree( decompression_buffer );
++ gdFree( conversion_buffer );
++ return -1;
+ }
++
++ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size);
++ bitmap_caret += (encoded_pixels * pixel_block_size);
++ buffer_caret += (encoded_pixels * pixel_block_size);
+ }
+ }
+
diff --git a/main/gd/gdlib-config-uses-pkgconfig.patch b/main/gd/gdlib-config-uses-pkgconfig.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8230b8857d62fe3e1a82202d78b20595a3071488
--- /dev/null
+++ b/main/gd/gdlib-config-uses-pkgconfig.patch
@@ -0,0 +1,79 @@
+--- a/config/gdlib-config.in
++++ b/config/gdlib-config.in
+@@ -2,14 +2,9 @@
+ #
+ # Return information about the local GD library installation
+ #
+-# Modeled after pdflib-config
++# Modified to use pkgconfig
+
+-# installation directories
+-prefix=@prefix@
+-exec_prefix=@exec_prefix@
+-libdir=@libdir@
+-includedir=@includedir@
+-bindir=@bindir@
++pkg=gdlib
+
+ usage()
+ {
+@@ -50,43 +45,43 @@ while test $# -gt 0; do
+
+ case $1 in
+ --libdir)
+- echo $libdir
++ pkg-config --variable=libdir ${pkg}
+ ;;
+ --includedir)
+- echo $includedir
++ pkg-config --variable=includedir ${pkg}
+ ;;
+ --version)
+- echo @VERSION@
++ pkg-config --modversion ${pkg}
+ ;;
+ --majorversion)
+- echo @GDLIB_MAJOR@
++ pkg-config --modversion ${pkg} | cut -f 1 -d .
+ ;;
+ --minorversion)
+- echo @GDLIB_MINOR@
++ pkg-config --modversion ${pkg} | cut -f 2 -d .
+ ;;
+ --revision)
+- echo @GDLIB_REVISION@
++ pkg-config --modversion ${pkg} | cut -f 3 -d .
+ ;;
+ --ldflags)
+- echo @LDFLAGS@
++ pkg-config --libs-only-L ${pkg}
+ ;;
+ --libs)
+- echo -lgd @LIBS@ @LIBICONV@
++ pkg-config --libs ${pkg}
+ ;;
+ --cflags|--includes)
+- echo -I@includedir@
++ pkg-config --cflags ${pkg}
+ ;;
+ --features)
+ echo @FEATURES@
+ ;;
+ --all)
+- echo "GD library @VERSION@"
+- echo "includedir: $includedir"
+- echo "cflags: -I@includedir@"
+- echo "ldflags: @LDFLAGS@"
+- echo "libs: @LIBS@ @LIBICONV@"
+- echo "libdir: $libdir"
+- echo "features: @FEATURES@"
++ echo "GD library $($0 --version)@"
++ echo "includedir: $($0 --includedir)"
++ echo "cflags: $($0 --cflags)"
++ echo "ldflags: $($0 --ldflags)"
++ echo "libs: $($0 --libs)"
++ echo "libdir: $($0 --libdir)"
++ echo "features: $($0 --features)"
+ ;;
+ *)
+ usage 1 1>&2
diff --git a/main/gd/read_out-of-bands_in_the_parsing_of_TGA_files.patch b/main/gd/read_out-of-bands_in_the_parsing_of_TGA_files.patch
new file mode 100644
index 0000000000000000000000000000000000000000..150642ccbf09810d7fe3cbd56b08801461755d16
--- /dev/null
+++ b/main/gd/read_out-of-bands_in_the_parsing_of_TGA_files.patch
@@ -0,0 +1,37 @@
+From 921e590565deb033acafcfa9063b4563200b14b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Tue, 12 Jul 2016 11:24:09 +0200
+Subject: [PATCH 1/2] Fix #247, A read out-of-bands was found in the parsing of
+ TGA files
+
+---
+ src/gd_tga.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- libgd2.orig/src/gd_tga.c
++++ libgd2/src/gd_tga.c
+@@ -247,7 +247,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *
+ return -1;
+ }
+
+- gdGetBuf(conversion_buffer, image_block_size, ctx);
++ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
++ gdFree(conversion_buffer);
++ return -1;
++ }
+
+ while (buffer_caret < image_block_size) {
+ tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
+@@ -273,7 +276,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *
+ return -1;
+ }
+
+- gdGetBuf( conversion_buffer, image_block_size, ctx );
++ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
++ gdFree(conversion_buffer);
++ gdFree(decompression_buffer);
++ return -1;
++ }
+
+ buffer_caret = 0;
+