- security update:

* CVE-2016-6905 [bsc#995034]
    + gd-CVE-2016-6905.patch

OBS-URL: https://build.opensuse.org/package/show/graphics/gd?expand=0&rev=28

gd-CVE-2016-6905.patch

@@ -0,0 +1,65 @@
+From 3c2b605d72e8b080dace1d98a6e50b46c1d12186 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Tue, 12 Jul 2016 14:20:16 +0200
+Subject: [PATCH] bug #248, fix Out-Of-Bounds Read in read_image_tga
+
+---
+ src/gd_tga.c | 34 ++++++++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 8 deletions(-)
+
+Index: libgd-2.1.1/src/gd_tga.c
+===================================================================
+--- libgd-2.1.1.orig/src/gd_tga.c	2015-01-06 10:16:03.000000000 +0100
++++ libgd-2.1.1/src/gd_tga.c	2016-08-23 13:15:45.975724158 +0200
+@@ -200,7 +200,6 @@ int read_image_tga( gdIOCtx *ctx, oTga *
+ 	int buffer_caret = 0;
+ 	int bitmap_caret = 0;
+ 	int i = 0;
+-	int j = 0;
+ 	uint8_t encoded_pixels;
+ 
+ 	if(overflow2(tga->width, tga->height)) {
+@@ -287,25 +286,34 @@ int read_image_tga( gdIOCtx *ctx, oTga *
+ 		while( bitmap_caret < image_block_size ) {
+ 
+ 			if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
+-				encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & 127 ) + 1 );
++				encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & !TGA_RLE_FLAG ) + 1 );
+ 				buffer_caret++;
+ 
++				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
++					gdFree( decompression_buffer );
++					gdFree( conversion_buffer );
++					return -1;
++				}
++
+ 				for (i = 0; i < encoded_pixels; i++) {
+-					for (j = 0; j < pixel_block_size; j++, bitmap_caret++) {
+-						tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
+-					}
++					memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size);
++					bitmap_caret += pixel_block_size;
+ 				}
+ 				buffer_caret += pixel_block_size;
++
+ 			} else {
+ 				encoded_pixels = decompression_buffer[ buffer_caret ] + 1;
+ 				buffer_caret++;
+ 
+-				for (i = 0; i < encoded_pixels; i++) {
+-					for( j = 0; j < pixel_block_size; j++, bitmap_caret++ ) {
+-						tga->bitmap[ bitmap_caret ] = decompression_buffer[ buffer_caret + j ];
+-					}
+-					buffer_caret += pixel_block_size;
++				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
++					gdFree( decompression_buffer );
++					gdFree( conversion_buffer );
++					return -1;
+ 				}
++
++				memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size);
++				bitmap_caret += (encoded_pixels * pixel_block_size);
++				buffer_caret += (encoded_pixels * pixel_block_size);
+ 			}
+ 		}
+ 

gd.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Aug 23 11:16:25 UTC 2016 - pgajdos@suse.com
+
+- security update:
+  * CVE-2016-6905 [bsc#995034]
+    + gd-CVE-2016-6905.patch
+
 -------------------------------------------------------------------
 Mon May 30 13:17:18 UTC 2016 - pgajdos@suse.com
 

gd.spec

@@ -41,6 +41,7 @@ Patch3:         gd-aliasing.patch
 # could be upstreamed
 Patch4:         gd-libvpx.patch
 Patch5:         gd-CVE-2016-5116.patch
+Patch6:         gd-CVE-2016-6905.patch
 BuildRequires:  fontconfig-devel
 BuildRequires:  freetype2-devel
 BuildRequires:  libjpeg-devel
@@ -98,6 +99,7 @@ the formats accepted for inline images by most browsers.
 %patch3
 %patch4
 %patch5 -p1
+%patch6 -p1
 
 %build
 # this file is errorneously forgotten from the tarball