- security update:

* CVE-2018-1000222 [bsc#1105434] + gd-CVE-2018-1000222.patch OBS-URL: https://build.opensuse.org/package/show/graphics/gd?expand=0&rev=47
2018-08-27 14:00:39 +00:00
parent 9d924ad019
commit 01b36df437
3 changed files with 73 additions and 0 deletions
--- a/gd-CVE-2018-1000222.patch
+++ b/gd-CVE-2018-1000222.patch
@@ -0,0 +1,64 @@
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c
+index bde0b9d3..78f40d9a 100644
+--- a/src/gd_bmp.c
+++ b/src/gd_bmp.c
+@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
+ static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
+ static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
+ 
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
+
+ #define BMP_DEBUG(s)
+ 
+ static int gdBMPPutWord(gdIOCtx *out, int w)
+@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageBmpCtx(im, out, compression);
+-	rv = gdDPExtractData(out, size);
+	if (!_gdImageBmpCtx(im, out, compression))
+		rv = gdDPExtractData(out, size);
+	else
+		rv = NULL;
+ 	out->gd_free(out);
+ 	return rv;
+ }
+@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
+ 		compression - whether to apply RLE or not.
+ */
+ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+{
+	_gdImageBmpCtx(im, out, compression);
+}
+
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ {
+ 	int bitmap_size = 0, info_size, total_size, padding;
+ 	int i, row, xpos, pixel;
+@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ 	unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
+ 	FILE *tmpfile_for_compression = NULL;
+ 	gdIOCtxPtr out_original = NULL;
+	int ret = 1;
+ 
+ 	/* No compression if its true colour or we don't support seek */
+ 	if (im->trueColor) {
+@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ 		out_original = NULL;
+ 	}
+ 
+	ret = 0;
+ cleanup:
+ 	if (tmpfile_for_compression) {
+ #ifdef _WIN32
+@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ 	if (out_original) {
+ 		out_original->gd_free(out_original);
+ 	}
+-	return;
+	return ret;
+ }
+ 
+ static int compress_row(unsigned char *row, int length)
+
--- a/gd.changes
+++ b/gd.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Aug 27 13:45:14 UTC 2018 - pgajdos@suse.com
+
+- security update:
+  * CVE-2018-1000222 [bsc#1105434]
+    + gd-CVE-2018-1000222.patch
+
 -------------------------------------------------------------------
 Tue Mar 13 13:31:37 UTC 2018 - crrodriguez@opensuse.org

--- a/gd.spec
+++ b/gd.spec
@@ -35,6 +35,7 @@ Patch2:         gd-format.patch
 Patch3:         gd-aliasing.patch
 Patch4:         gd-CVE-2018-5711.patch
 Patch5:         libgd-config.patch
+Patch6:         gd-CVE-2018-1000222.patch
 # needed for tests
 BuildRequires:  dejavu
 BuildRequires:  libjpeg-devel
@@ -84,6 +85,7 @@ the formats accepted for inline images by most browsers.
 %patch3
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 chmod 644 COPYING

 %build