commit 27e4968cb1e75daf1e463806fba9235a1b174eb5
parent 31cecc6e7a1afcd4b8da056696d83eb12aaa1866
Author: aabacchus <ben@bvnf.space>
Date: Wed, 12 May 2021 00:10:41 +0100
gd: bump to 2.3.2
Diffstat:
8 files changed, 3 insertions(+), 375 deletions(-)
diff --git a/gd/build b/gd/build
@@ -1,9 +1,5 @@
#!/bin/sh -e
-for patch in *.patch; do
- patch -p1 < "$patch"
-done
-
autoreconf -fis
./configure \
diff --git a/gd/checksums b/gd/checksums
@@ -1,5 +1 @@
-199874fdb006de0911819234104ffa84338e98e82fefbac042a58a3f8272a7df
-43b665d906b16693ca6dfacdf16fcce4e0ff55442d1eae7ff6b70f689c3c08f1
-84dd86ea6f8409e9bf152e3fff56e170b5249a3584d34327c0425f84c8136cc4
-dda3bb5f3582f09c5d013e800a37e38b8e817d4d036c52e169944646fe513ece
-4f191c9db122edf3aaba24b7ad6efce4e839ae30ec004c24621b2e0b5261359c
+dcc22244d775f469bee21dce1ea42552adbb72ba0cc423f9fa6a64601b3a1893
diff --git a/gd/patches/CVE-2018-1000222.patch b/gd/patches/CVE-2018-1000222.patch
@@ -1,73 +0,0 @@
-From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 14 Jul 2018 13:54:08 -0400
-Subject: [PATCH] bmp: check return value in gdImageBmpPtr
-
-Closes #447.
----
- src/gd_bmp.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/src/gd_bmp.c b/src/gd_bmp.c
-index bde0b9d3..78f40d9a 100644
---- a/src/gd_bmp.c
-+++ b/src/gd_bmp.c
-@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
- static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
- static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
-
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
-+
- #define BMP_DEBUG(s)
-
- static int gdBMPPutWord(gdIOCtx *out, int w)
-@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
- void *rv;
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- if (out == NULL) return NULL;
-- gdImageBmpCtx(im, out, compression);
-- rv = gdDPExtractData(out, size);
-+ if (!_gdImageBmpCtx(im, out, compression))
-+ rv = gdDPExtractData(out, size);
-+ else
-+ rv = NULL;
- out->gd_free(out);
- return rv;
- }
-@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
- compression - whether to apply RLE or not.
- */
- BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
-+{
-+ _gdImageBmpCtx(im, out, compression);
-+}
-+
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- {
- int bitmap_size = 0, info_size, total_size, padding;
- int i, row, xpos, pixel;
-@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
- FILE *tmpfile_for_compression = NULL;
- gdIOCtxPtr out_original = NULL;
-+ int ret = 1;
-
- /* No compression if its true colour or we don't support seek */
- if (im->trueColor) {
-@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- out_original = NULL;
- }
-
-+ ret = 0;
- cleanup:
- if (tmpfile_for_compression) {
- #ifdef _WIN32
-@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- if (out_original) {
- out_original->gd_free(out_original);
- }
-- return;
-+ return ret;
- }
-
- static int compress_row(unsigned char *row, int length)
diff --git a/gd/patches/CVE-2018-5711.patch b/gd/patches/CVE-2018-5711.patch
@@ -1,53 +0,0 @@
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Wed, 29 Nov 2017 19:37:38 +0100
-Subject: Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
-origin: https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5711
-Bug-Debian: https://bugs.debian.org/887485
-Bug: https://github.com/libgd/libgd/issues/420
-
-Due to a signedness confusion in `GetCode_` a corrupt GIF file can
-trigger an infinite loop. Furthermore we make sure that a GIF without
-any palette entries is treated as invalid *after* open palette entries
-have been removed.
-
-CVE-2018-5711
-
-See also https://bugs.php.net/bug.php?id=75571.
----
-
---- a/src/gd_gif_in.c
-+++ b/src/gd_gif_in.c
-@@ -335,11 +335,6 @@ terminated:
- return 0;
- }
-
-- if(!im->colorsTotal) {
-- gdImageDestroy(im);
-- return 0;
-- }
--
- /* Check for open colors at the end, so
- * we can reduce colorsTotal and ultimately
- * BitsPerPixel */
-@@ -351,6 +346,11 @@ terminated:
- }
- }
-
-+ if(!im->colorsTotal) {
-+ gdImageDestroy(im);
-+ return 0;
-+ }
-+
- return im;
- }
-
-@@ -447,7 +447,7 @@ static int
- GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
- {
- int i, j, ret;
-- unsigned char count;
-+ int count;
-
- if(flag) {
- scd->curbit = 0;
diff --git a/gd/patches/CVE-2019-6977.patch b/gd/patches/CVE-2019-6977.patch
@@ -1,28 +0,0 @@
-Description: Heap-based buffer overflow in gdImageColorMatch
-Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
-Bug-PHP: https://bugs.php.net/bug.php?id=77270
-Bug-Debian: https://bugs.debian.org/920645
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
-Forwarded: no
-Author: "Christoph M. Becker" <cmbecker69@gmx.de>
-Last-Update: 2019-02-01
-
-At least some of the image reading functions may return images which
-use color indexes greater than or equal to im->colorsTotal. We cater
-to this by always using a buffer size which is sufficient for
-`gdMaxColors` in `gdImageColorMatch()`.
----
-
---- a/src/gd_color_match.c
-+++ b/src/gd_color_match.c
-@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
- return -4; /* At least 1 color must be allocated */
- }
-
-- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
-- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
-+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
-+ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
-
- for (x=0; x < im1->sx; x++) {
- for( y=0; y<im1->sy; y++ ) {
diff --git a/gd/patches/CVE-2019-6978.patch b/gd/patches/CVE-2019-6978.patch
@@ -1,206 +0,0 @@
-From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Thu, 17 Jan 2019 11:54:55 +0100
-Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
-
-Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
-must not call `gdDPExtractData()`; otherwise a double-free would
-happen. Since `gdImage*Ctx()` are void functions, and we can't change
-that for BC reasons, we're introducing static helpers which are used
-internally.
-
-We're adding a regression test for `gdImageJpegPtr()`, but not for
-`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
-trigger failure of the respective `gdImage*Ctx()` calls.
-
-This potential security issue has been reported by Solmaz Salimi (aka.
-Rooney).
-
-diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
-index 298a5812..d5a95346 100644
---- a/src/gd_gif_out.c
-+++ b/src/gd_gif_out.c
-@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
- static void char_out(int c, GifCtx *ctx);
- static void flush_char(GifCtx *ctx);
-
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
-
-
-
-@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
- void *rv;
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- if (out == NULL) return NULL;
-- gdImageGifCtx(im, out);
-- rv = gdDPExtractData(out, size);
-+ if (!_gdImageGifCtx(im, out)) {
-+ rv = gdDPExtractData(out, size);
-+ } else {
-+ rv = NULL;
-+ }
- out->gd_free(out);
- return rv;
- }
-@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
-
- */
- BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
-+{
-+ _gdImageGifCtx(im, out);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- {
- gdImagePtr pim = 0, tim = im;
- int interlace, BitsPerPixel;
-@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- based temporary image. */
- pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
- if(!pim) {
-- return;
-+ return 1;
- }
- tim = pim;
- }
-@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- /* Destroy palette based temporary image. */
- gdImageDestroy( pim);
- }
-+
-+ return 0;
- }
-
-
-diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
-index fc058420..96ef4302 100644
---- a/src/gd_jpeg.c
-+++ b/src/gd_jpeg.c
-@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
- exit(99);
- }
-
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
-+
- /*
- * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
- * QUALITY. If QUALITY is in the range 0-100, increasing values
-@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
- void *rv;
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- if (out == NULL) return NULL;
-- gdImageJpegCtx(im, out, quality);
-- rv = gdDPExtractData(out, size);
-+ if (!_gdImageJpegCtx(im, out, quality)) {
-+ rv = gdDPExtractData(out, size);
-+ } else {
-+ rv = NULL;
-+ }
- out->gd_free(out);
- return rv;
- }
-@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
-
- */
- BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
-+{
-+ _gdImageJpegCtx(im, outfile, quality);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- {
- struct jpeg_compress_struct cinfo;
- struct jpeg_error_mgr jerr;
-@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- if(row) {
- gdFree(row);
- }
-- return;
-+ return 1;
- }
-
- cinfo.err->emit_message = jpeg_emit_message;
-@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- if(row == 0) {
- gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
- jpeg_destroy_compress(&cinfo);
-- return;
-+ return 1;
- }
-
- rowptr[0] = row;
-@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- jpeg_finish_compress(&cinfo);
- jpeg_destroy_compress(&cinfo);
- gdFree(row);
-+ return 0;
- }
-
-
-diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
-index f19a1c96..a49bdbec 100644
---- a/src/gd_wbmp.c
-+++ b/src/gd_wbmp.c
-@@ -88,6 +88,8 @@ int gd_getin(void *in)
- return (gdGetC((gdIOCtx *)in));
- }
-
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
-+
- /*
- Function: gdImageWBMPCtx
-
-@@ -100,6 +102,12 @@ int gd_getin(void *in)
- out - the stream where to write
- */
- BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
-+{
-+ _gdImageWBMPCtx(image, fg, out);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
- {
- int x, y, pos;
- Wbmp *wbmp;
-@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
- /* create the WBMP */
- if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
- gd_error("Could not create WBMP\n");
-- return;
-+ return 1;
- }
-
- /* fill up the WBMP structure */
-@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
-
- /* write the WBMP to a gd file descriptor */
- if(writewbmp(wbmp, &gd_putout, out)) {
-+ freewbmp(wbmp);
- gd_error("Could not save WBMP\n");
-+ return 1;
- }
-
- /* des submitted this bugfix: gdFree the memory. */
- freewbmp(wbmp);
-+
-+ return 0;
- }
-
- /*
-@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
- void *rv;
- gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
- if (out == NULL) return NULL;
-- gdImageWBMPCtx(im, fg, out);
-- rv = gdDPExtractData(out, size);
-+ if (!_gdImageWBMPCtx(im, fg, out)) {
-+ rv = gdDPExtractData(out, size);
-+ } else {
-+ rv = NULL;
-+ }
- out->gd_free(out);
- return rv;
- }
diff --git a/gd/sources b/gd/sources
@@ -1,5 +1 @@
-https://github.com/libgd/libgd/archive/gd-2.2.5.tar.gz
-patches/CVE-2018-1000222.patch
-patches/CVE-2018-5711.patch
-patches/CVE-2019-6977.patch
-patches/CVE-2019-6978.patch
+https://github.com/libgd/libgd/archive/refs/tags/gd-2.3.2.tar.gz
diff --git a/gd/version b/gd/version
@@ -1 +1 @@
-2.2.5 1
+2.3.2 1
