From 91249c3f3751f32ba6a47ac589d3b7e63ff692f323e1644360a4c82ccd16d10e Mon Sep 17 00:00:00 2001
From: Manfred Schwarb
Date: Wed, 3 Jan 2018 21:28:33 +0000
Subject: [PATCH] Accepting request 561476 from home:manfred999

two additional null-deref fixes

OBS-URL: https://build.opensuse.org/request/show/561476
OBS-URL: https://build.opensuse.org/package/show/graphics/gifsicle?expand=0&rev=15
---
 fix_double-free.patch | 24 +++++++++++++++++++++
 fix_gifdiff_null-deref.patch | 42 ++++++++++++++++++++++++++++++++++++
 gifsicle.changes | 8 +++++++
 gifsicle.spec | 8 ++++++-
 4 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 fix_double-free.patch
 create mode 100644 fix_gifdiff_null-deref.patch

diff --git a/fix_double-free.patch b/fix_double-free.patch
new file mode 100644
index 0000000..b99bf5e
--- /dev/null
+++ b/fix_double-free.patch
@@ -0,0 +1,24 @@
+From 118a46090c50829dc543179019e6140e1235f909 Mon Sep 17 00:00:00 2001
+From: Eddie Kohler
+Date: Sat, 2 Dec 2017 23:08:51 -0500
+Subject: [PATCH] gif_read: Set last_name = NULL unconditionally.
+
+With a non-malicious GIF, last_name is set to NULL when a name
+extension is followed by an image. Reported in #117, via
+Debian, via a KAIST fuzzing program.
+---
+ src/gifread.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gifread.c b/src/gifread.c
+index eec4e31..9c287dd 100644
+--- a/src/gifread.c
++++ b/src/gifread.c
+@@ -900,6 +900,7 @@ read_gif(Gif_Reader *grr, int read_flags,
+ Gif_DeleteArray(gfc.suffix);
+ Gif_DeleteArray(gfc.length);
+ gfc.gfi = 0;
++ last_name = 0;
+
+ if (gfs)
+ gfs->errors = gfc.errors[1];
diff --git a/fix_gifdiff_null-deref.patch b/fix_gifdiff_null-deref.patch
new file mode 100644
index 0000000..8fdca1e
--- /dev/null
+++ b/fix_gifdiff_null-deref.patch
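Review bot: Resetting `last_name` to 0 after the cleanup block stops the second free, but the hunk does not show whether the string it points to was released or handed over to an image before this point; if it is still owned here, the unconditional reset trades the double free for a leak on that path. I would put the ownership assumption next to the new line, e.g. `/* name was consumed by the last image or already freed; drop the dangling pointer */`, and confirm it against the name-extension handling earlier in the function. read_gif begins and ends outside the hunk, so the earlier assignments to last_name cannot be checked from here.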
@@ -0,0 +1,42 @@
+From 263cd4519f45bc6ecde74ee280eb1d68ee2de642 Mon Sep 17 00:00:00 2001
+From: Eddie Kohler
+Date: Sat, 2 Dec 2017 23:10:30 -0500
+Subject: [PATCH] Two GIFs with zero images are the same.
+
+Another KAIST report; we null-dereferenced previously.
+---
+ src/gifdiff.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/gifdiff.c b/src/gifdiff.c
+index 04721d8..40da3c1 100644
+--- a/src/gifdiff.c
++++ b/src/gifdiff.c
+@@ -248,12 +248,6 @@ compare(Gif_Stream *s1, Gif_Stream *s2)
+ Gif_CalculateScreenSize(s1, 0);
+ Gif_CalculateScreenSize(s2, 0);
+
+- if (s1->nimages != s2->nimages
+- && (s1->nimages == 0 || s2->nimages == 0)) {
+- different("frame counts differ: <#%d >#%d", s1->nimages, s2->nimages);
+- return DIFFERENT;
+- }
+-
+ if (s1->screen_width != s2->screen_width
+ || s1->screen_height != s2->screen_height) {
+ different("screen sizes differ: <%dx%d >%dx%d", s1->screen_width,
+@@ -268,6 +262,14 @@ compare(Gif_Stream *s1, Gif_Stream *s2)
+ return DIFFERENT;
+ }
+
++ if (s1->nimages == 0 || s2->nimages == 0) {
++ if (s1->nimages != s2->nimages) {
++ different("frame counts differ: <#%d >#%d", s1->nimages, s2->nimages);
++ return DIFFERENT;
++ } else
++ return SAME;
++ }
++
+ /* Create arrays for the image data */
+ screen_width = s1->screen_width;
+ screen_height = s1->screen_height;
diff --git a/gifsicle.changes b/gifsicle.changes
index 292f11d..bc48039 100644
--- a/gifsicle.changes
+++ b/gifsicle.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Jan 3 20:58:34 UTC 2018 - manfred99@gmx.ch
+
+- add fix_double-free.patch:
+ upstream fix, commit 118a46090c50829dc543179019e6140e1235f909
+- add fix_gifdiff_null-deref.patch:
+ upstream fix, commit 263cd4519f45bc6ecde74ee280eb1d68ee2de642
+
 -------------------------------------------------------------------
 Wed Sep 27 22:40:38 UTC 2017 - manfred99@gmx.ch
 
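Review bot: The new zero-image block in the second hunk of the gifdiff patch ends with an unbraced `} else` / `return SAME;`, and the `else` is redundant because the preceding branch already returns; since the rest of this function braces every control body, I would write `}` followed by `return SAME;` so the early return is not hidden behind a dangling else. Note also that, because the check now sits after the screen-size comparison, two zero-image streams with different screen sizes report "screen sizes differ" rather than SAME; that seems intended, but it is worth saying so in a one-line comment above the block, e.g. `/* no image data to compare; headers above already matched */`. compare() begins and ends outside the hunk, so whatever is compared between the two hunks cannot be checked from here.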
diff --git a/gifsicle.spec b/gifsicle.spec
index a384f63..034d263 100644
--- a/gifsicle.spec
+++ b/gifsicle.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package gifsicle
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,6 +26,10 @@ Url: https://www.lcdf.org/gifsicle/
 Source: https://www.lcdf.org/gifsicle/%{name}-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM fix-null-deref.patch
 Patch0: fix-null-deref.patch
+# PATCH-FIX-UPSTREAM fix_double-free.patch
+Patch1: fix_double-free.patch
+# PATCH-FIX-UPSTREAM fix_gifdiff_null-deref.patch
+Patch2: fix_gifdiff_null-deref.patch
 Obsoletes: ungifsicle < %{version}
 Provides: ungifsicle = %{version}
 BuildRequires: pkgconfig(x11)
@@ -53,6 +57,8 @@ appearance.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 
 %build
 %configure