Commit 34bc5f16 authored by J0WI's avatar J0WI Committed by Leonardo Arena

main/gd: modernize and add security patches

CVE-2018-5711, CVE-2019-6977, CVE-2019-6978

Fixes #10086
parent 9cfec1dd
......@@ -2,23 +2,31 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=gd
pkgver=2.2.5
pkgrel=1
pkgrel=2
_pkgreal=lib$pkgname
pkgdesc="Library for the dynamic creation of images by programmers"
url="http://libgd.github.io/"
url="https://libgd.github.io/"
arch="all"
license="custom"
depends=
makedepends="bash libpng-dev libjpeg-turbo-dev libwebp-dev freetype-dev zlib-dev"
subpackages="$pkgname-dev $_pkgreal:libs"
source="https://github.com/$_pkgreal/$_pkgreal/releases/download/$pkgname-$pkgver/$_pkgreal-$pkgver.tar.xz
CVE-2016-7568.patch
CVE-2018-1000222.patch
CVE-2018-5711.patch
CVE-2019-6977.patch
CVE-2019-6978.patch
"
builddir="$srcdir/$_pkgreal-$pkgver"
options="!check"
case "$CARCH" in
aarch64|x86) options="!check" ;; # https://github.com/libgd/libgd/issues/359
esac
# secfixes:
# 2.2.5-r2:
# - CVE-2018-5711
# - CVE-2019-6977
# - CVE-2019-6978
# 2.2.5-r1:
# - CVE-2018-1000222
......@@ -32,26 +40,28 @@ build() {
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--without-fontconfig \
--disable-werror \
|| return 1
make || return 1
--disable-werror
make
}
check() {
make -C "$builddir" check
return 0
cd "$builddir"
make check
}
package() {
make -C "$builddir" DESTDIR="$pkgdir" install || return 1
cd "$builddir"
DESTDIR="$pkgdir" make install
}
dev() {
default_dev || return 1
default_dev
depends="$pkgname perl"
mv "$pkgdir"/usr/bin/bdftogd "$subpkgdir"/usr/bin
}
sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz
8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch
d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch"
d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch
b23929f10ad75fa97d2ff797ef44d185cfe6de4f26b649e8e507b6fc41ebdb527ab4633d10df955c92d677428d9ed1707d9997954a1bcfb0070995191211d886 CVE-2018-5711.patch
5214ac4148c618f3fef3bb3b6675e41a76e31465cd8dac326ee99dc1ae4cfe760749997d2941743efa48e79b8dbdb536d6b6d79d9bc4e5363f2c50da52ab5cac CVE-2019-6977.patch
2f70f041b531a23d0bac5c5370a3fb135ca8facaa7baf1554baf35135cc9c6e21de9c09400d939e133ad090b9aa23fa901ea7b5cd9ea20d11edc38257601eb97 CVE-2019-6978.patch"
From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
From: trylab <trylab@users.noreply.github.com>
Date: Tue, 6 Sep 2016 18:35:32 +0800
Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
Integer overflow can be happened in expression gdImageSX(im) * 4 *
gdImageSY(im). It could lead to heap buffer overflow in the following
code. This issue has been reported to the PHP Bug Tracking System. The
proof-of-concept file will be supplied some days later. This issue was
discovered by Ke Liu of Tencent's Xuanwu LAB.
---
src/gd_webp.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/gd_webp.c b/src/gd_webp.c
index 8eb4dee..9886399 100644
--- a/src/gd_webp.c
+++ b/src/gd_webp.c
@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
quality = 80;
}
+ if (overflow2(gdImageSX(im), 4)) {
+ return;
+ }
+
+ if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
+ return;
+ }
+
argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
if (!argb) {
return;
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 29 Nov 2017 19:37:38 +0100
Subject: Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
origin: https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5711
Bug-Debian: https://bugs.debian.org/887485
Bug: https://github.com/libgd/libgd/issues/420
Due to a signedness confusion in `GetCode_` a corrupt GIF file can
trigger an infinite loop. Furthermore we make sure that a GIF without
any palette entries is treated as invalid *after* open palette entries
have been removed.
CVE-2018-5711
See also https://bugs.php.net/bug.php?id=75571.
---
--- a/src/gd_gif_in.c
+++ b/src/gd_gif_in.c
@@ -335,11 +335,6 @@ terminated:
return 0;
}
- if(!im->colorsTotal) {
- gdImageDestroy(im);
- return 0;
- }
-
/* Check for open colors at the end, so
* we can reduce colorsTotal and ultimately
* BitsPerPixel */
@@ -351,6 +346,11 @@ terminated:
}
}
+ if(!im->colorsTotal) {
+ gdImageDestroy(im);
+ return 0;
+ }
+
return im;
}
@@ -447,7 +447,7 @@ static int
GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
{
int i, j, ret;
- unsigned char count;
+ int count;
if(flag) {
scd->curbit = 0;
Description: Heap-based buffer overflow in gdImageColorMatch
Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
Bug-PHP: https://bugs.php.net/bug.php?id=77270
Bug-Debian: https://bugs.debian.org/920645
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
Forwarded: no
Author: "Christoph M. Becker" <cmbecker69@gmx.de>
Last-Update: 2019-02-01
At least some of the image reading functions may return images which
use color indexes greater than or equal to im->colorsTotal. We cater
to this by always using a buffer size which is sufficient for
`gdMaxColors` in `gdImageColorMatch()`.
---
--- a/src/gd_color_match.c
+++ b/src/gd_color_match.c
@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
return -4; /* At least 1 color must be allocated */
}
- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
for (x=0; x < im1->sx; x++) {
for( y=0; y<im1->sy; y++ ) {
From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Thu, 17 Jan 2019 11:54:55 +0100
Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
must not call `gdDPExtractData()`; otherwise a double-free would
happen. Since `gdImage*Ctx()` are void functions, and we can't change
that for BC reasons, we're introducing static helpers which are used
internally.
We're adding a regression test for `gdImageJpegPtr()`, but not for
`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
trigger failure of the respective `gdImage*Ctx()` calls.
This potential security issue has been reported by Solmaz Salimi (aka.
Rooney).
diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
index 298a5812..d5a95346 100644
--- a/src/gd_gif_out.c
+++ b/src/gd_gif_out.c
@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
static void char_out(int c, GifCtx *ctx);
static void flush_char(GifCtx *ctx);
+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
void *rv;
gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
if (out == NULL) return NULL;
- gdImageGifCtx(im, out);
- rv = gdDPExtractData(out, size);
+ if (!_gdImageGifCtx(im, out)) {
+ rv = gdDPExtractData(out, size);
+ } else {
+ rv = NULL;
+ }
out->gd_free(out);
return rv;
}
@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
*/
BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+{
+ _gdImageGifCtx(im, out);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
{
gdImagePtr pim = 0, tim = im;
int interlace, BitsPerPixel;
@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
based temporary image. */
pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
if(!pim) {
- return;
+ return 1;
}
tim = pim;
}
@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
/* Destroy palette based temporary image. */
gdImageDestroy( pim);
}
+
+ return 0;
}
diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
index fc058420..96ef4302 100644
--- a/src/gd_jpeg.c
+++ b/src/gd_jpeg.c
@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
exit(99);
}
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
+
/*
* Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
* QUALITY. If QUALITY is in the range 0-100, increasing values
@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
void *rv;
gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
if (out == NULL) return NULL;
- gdImageJpegCtx(im, out, quality);
- rv = gdDPExtractData(out, size);
+ if (!_gdImageJpegCtx(im, out, quality)) {
+ rv = gdDPExtractData(out, size);
+ } else {
+ rv = NULL;
+ }
out->gd_free(out);
return rv;
}
@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
*/
BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+{
+ _gdImageJpegCtx(im, outfile, quality);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
{
struct jpeg_compress_struct cinfo;
struct jpeg_error_mgr jerr;
@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
if(row) {
gdFree(row);
}
- return;
+ return 1;
}
cinfo.err->emit_message = jpeg_emit_message;
@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
if(row == 0) {
gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
jpeg_destroy_compress(&cinfo);
- return;
+ return 1;
}
rowptr[0] = row;
@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
jpeg_finish_compress(&cinfo);
jpeg_destroy_compress(&cinfo);
gdFree(row);
+ return 0;
}
diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
index f19a1c96..a49bdbec 100644
--- a/src/gd_wbmp.c
+++ b/src/gd_wbmp.c
@@ -88,6 +88,8 @@ int gd_getin(void *in)
return (gdGetC((gdIOCtx *)in));
}
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
+
/*
Function: gdImageWBMPCtx
@@ -100,6 +102,12 @@ int gd_getin(void *in)
out - the stream where to write
*/
BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+{
+ _gdImageWBMPCtx(image, fg, out);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
{
int x, y, pos;
Wbmp *wbmp;
@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
/* create the WBMP */
if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
gd_error("Could not create WBMP\n");
- return;
+ return 1;
}
/* fill up the WBMP structure */
@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
/* write the WBMP to a gd file descriptor */
if(writewbmp(wbmp, &gd_putout, out)) {
+ freewbmp(wbmp);
gd_error("Could not save WBMP\n");
+ return 1;
}
/* des submitted this bugfix: gdFree the memory. */
freewbmp(wbmp);
+
+ return 0;
}
/*
@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
void *rv;
gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
if (out == NULL) return NULL;
- gdImageWBMPCtx(im, fg, out);
- rv = gdDPExtractData(out, size);
+ if (!_gdImageWBMPCtx(im, fg, out)) {
+ rv = gdDPExtractData(out, size);
+ } else {
+ rv = NULL;
+ }
out->gd_free(out);
return rv;
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment