Accepting request 432049 from home:badshah400:branches:graphics

- Update to version 2.2.3:
- Drop upstreamed patches:
- Add BuildRequires for automake and autoconf since
  gd-disable-freetype27-failed-tests.patch touches makefiles.
- Drop getver.pl from source: included in upstream tarball.
- Add "-msse -mfpmath=sse" to CFLAGS to fix tests on ix86
  architectures.
- Add "-ffp-contract=off" to CFLAGS for non-ix86 arch (ppc, arm)
  to fix a test: see gh#libgd/libgd#278.
- Add gd-test-unintialized-var.patch to fix an uninitialised
  variable in tests/gd2/gd2_read.c to prevent it from failing to
  compile with -Werror (only causes problems on non-ix86 archs,
  surprisingly); patch sent upstream.
- Rebase gd-disable-freetype27-failed-tests.patch for updated
  version.
- Update URL and Source to project's new GitHub URLs.

OBS-URL: https://build.opensuse.org/request/show/432049
OBS-URL: https://build.opensuse.org/package/show/graphics/gd?expand=0&rev=32
Ismail Dönmez 2016-09-30 17:02:24 +00:00 committed by Git OBS Bridge
parent 25745403db
commit 801d752d5d
12 changed files with 114 additions and 358 deletions


@ -1,90 +0,0 @@
From 4dc1a2d7931017d3625f2d7cff70a17ce58b53b4 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 14 May 2016 01:38:18 -0400
Subject: [PATCH] xbm: avoid stack overflow (read) with large names #211
We use the name passed in to printf into a local stack buffer which is
limited to 4000 bytes. So given a large enough value, lots of stack
data is leaked. Rewrite the code to do simple memory copies with most
of the strings to avoid that issue, and only use stack buffer for small
numbers of constant size.
This closes #211.
---
src/gd_xbm.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/src/gd_xbm.c b/src/gd_xbm.c
index 74d839b..d28fdfc 100644
--- a/src/gd_xbm.c
+++ b/src/gd_xbm.c
@@ -180,7 +180,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm(FILE * fd)
/* {{{ gdCtxPrintf */
static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
{
- char buf[4096];
+ char buf[1024];
int len;
va_list args;
@@ -191,6 +191,9 @@ static void gdCtxPrintf(gdIOCtx * out, const char *format, ...)
}
/* }}} */
+/* The compiler will optimize strlen(constant) to a constant number. */
+#define gdCtxPuts(out, s) out->putBuf(out, s, strlen(s))
+
/* {{{ gdImageXbmCtx */
BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOCtx * out)
{
@@ -215,9 +218,26 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
}
}
- gdCtxPrintf(out, "#define %s_width %d\n", name, gdImageSX(image));
- gdCtxPrintf(out, "#define %s_height %d\n", name, gdImageSY(image));
- gdCtxPrintf(out, "static unsigned char %s_bits[] = {\n ", name);
+ /* Since "name" comes from the user, run it through a direct puts.
+ * Trying to printf it into a local buffer means we'd need a large
+ * or dynamic buffer to hold it all. */
+
+ /* #define <name>_width 1234 */
+ gdCtxPuts(out, "#define ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_width ");
+ gdCtxPrintf(out, "%d\n", gdImageSX(image));
+
+ /* #define <name>_height 1234 */
+ gdCtxPuts(out, "#define ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_height ");
+ gdCtxPrintf(out, "%d\n", gdImageSY(image));
+
+ /* static unsigned char <name>_bits[] = {\n */
+ gdCtxPuts(out, "static unsigned char ");
+ gdCtxPuts(out, name);
+ gdCtxPuts(out, "_bits[] = {\n ");
free(name);
@@ -234,9 +254,9 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
if ((b == 128) || (x == sx && y == sy)) {
b = 1;
if (p) {
- gdCtxPrintf(out, ", ");
+ gdCtxPuts(out, ", ");
if (!(p%12)) {
- gdCtxPrintf(out, "\n ");
+ gdCtxPuts(out, "\n ");
p = 12;
}
}
@@ -248,6 +268,6 @@ BGD_DECLARE(void) gdImageXbmCtx(gdImagePtr image, char* file_name, int fg, gdIOC
}
}
}
- gdCtxPrintf(out, "};\n");
+ gdCtxPuts(out, "};\n");
}
/* }}} */


@ -1,40 +0,0 @@
From 921e590565deb033acafcfa9063b4563200b14b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Tue, 12 Jul 2016 11:24:09 +0200
Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
files
---
src/gd_tga.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/gd_tga.c b/src/gd_tga.c
index ef20f86..07f3c86 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -237,7 +237,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
return -1;
}
- gdGetBuf(conversion_buffer, image_block_size, ctx);
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ return -1;
+ }
while (buffer_caret < image_block_size) {
tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
@@ -261,7 +264,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
return -1;
}
- gdGetBuf( conversion_buffer, image_block_size, ctx );
+ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
+ gdFree(conversion_buffer);
+ gdFree(decompression_buffer);
+ return -1;
+ }
buffer_caret = 0;


@ -1,54 +0,0 @@
From 10ef1dca63d62433fda13309b4a228782db823f7 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 12 Jul 2016 19:23:13 +0200
Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
gracefully
Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
really supported. All other combinations will be rejected with a warning.
---
src/gd_tga.c | 16 ++++++----------
tests/tga/.gitignore | 1 +
tests/tga/CMakeLists.txt | 1 +
tests/tga/Makemodule.am | 4 +++-
tests/tga/bug00247a.c | 19 +++++++++++++++++++
tests/tga/bug00247a.tga | Bin 0 -> 36 bytes
6 files changed, 30 insertions(+), 11 deletions(-)
create mode 100644 tests/tga/bug00247a.c
create mode 100644 tests/tga/bug00247a.tga
diff --git a/src/gd_tga.c b/src/gd_tga.c
index 20fe2d2..b4f8fa6 100644
--- a/src/gd_tga.c
+++ b/src/gd_tga.c
@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
if (tga->bits == TGA_BPP_24) {
*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
bitmap_caret += 3;
- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
+ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
register int a = tga->bitmap[bitmap_caret + 3];
*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
printf("wxh: %i %i\n", tga->width, tga->height);
#endif
- switch(tga->bits) {
- case 8:
- case 16:
- case 24:
- case 32:
- break;
- default:
- gd_error("bps %i not supported", tga->bits);
+ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
+ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
+ {
+ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
+ tga->bits, tga->alphabits);
return -1;
- break;
}
tga->ident = NULL;


@ -1,65 +0,0 @@
From 3c2b605d72e8b080dace1d98a6e50b46c1d12186 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Tue, 12 Jul 2016 14:20:16 +0200
Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga
---
src/gd_tga.c | 34 ++++++++++++++++++++++++++--------
1 file changed, 26 insertions(+), 8 deletions(-)
Index: libgd-2.1.1/src/gd_tga.c
===================================================================
--- libgd-2.1.1.orig/src/gd_tga.c 2015-01-06 10:16:03.000000000 +0100
+++ libgd-2.1.1/src/gd_tga.c 2016-08-23 13:15:45.975724158 +0200
@@ -200,7 +200,6 @@ int read_image_tga( gdIOCtx *ctx, oTga *
int buffer_caret = 0;
int bitmap_caret = 0;
int i = 0;
- int j = 0;
uint8_t encoded_pixels;
if(overflow2(tga->width, tga->height)) {
@@ -287,25 +286,34 @@ int read_image_tga( gdIOCtx *ctx, oTga *
while( bitmap_caret < image_block_size ) {
if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
- encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 );
+ encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG ) + 1 );
buffer_caret++;
+ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
+ gdFree( decompression_buffer );
+ gdFree( conversion_buffer );
+ return -1;
+ }
+
for (i = 0; i < encoded_pixels; i++) {
- for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
- }
+ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size);
+ bitmap_caret += pixel_block_size;
}
buffer_caret += pixel_block_size;
+
} else {
encoded_pixels = decompression_buffer[ buffer_caret ] + 1;
buffer_caret++;
- for (i = 0; i < encoded_pixels; i++) {
- for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) {
- tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
- }
- buffer_caret += pixel_block_size;
+ if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
+ gdFree( decompression_buffer );
+ gdFree( conversion_buffer );
+ return -1;
}
+
+ memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size);
+ bitmap_caret += (encoded_pixels * pixel_block_size);
+ buffer_caret += (encoded_pixels * pixel_block_size);
}
}


@ -4,28 +4,44 @@ tests for now, as the impact is understood to be "slight". See discussion
in the issue tracker.
Issue: https://github.com/libgd/libgd/issues/302
Index: libgd-2.1.1/tests/Makefile.am
Index: libgd-2.2.3/tests/CMakeLists.txt
===================================================================
--- libgd-2.1.1.orig/tests/Makefile.am
+++ libgd-2.1.1/tests/Makefile.am
@@ -138,7 +138,6 @@ check_PROGRAMS += \
gdtiled/bug00032
endif
check_PROGRAMS += \
- gdimagestringft/gdimagestringft_bbox \
gdimagearc/bug00079 \
gdimageline/gdimageline_aa \
gdimageline/bug00072 \
@@ -200,11 +199,6 @@ check_PROGRAMS += \
tiff/tiff_im2im
endif
--- libgd-2.2.3.orig/tests/CMakeLists.txt
+++ libgd-2.2.3/tests/CMakeLists.txt
@@ -19,7 +19,6 @@ if (BUILD_TEST)
-if HAVE_LIBFREETYPE
-check_PROGRAMS +=
- freetype/bug00132
-endif
-
LDADD = libgdtest.a ../src/libgd.la
AM_CPPFLAGS = -I$(top_srcdir)/src -I $(top_srcdir)/tests/gdtest
SET(TESTS_DIRS
bmp
- freetype
gd
gd2
gdimagearc
@@ -50,7 +49,6 @@ if (BUILD_TEST)
gdimagescale
gdimagescatterex
gdimagesetpixel
- gdimagestringft
gdimagestringftex
gdimagetruecolortopalette
gdinterpolatedscale
Index: libgd-2.2.3/tests/Makefile.am
===================================================================
--- libgd-2.2.3.orig/tests/Makefile.am
+++ libgd-2.2.3/tests/Makefile.am
@@ -13,7 +13,6 @@ EXTRA_DIST =
TESTS =
include bmp/Makemodule.am
-include freetype/Makemodule.am
include gd/Makemodule.am
include gd2/Makemodule.am
include gdimagearc/Makemodule.am
@@ -44,7 +43,6 @@ include gdimagerotate/Makemodule.am
include gdimagescale/Makemodule.am
include gdimagescatterex/Makemodule.am
include gdimagesetpixel/Makemodule.am
-include gdimagestringft/Makemodule.am
include gdimagestringftex/Makemodule.am
include gdimagetruecolortopalette/Makemodule.am
include gdinterpolatedscale/Makemodule.am
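Review bot: The rebased patch appears to disable tests at directory level: `freetype` and `gdimagestringft` are dropped from `TESTS_DIRS` in tests/CMakeLists.txt, and `include freetype/Makemodule.am` and `include gdimagestringft/Makemodule.am` are dropped from tests/Makefile.am. The 2.1.1 version removed only `gdimagestringft/gdimagestringft_bbox` and `freetype/bug00132`. If either directory holds other test programs in 2.2.3 (not visible here), they silently stop running in %check, which reduces regression coverage of the FreeType text-rendering path. Either narrow the patch to the failing programs, or record the scope in the patch header, for example `Note: freetype/ and gdimagestringft/ are disabled as whole directories; re-enable once https://github.com/libgd/libgd/issues/302 is resolved.`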


@ -1,24 +0,0 @@
--- src/webpimg.c.orig 2015-01-06 10:16:03.000000000 +0100
+++ src/webpimg.c 2015-05-12 15:02:50.784722900 +0200
@@ -711,14 +711,14 @@
codec_ctl(&enc, VP8E_SET_STATIC_THRESHOLD, 0);
codec_ctl(&enc, VP8E_SET_TOKEN_PARTITIONS, 2);
- vpx_img_wrap(&img, IMG_FMT_I420,
+ vpx_img_wrap(&img, VPX_IMG_FMT_I420,
y_width, y_height, 16, (uint8*)(Y));
- img.planes[PLANE_Y] = (uint8*)(Y);
- img.planes[PLANE_U] = (uint8*)(U);
- img.planes[PLANE_V] = (uint8*)(V);
- img.stride[PLANE_Y] = y_stride;
- img.stride[PLANE_U] = uv_stride;
- img.stride[PLANE_V] = uv_stride;
+ img.planes[VPX_PLANE_Y] = (uint8*)(Y);
+ img.planes[VPX_PLANE_U] = (uint8*)(U);
+ img.planes[VPX_PLANE_V] = (uint8*)(V);
+ img.stride[VPX_PLANE_Y] = y_stride;
+ img.stride[VPX_PLANE_U] = uv_stride;
+ img.stride[VPX_PLANE_V] = uv_stride;
res = vpx_codec_encode(&enc, &img, 0, 1, 0, VPX_DL_BEST_QUALITY);


@ -0,0 +1,13 @@
Index: libgd-2.2.3/tests/gd2/gd2_read.c
===================================================================
--- libgd-2.2.3.orig/tests/gd2/gd2_read.c
+++ libgd-2.2.3/tests/gd2/gd2_read.c
@@ -5,7 +5,7 @@
int main(int argc, char *argv[])
{
- int error, i = 0;
+ int error = 0, i = 0;
gdImagePtr im, exp;
FILE *fp;
char *path[] = {


@ -1,3 +1,45 @@
-------------------------------------------------------------------
Fri Sep 30 14:59:25 UTC 2016 - badshah400@gmail.com
- Update to version 2.2.3:
+ Security fixes:
- Php bug#72339, Integer Overflow in _gd2GetHeader
(CVE-2016-5766)
- Issue gh/libgd/libgd#247: A read out-of-bands was found in
the parsing of TGA files (CVE-2016-6132)
- Issue gh/libgd/libgd#247: Buffer over-read issue when
parsing crafted TGA file (CVE-2016-6214)
- Issue gh/libgd/libgd#248: fix Out-Of-Bounds Read in
read_image_tga
- Integer overflow error within _gdContributionsAlloc()
(CVE-2016-6207)
- Fix php bug#72494, invalid color index not handled, can lead
to crash (CVE-2016-6128)
+ Improve color check for CropThreshold
+ gdImageCopyResampled has been improved. Better handling of
images with alpha channel, also brings libgd in sync with
php's bundled gd.
- Drop patches:
+ gd-CVE-2016-5116.patch: upstreamed
+ gd-CVE-2016-6132.patch: upstreamed
+ gd-CVE-2016-6214.patch: upstreamed
+ gd-CVE-2016-6905.patch: upstreamed
+ gd-libvpx.patch: vpx support dropped.
- Add BuildRequires for automake and autoconf since
gd-disable-freetype27-failed-tests.patch touches makefiles.
- Drop getver.pl from source: included in upstream tarball.
- Add "-msse -mfpmath=sse" to CFLAGS to fix tests on ix86
architectures.
- Add "-ffp-contract=off" to CFLAGS for non-ix86 arch (ppc, arm)
to fix a test: see gh#libgd/libgd#278.
- Add gd-test-unintialized-var.patch to fix an uninitialised
variable in tests/gd2/gd2_read.c to prevent it from compiling
with -Werror (only causes problems in no ix86 arch
surprisingly); patch sent upstream.
- Rebase gd-disable-freetype27-failed-tests.patch for updated
version.
- Update URL and Source to project's new github URL's.
-------------------------------------------------------------------
Thu Sep 29 14:06:53 UTC 2016 - badshah400@gmail.com

38
gd.spec

@ -21,15 +21,14 @@
%define lname libgd3
Name: gd
Version: 2.1.1
Version: 2.2.3
Release: 0
Summary: A Drawing Library for Programs That Use PNG and JPEG Output
License: MIT
Group: System/Libraries
Url: http://libgd.bitbucket.org/
Source: https://bitbucket.org/libgd/gd-libgd/downloads/libgd-%{version}.tar.xz
Url: https://libgd.github.io/
Source: https://github.com/libgd/libgd/releases/download/%{name}-%{version}/%{prjname}-%{version}.tar.xz
Source1: baselibs.conf
Source2: getver.pl
# to be upstreamed, gdlib-config --libs to return the same as pkg-config --libs gdlib
Patch0: gd-config.patch
# might be upstreamed, but could be suse specific also (/usr/share/fonts/Type1 font dir)
@ -38,14 +37,12 @@ Patch1: gd-fontpath.patch
Patch2: gd-format.patch
# could be upstreamed
Patch3: gd-aliasing.patch
# could be upstreamed
Patch4: gd-libvpx.patch
Patch5: gd-CVE-2016-5116.patch
Patch6: gd-CVE-2016-6132.patch
Patch7: gd-CVE-2016-6214.patch
Patch8: gd-CVE-2016-6905.patch
# PATCH-FIX-UPSTREAM gd-disable-freetype27-failed-tests.patch gh#libgd/libgd#302 badshah400@gmail.com -- Disable for now tests failing against freetype >= 2.7 for being too exact.
Patch9: gd-disable-freetype27-failed-tests.patch
Patch5: gd-disable-freetype27-failed-tests.patch
# PATCH-FIX-UPSTREAM gd-test-unintialized-var.patch badshah400@gmail.com -- Initialise a variable in tests/gd2/gd2_read.c to 0 to prevent it from failing to compile with -Werror (only causes problems in no ix86 arch surprisingly); patch sent upstream
Patch6: gd-test-unintialized-var.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: fontconfig-devel
BuildRequires: freetype2-devel
BuildRequires: libjpeg-devel
@ -100,19 +97,20 @@ the formats accepted for inline images by most browsers.
%patch1
%patch2
%patch3
%patch4
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build
# this file is errorneously forgotten from the tarball
# remove in next release to 2.1.1
cp %{SOURCE2} config/getver.pl
perl config/getver.pl
autoreconf -fiv
# ADDITIONAL CFLAGS ARE NEEDED TO FIX TEST FAILURES IN CASE OF i586, BUT HARMLESS TO APPLY GENERALLY FOR ALL ix86
%ifarch %{ix86}
CFLAGS="$CFLAGS -msse -mfpmath=sse"
export CFLAGS
%else
CFLAGS="$CFLAGS -ffp-contract=off"
%endif
# without-x -- useless switch which just mangles cflags
%configure \
--without-x \
@ -123,6 +121,7 @@ autoreconf -fiv
--with-xpm \
--disable-static \
--with-pic
make %{?_smp_mflags}
%check
@ -130,6 +129,7 @@ make check %{?_smp_mflags}
%install
make DESTDIR=%{buildroot} install %{?_smp_mflags}
find %{buildroot} -type f -name "*.la" -delete -print
%post -n %lname -p /sbin/ldconfig
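Review bot: The new CFLAGS lines in %build extend `$CFLAGS` rather than `%{optflags}`, which risks building the library without the distribution's compiler flags. If CFLAGS is not already set when the scriptlet runs, the result is a non-empty value holding only the extra flags, and `%configure` usually falls back to `%{optflags}` only when CFLAGS is empty. That would drop the optimisation and hardening options from a library that parses untrusted image files. The `%else` branch also lacks the `export CFLAGS` that the `%ifarch %{ix86}` branch has. Suggest `export CFLAGS="%{optflags} -msse -mfpmath=sse"` and `export CFLAGS="%{optflags} -ffp-contract=off"` for the two branches.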


@ -1,42 +0,0 @@
#!/usr/bin/env perl
# Simple script to extract the version number parts from src/gd.h. If
# called with the middle word of the version macro, it prints the
# value of that macro. If called with no argument, it outputs a
# human-readable version string. This must be run in the project
# root. It is used by configure.ac and docs/naturaldocs/run_docs.sh.
use strict;
my $key = shift;
my @version_parts = ();
open FH, "<src/gd.h" # old-style filehandle for max. portability
or die "Unable to open 'version.h' for reading.\n";
while(<FH>) {
next unless m{version605b5d1778};
next unless /^#define\s+GD_([A-Z0-9]+)_VERSION+\s+(\S+)/;
my ($lk, $lv) = ($1, $2);
if ($lk eq $key) {
chomp $lv;
$lv =~ s/"//g;
print $lv; # no newline
exit(0); # success!
}
push @version_parts, $lv if (!$key);
}
close(FH);
if (scalar @version_parts == 4) {
my $result = join(".", @version_parts[0..2]);
$result .= $version_parts[3];
$result =~ s/"//g;
print $result;
exit(0);
}
exit(1); # failure


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9ada1ed45594abc998ebc942cef12b032fbad672e73efc22bc9ff54f5df2b285
size 2039132

3
libgd-2.2.3.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c
size 2164152