commit: 0c46087add86facfccbc875e0064cbc167775249 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> AuthorDate: Mon Mar 4 00:28:44 2019 +0000 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org> CommitDate: Mon Mar 4 00:28:59 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c46087a
media-libs/gd: rev bump to add some security patches ossfuzz5700 fix CVE-2018-5711 CVE-2019-6977 CVE-2019-6978 Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org> media-libs/gd/Manifest | 2 + media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch | 124 ++++++++++ media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch | 28 +++ media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch | 278 +++++++++++++++++++++++ media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch | 103 +++++++++ media-libs/gd/gd-2.2.5-r2.ebuild | 82 +++++++ 6 files changed, 617 insertions(+) diff --git a/media-libs/gd/Manifest b/media-libs/gd/Manifest index 9957e0f8f60..986a6d40524 100644 --- a/media-libs/gd/Manifest +++ b/media-libs/gd/Manifest @@ -1 +1,3 @@ +DIST libgd-2.2.5-ossfuzz5700.dat 30 BLAKE2B 5ddd3d2be2adf05e1e2eb1852cc689be57d4d77c57b471e8b6021877f2fb137d15b4c73445fbb23a9ed585974a96dd154759a48712c1e7b5bdc5750d534aee4a SHA512 2394e92ff7a42c818e13a1ac9ad15bc81aa401adc917366ec8c440bb7f27a63777ab059aa03c501dafef0ac16b462dd23c7fb9f8086ce558203384a98a235fff +DIST libgd-2.2.5-php_bug_75571.dat 1731 BLAKE2B 4b5d3f258b73e8089ede1b2c9f538855f410965a9e01e1f3f151ae52f072036172b184bd1a4d07b8355bb974bf088bebb0e812175a277bb67926274272bd80a0 SHA512 b3048640ce7828cca7901fadc989e867cfc6d31b44c0f5a1bda54d7428f317c8c8fc6403fef301e193869a95eb46eb7195d47710ec7f8c507ba049cb6cdcb281 DIST libgd-2.2.5.tar.xz 2594092 BLAKE2B 222a7e012fbf9924ac391ee96c7cd3dec96afd78c6d43dfb680b33e7143e7df87fe6be75bbfe8fb93e916302d7daf08271214c84da28712e93a36465566cb2bd SHA512 e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch new file mode 100644 index 00000000000..6d9de06998a --- /dev/null +++ b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch @@ -0,0 +1,124 @@ +From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecke...@gmx.de> +Date: Wed, 29 Nov 2017 19:37:38 +0100 +Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx + +Due to a signedness confusion in `GetCode_` a corrupt GIF file can +trigger an infinite loop. Furthermore we make sure that a GIF without +any palette entries is treated as invalid *after* open palette entries +have been removed. + +CVE-2018-5711 + +See also https://bugs.php.net/bug.php?id=75571. +--- + src/gd_gif_in.c | 12 ++++++------ + tests/gif/CMakeLists.txt | 1 + + tests/gif/Makemodule.am | 2 ++ + tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++ + tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes + 6 files changed, 38 insertions(+), 6 deletions(-) + create mode 100644 tests/gif/php_bug_75571.c + +diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c +index daf26e79..0a8bd717 100644 +--- a/src/gd_gif_in.c ++++ b/src/gd_gif_in.c +@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) + return 0; + } + +- if(!im->colorsTotal) { +- gdImageDestroy(im); +- return 0; +- } +- + /* Check for open colors at the end, so + * we can reduce colorsTotal and ultimately + * BitsPerPixel */ +@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) + } + } + ++ if(!im->colorsTotal) { ++ gdImageDestroy(im); ++ return 0; ++ } ++ + return im; + } + +@@ -447,7 +447,7 @@ static int + GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) + { + int i, j, ret; +- unsigned char count; ++ int count; + + if(flag) { + scd->curbit = 0; +diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt +index 2b73749e..e58e6b09 100644 +--- a/tests/gif/CMakeLists.txt ++++ b/tests/gif/CMakeLists.txt +@@ -4,6 +4,7 @@ LIST(APPEND TESTS_FILES + bug00227 + gif_null + ossfuzz5700 ++ php_bug_75571 + uninitialized_memory_read + ) + +diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am +index 3199438f..5dbeac53 100644 +--- a/tests/gif/Makemodule.am ++++ b/tests/gif/Makemodule.am +@@ -4,6 +4,7 @@ libgd_test_programs += \ + gif/bug00227 \ + gif/gif_null \ + gif/ossfuzz5700 \ ++ gif/php_bug_75571 \ + gif/uninitialized_memory_read + + if HAVE_LIBPNG +@@ -26,4 +27,5 @@ EXTRA_DIST += \ + gif/bug00066.gif \ + gif/bug00066_exp.png \ + gif/ossfuzz5700.gif \ ++ gif/php_bug_75571.gif \ + gif/unitialized_memory_read.gif +diff --git a/tests/gif/php_bug_75571.c b/tests/gif/php_bug_75571.c +new file mode 100644 +index 00000000..d4fae3ae +--- /dev/null ++++ b/tests/gif/php_bug_75571.c +@@ -0,0 +1,28 @@ ++/** ++ * Test that GIF reading does not loop infinitely ++ * ++ * We are reading a crafted GIF image which has been truncated. This would ++ * trigger an infinite loop formerly, but know bails out early, returning ++ * NULL from gdImageCreateFromGif(). ++ * ++ * See also https://bugs.php.net/bug.php?id=75571. ++ */ ++ ++ ++#include "gd.h" ++#include "gdtest.h" ++ ++ ++int main() ++{ ++ gdImagePtr im; ++ FILE *fp; ++ ++ fp = gdTestFileOpen2("gif", "php_bug_75571.gif"); ++ gdTestAssert(fp != NULL); ++ im = gdImageCreateFromGif(fp); ++ gdTestAssert(im == NULL); ++ fclose(fp); ++ ++ return gdNumFailures(); ++} + diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch new file mode 100644 index 00000000000..0b67a596c6b --- /dev/null +++ b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch @@ -0,0 +1,28 @@ +Description: Heap-based buffer overflow in gdImageColorMatch +Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced +Bug-PHP: https://bugs.php.net/bug.php?id=77270 +Bug-Debian: https://bugs.debian.org/920645 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977 +Forwarded: no +Author: "Christoph M. Becker" <cmbecke...@gmx.de> +Last-Update: 2019-02-01 + +At least some of the image reading functions may return images which +use color indexes greater than or equal to im->colorsTotal. We cater +to this by always using a buffer size which is sufficient for +`gdMaxColors` in `gdImageColorMatch()`. +--- + +--- a/src/gd_color_match.c ++++ b/src/gd_color_match.c +@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm + return -4; /* At least 1 color must be allocated */ + } + +- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); +- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); ++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); ++ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); + + for (x=0; x < im1->sx; x++) { + for( y=0; y<im1->sy; y++ ) { diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch new file mode 100644 index 00000000000..2eb9369a0ba --- /dev/null +++ b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch @@ -0,0 +1,278 @@ +From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecke...@gmx.de> +Date: Thu, 17 Jan 2019 11:54:55 +0100 +Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr() + +Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we +must not call `gdDPExtractData()`; otherwise a double-free would +happen. Since `gdImage*Ctx()` are void functions, and we can't change +that for BC reasons, we're introducing static helpers which are used +internally. + +We're adding a regression test for `gdImageJpegPtr()`, but not for +`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to +trigger failure of the respective `gdImage*Ctx()` calls. + +This potential security issue has been reported by Solmaz Salimi (aka. +Rooney). +--- + src/gd_gif_out.c | 18 +++++++++++++++--- + src/gd_jpeg.c | 20 ++++++++++++++++---- + src/gd_wbmp.c | 21 ++++++++++++++++++--- + tests/jpeg/CMakeLists.txt | 1 + + tests/jpeg/Makemodule.am | 3 ++- + tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++ + 7 files changed, 84 insertions(+), 11 deletions(-) + create mode 100644 tests/jpeg/jpeg_ptr_double_free.c + +diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c +index 298a5812..d5a95346 100644 +--- a/src/gd_gif_out.c ++++ b/src/gd_gif_out.c +@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx); + static void char_out(int c, GifCtx *ctx); + static void flush_char(GifCtx *ctx); + ++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out); + + + +@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageGifCtx(im, out); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageGifCtx(im, out)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile) + + */ + BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) ++{ ++ _gdImageGifCtx(im, out); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) + { + gdImagePtr pim = 0, tim = im; + int interlace, BitsPerPixel; +@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) + based temporary image. */ + pim = gdImageCreatePaletteFromTrueColor(im, 1, 256); + if(!pim) { +- return; ++ return 1; + } + tim = pim; + } +@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) + /* Destroy palette based temporary image. */ + gdImageDestroy( pim); + } ++ ++ return 0; + } + + +diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c +index fc058420..96ef4302 100644 +--- a/src/gd_jpeg.c ++++ b/src/gd_jpeg.c +@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo) + exit(99); + } + ++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality); ++ + /* + * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality + * QUALITY. If QUALITY is in the range 0-100, increasing values +@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageJpegCtx(im, out, quality); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageJpegCtx(im, out, quality)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile); + + */ + BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) ++{ ++ _gdImageJpegCtx(im, outfile, quality); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + { + struct jpeg_compress_struct cinfo; + struct jpeg_error_mgr jerr; +@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + if(row) { + gdFree(row); + } +- return; ++ return 1; + } + + cinfo.err->emit_message = jpeg_emit_message; +@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + if(row == 0) { + gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n"); + jpeg_destroy_compress(&cinfo); +- return; ++ return 1; + } + + rowptr[0] = row; +@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) + jpeg_finish_compress(&cinfo); + jpeg_destroy_compress(&cinfo); + gdFree(row); ++ return 0; + } + + +diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c +index f19a1c96..a49bdbec 100644 +--- a/src/gd_wbmp.c ++++ b/src/gd_wbmp.c +@@ -88,6 +88,8 @@ int gd_getin(void *in) + return (gdGetC((gdIOCtx *)in)); + } + ++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out); ++ + /* + Function: gdImageWBMPCtx + +@@ -100,6 +102,12 @@ int gd_getin(void *in) + out - the stream where to write + */ + BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) ++{ ++ _gdImageWBMPCtx(image, fg, out); ++} ++ ++/* returns 0 on success, 1 on failure */ ++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) + { + int x, y, pos; + Wbmp *wbmp; +@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) + /* create the WBMP */ + if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) { + gd_error("Could not create WBMP\n"); +- return; ++ return 1; + } + + /* fill up the WBMP structure */ +@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) + + /* write the WBMP to a gd file descriptor */ + if(writewbmp(wbmp, &gd_putout, out)) { ++ freewbmp(wbmp); + gd_error("Could not save WBMP\n"); ++ return 1; + } + + /* des submitted this bugfix: gdFree the memory. */ + freewbmp(wbmp); ++ ++ return 0; + } + + /* +@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg) + void *rv; + gdIOCtx *out = gdNewDynamicCtx(2048, NULL); + if (out == NULL) return NULL; +- gdImageWBMPCtx(im, fg, out); +- rv = gdDPExtractData(out, size); ++ if (!_gdImageWBMPCtx(im, fg, out)) { ++ rv = gdDPExtractData(out, size); ++ } else { ++ rv = NULL; ++ } + out->gd_free(out); + return rv; + } +diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt +index 19964b0c..a8d8162f 100644 +--- a/tests/jpeg/CMakeLists.txt ++++ b/tests/jpeg/CMakeLists.txt +@@ -2,6 +2,7 @@ IF(JPEG_FOUND) + LIST(APPEND TESTS_FILES + jpeg_empty_file + jpeg_im2im ++ jpeg_ptr_double_free + jpeg_null + ) + +diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am +index 7e5d317b..b89e1695 100644 +--- a/tests/jpeg/Makemodule.am ++++ b/tests/jpeg/Makemodule.am +@@ -2,7 +2,8 @@ if HAVE_LIBJPEG + libgd_test_programs += \ + jpeg/jpeg_empty_file \ + jpeg/jpeg_im2im \ +- jpeg/jpeg_null ++ jpeg/jpeg_null \ ++ jpeg/jpeg_ptr_double_free + + if HAVE_LIBPNG + libgd_test_programs += \ +diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c +new file mode 100644 +index 00000000..df5a510b +--- /dev/null ++++ b/tests/jpeg/jpeg_ptr_double_free.c +@@ -0,0 +1,31 @@ ++/** ++ * Test that failure to convert to JPEG returns NULL ++ * ++ * We are creating an image, set its width to zero, and pass this image to ++ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL. ++ * ++ * See also <https://github.com/libgd/libgd/issues/381> ++ */ ++ ++ ++#include "gd.h" ++#include "gdtest.h" ++ ++ ++int main() ++{ ++ gdImagePtr src, dst; ++ int size; ++ ++ src = gdImageCreateTrueColor(1, 10); ++ gdTestAssert(src != NULL); ++ ++ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */ ++ ++ dst = gdImageJpegPtr(src, &size, 0); ++ gdTestAssert(dst == NULL); ++ ++ gdImageDestroy(src); ++ ++ return gdNumFailures(); ++} diff --git a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch new file mode 100644 index 00000000000..891c232115e --- /dev/null +++ b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch @@ -0,0 +1,103 @@ +From 9fa3abd2e61da18ed2b889704e4e252f0f5a95fe Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vap...@gentoo.org> +Date: Fri, 26 Jan 2018 01:57:52 -0500 +Subject: [PATCH] gif: fix out-of-bounds read w/corrupted lzw data + +oss-fuzz pointed out: +gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int [4096]' + +Add some bounds checking on each code that we read from the file. +--- + src/gd_gif_in.c | 8 ++++++++ + tests/gif/CMakeLists.txt | 3 ++- + tests/gif/Makemodule.am | 2 ++ + tests/gif/ossfuzz5700.c | 13 +++++++++++++ + tests/gif/ossfuzz5700.gif | Bin 0 -> 30 bytes + 6 files changed, 26 insertions(+), 1 deletion(-) + create mode 100644 tests/gif/ossfuzz5700.c + +diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c +index afc08bf7..daf26e79 100644 +--- a/src/gd_gif_in.c ++++ b/src/gd_gif_in.c +@@ -601,6 +601,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i + /* Bad compressed data stream */ + return -1; + } ++ if(code >= (1 << MAX_LWZ_BITS)) { ++ /* Corrupted code */ ++ return -1; ++ } + + *sd->sp++ = sd->table[1][code]; + +@@ -610,6 +614,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i + + code = sd->table[0][code]; + } ++ if(code >= (1 << MAX_LWZ_BITS)) { ++ /* Corrupted code */ ++ return -1; ++ } + + *sd->sp++ = sd->firstcode = sd->table[1][code]; + +diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt +index 7d40cddc..2b73749e 100644 +--- a/tests/gif/CMakeLists.txt ++++ b/tests/gif/CMakeLists.txt +@@ -3,6 +3,8 @@ LIST(APPEND TESTS_FILES + bug00181 + bug00227 + gif_null ++ ossfuzz5700 ++ uninitialized_memory_read + ) + + IF(PNG_FOUND) +@@ -12,7 +14,6 @@ LIST(APPEND TESTS_FILES + bug00060 + bug00066 + gif_im2im +- uninitialized_memory_read + ) + ENDIF(PNG_FOUND) + +diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am +index 0bdeab7e..3199438f 100644 +--- a/tests/gif/Makemodule.am ++++ b/tests/gif/Makemodule.am +@@ -3,6 +3,7 @@ libgd_test_programs += \ + gif/bug00181 \ + gif/bug00227 \ + gif/gif_null \ ++ gif/ossfuzz5700 \ + gif/uninitialized_memory_read + + if HAVE_LIBPNG +@@ -24,4 +25,5 @@ EXTRA_DIST += \ + gif/bug00060.gif \ + gif/bug00066.gif \ + gif/bug00066_exp.png \ ++ gif/ossfuzz5700.gif \ + gif/unitialized_memory_read.gif +diff --git a/tests/gif/ossfuzz5700.c b/tests/gif/ossfuzz5700.c +new file mode 100644 +index 00000000..8fc9f88c +--- /dev/null ++++ b/tests/gif/ossfuzz5700.c +@@ -0,0 +1,13 @@ ++#include <stdio.h> ++#include "gd.h" ++#include "gdtest.h" ++ ++int main() ++{ ++ gdImagePtr im; ++ FILE *fp = gdTestFileOpen("gif/ossfuzz5700.gif"); ++ im = gdImageCreateFromGif(fp); ++ fclose(fp); ++ gdImageDestroy(im); ++ return 0; ++} + diff --git a/media-libs/gd/gd-2.2.5-r2.ebuild b/media-libs/gd/gd-2.2.5-r2.ebuild new file mode 100644 index 00000000000..7686c2013da --- /dev/null +++ b/media-libs/gd/gd-2.2.5-r2.ebuild @@ -0,0 +1,82 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +inherit autotools multilib-minimal + +DESCRIPTION="Graphics library for fast image creation" +HOMEPAGE="https://libgd.org/ https://www.boutell.com/gd/"; +SRC_URI="https://github.com/libgd/libgd/releases/download/${P}/lib${P}.tar.xz + test? ( + https://github.com/libgd/libgd/raw/e0cb1b76c305db68b251fe782faa12da5d357593/tests/gif/ossfuzz5700.gif -> lib$P-ossfuzz5700.dat + https://github.com/libgd/libgd/raw/e0cb1b76c305db68b251fe782faa12da5d357593/tests/gif/php_bug_75571.gif -> lib$P-php_bug_75571.dat + )" + +LICENSE="gd IJG HPND BSD" +SLOT="2/3" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris" +IUSE="fontconfig jpeg png static-libs test tiff truetype webp xpm zlib" + +# fontconfig has prefixed font paths, details see bug #518970 +REQUIRED_USE="prefix? ( fontconfig )" + +RDEPEND="fontconfig? ( >=media-libs/fontconfig-2.10.92[${MULTILIB_USEDEP}] ) + jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] ) + png? ( >=media-libs/libpng-1.6.10:0=[${MULTILIB_USEDEP}] ) + tiff? ( media-libs/tiff:0[${MULTILIB_USEDEP}] ) + truetype? ( >=media-libs/freetype-2.5.0.1[${MULTILIB_USEDEP}] ) + webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] ) + xpm? ( >=x11-libs/libXpm-3.5.10-r1[${MULTILIB_USEDEP}] >=x11-libs/libXt-1.1.4[${MULTILIB_USEDEP}] ) + zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )" +DEPEND="${RDEPEND} + >=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]" + +S="${WORKDIR}/lib${P}" + +PATCHES=( + "${FILESDIR}/${P}-ossfuzz5700.patch" + "${FILESDIR}/${P}-CVE-2018-5711.patch" + "${FILESDIR}/${P}-CVE-2018-1000222.patch" + "${FILESDIR}/${P}-CVE-2019-6977.patch" + "${FILESDIR}/${P}-CVE-2019-6978.patch" +) + +src_unpack() { + default + + cp "${DISTDIR}"/lib${P}-ossfuzz5700.dat "${S}"/tests/gif/ossfuzz5700.gif || die + cp "${DISTDIR}"/lib${P}-php_bug_75571.dat "${S}"/tests/gif/php_bug_75571.gif || die +} + +src_prepare() { + default + + eautoreconf +} + +multilib_src_configure() { + # we aren't actually {en,dis}abling X here ... the configure + # script uses it just to add explicit -I/-L paths which we + # don't care about on Gentoo systems. + local myeconfargs=( + --disable-werror + --without-x + --without-liq + $(use_enable static-libs static) + $(use_with fontconfig) + $(use_with png) + $(use_with tiff) + $(use_with truetype freetype) + $(use_with jpeg) + $(use_with webp) + $(use_with xpm) + $(use_with zlib) + ) + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" +} + +multilib_src_install_all() { + dodoc README.md + find "${D}" -name '*.la' -delete || die +}
