From b4e3dcda6cdb6182ef63e1f01b21ac53e5aed1b3 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Jan 19 2017 08:38:12 +0000 Subject: v2.2.4
---
diff --git a/.gitignore b/.gitignore
index ab5574d..60452a2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ gd-2.0.35.tar.bz2
 /libgd-2.2.1.tar.xz
 /libgd-2.2.2.tar.xz
 /libgd-2.2.3.tar.xz
+/libgd-2.2.4.tar.xz
diff --git a/gd-2.2.3-dynamicGetbuf-negative-rlen.patch b/gd-2.2.3-dynamicGetbuf-negative-rlen.patch
deleted file mode 100644
index 24ebd9b..0000000
--- a/gd-2.2.3-dynamicGetbuf-negative-rlen.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 53110871935244816bbb9d131da0bccff734bfe9 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker"
-Date: Wed, 12 Oct 2016 11:15:32 +0200
-Subject: [PATCH] Avoid potentially dangerous signed to unsigned conversion
-
-We make sure to never pass a negative `rlen` as size to memcpy(). See
-also .
-
-Patch provided by Emmanuel Law.
----
- src/gd_io_dp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
-index 135eda3..228bfa5 100644
---- a/src/gd_io_dp.c
-+++ b/src/gd_io_dp.c
-@@ -276,7 +276,7 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
- if(remain >= len) {
- rlen = len;
- } else {
-- if(remain == 0) {
-+ if(remain <= 0) {
- /* 2.0.34: EOF is incorrect. We use 0 for
- * errors and EOF, just like fileGetbuf,
- * which is a simple fread() wrapper.
diff --git a/gd-2.2.3-overflow-in-gdImageWebpCtx.patch b/gd-2.2.3-overflow-in-gdImageWebpCtx.patch
deleted file mode 100644
index fdf522c..0000000
--- a/gd-2.2.3-overflow-in-gdImageWebpCtx.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
-From: trylab
-Date: Tue, 6 Sep 2016 18:35:32 +0800
-Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
-
-Integer overflow can be happened in expression gdImageSX(im) * 4 *
-gdImageSY(im). It could lead to heap buffer overflow in the following
-code. This issue has been reported to the PHP Bug Tracking System. The
-proof-of-concept file will be supplied some days later. This issue was
-discovered by Ke Liu of Tencent's Xuanwu LAB.
----
- src/gd_webp.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/gd_webp.c b/src/gd_webp.c
-index 8eb4dee..9886399 100644
---- a/src/gd_webp.c
-+++ b/src/gd_webp.c
-@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
- quantization = 80;
- }
-
-+ if (overflow2(gdImageSX(im), 4)) {
-+ return;
-+ }
-+
-+ if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
-+ return;
-+ }
-+
- argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
- if (!argb) {
- return;
diff --git a/gd-2.2.4-upstream.patch b/gd-2.2.4-upstream.patch
new file mode 100644
index 0000000..8aee1a0
--- /dev/null
+++ b/gd-2.2.4-upstream.patch
@@ -0,0 +1,50 @@
+From c9b601a658a79e6ea2aad29fbf60ca6e24ccef1e Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Wed, 18 Jan 2017 13:59:02 +0100
+Subject: [PATCH] Fix build issue regarding INT_MAX
+
+For portability gd_gd2.c needs to include .
+---
+ src/gd_gd2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index c2904ca..049c4c5 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -74,6 +74,7 @@
+
+ /* 2.0.29: no more errno.h, makes windows happy */
+ #include
++#include
+ #include
+ #include "gd.h"
+ #include "gd_errors.h"
+
+
+From 55ac28a293eaa8c531870c8bb8ecc04b333975f4 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Thu, 19 Jan 2017 01:02:58 +0100
+Subject: [PATCH] Fix #357: 2.2.4: Segfault in test suite.
+
+We make sure to never pass a negative `int` as argument to a `size_t`
+parameter.
+---
+ src/gd_io_dp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/gd_io_dp.c b/src/gd_io_dp.c
+index eda2eeb..cb38794 100644
+--- a/src/gd_io_dp.c
++++ b/src/gd_io_dp.c
+@@ -292,6 +292,10 @@ static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
+ rlen = dp->realSize - dp->pos;
+ }
+
++ if (rlen < 0) {
++ return 0;
++ }
++
+ memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);
+ dp->pos += rlen;
+
diff --git a/gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch b/gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch
deleted file mode 100644
index 78a80b4..0000000
Binary files a/gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch and /dev/null differ
diff --git a/gd.spec b/gd.spec
index d7d725f..cec5648 100644
--- a/gd.spec
+++ b/gd.spec
@@ -4,8 +4,8 @@ Summary: A graphics library for quick creation of PNG or JPEG images Name: gd -Version: 2.2.3 -Release: 5%{?prever}%{?short}%{?dist} +Version: 2.2.4 +Release: 1%{?prever}%{?short}%{?dist} Group: System Environment/Libraries License: MIT URL: http://libgd.github.io/
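Review bot: In the `dynamicGetbuf` hunk carried by gd-2.2.4-upstream.patch, the added `if (rlen < 0) { return 0; }` guard has no comment saying why it sits directly in front of `memcpy()`, and returning 0 reports a negative length to the caller exactly like end of data. `rlen` is an `int` that `memcpy()` receives as a `size_t`, so a comment such as `/* a negative rlen would become a huge size_t in memcpy() */` would keep the check from being dropped as dead code later. The earlier branch visible in the removed 2.2.3 patch assigns `rlen = len`, so a negative `len` from the caller is presumably one way to reach this guard; rejecting `len < 0` at function entry would make that explicit. The function body starts and ends outside the hunk.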
@@ -19,11 +19,7 @@ Source0: https://github.com/libgd/libgd/releases/download/gd-%{version}/li Patch1: gd-2.1.0-multilib.patch Patch2: gd-2.2.3-tests.patch -Patch3: gd-2.2.3-overflow-in-gdImageWebpCtx.patch -Patch4: gd-2.2.3-dynamicGetbuf-negative-rlen.patch -# TODO - created by one of upstream maintainers, but not in upstream yet -# https://github.com/libgd/libgd/pull/353 -Patch5: gd-2.2.x-fix-invalid-read-in-gdImageCreateFromTiffPtr.patch +Patch3: gd-2.2.4-upstream.patch BuildRequires: freetype-devel BuildRequires: fontconfig-devel @@ -39,6 +35,8 @@ BuildRequires: pkgconfig BuildRequires: libtool BuildRequires: perl BuildRequires: perl-generators +# for fontconfig/basic test +BuildRequires: liberation-sans-fonts %description @@ -83,10 +81,7 @@ files for gd, a graphics library for creating PNG and JPEG graphics. %setup -q -n libgd-%{version}%{?prever:-%{prever}} %patch1 -p1 -b .mlib %patch2 -p1 -b .build -%patch3 -p1 -b .gdImageWebpCtx -%patch4 -p1 -b .dynamicGetbuf -# Patch5 adds some non-text files (.tiff) -patch -p1 --binary < %{PATCH5} +%patch3 -p1 -b .upstream %if 0%{?fedora} >= 26 # TODO - tests using freetype 2.7 are failing @@ -139,6 +134,18 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a %check +%ifarch %{ix86} +# See https://github.com/libgd/libgd/issues/359 +XFAIL_TESTS="gdimagegrayscale/basic $XFAIL_TESTS" +%endif +%if 0%{?fedora} >= 26 +# See https://github.com/libgd/libgd/issues/363 +XFAIL_TESTS="freetype/bug00132 $XFAIL_TESTS" +XFAIL_TESTS="gdimagestringft/gdimagestringft_bbox $XFAIL_TESTS" +%endif + +export XFAIL_TESTS + : Upstream test suite make check @@ -161,7 +168,6 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc %exclude %{_bindir}/gdlib-config %files devel -%doc ChangeLog %{_bindir}/gdlib-config %{_includedir}/* %{_libdir}/*.so 
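Review bot: `Patch3: gd-2.2.4-upstream.patch` is added without a comment naming its origin, while the removed `Patch5` lines carried a pointer to the upstream pull request. The file bundles two upstream commits, so a line such as `# upstream c9b601a (INT_MAX build fix) and 55ac28a (negative rlen in dynamicGetbuf), drop on next release` above it would tell the next maintainer when it can go. Removing the gdImageWebpCtx overflow patch, the dynamicGetbuf patch and the gdImageCreateFromTiffPtr patch (the changelog ties the last one to CVE-2016-6911) relies on all three fixes being part of the 2.2.4 tarball; nothing in the commit states that, so it is worth confirming against the new sources and recording in the `%changelog` entry. The matching `%patch3`..`patch -p1 --binary < %{PATCH5}` removals in the `%prep` hunk depend on the same assumption.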
@@ -169,6 +175,9 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc %changelog +* Wed Jan 18 2017 Remi Collet - 2.2.4-1 +- Update to 2.2.4 + * Tue Dec 06 2016 Marek Skalický - 2.2.3-5 - Fix invalid read in gdImageCreateFromTiffPtr() ( CVE-2016-6911) - Disable tests using freetype in Fedora 26 (freetype > 2.6)
diff --git a/sources b/sources
index 2fb8acb..976a31c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-14e4134c129b4c166c3a0549a32ef340 libgd-2.2.3.tar.xz
+SHA512 (libgd-2.2.4.tar.xz) = 07903f322c4f6ab392508b0f60c38ca133699111ea92995dc6cd9379210d598bcb24a46c19657884d9e252f8663d0ee8c89c600e3a382a5ae598198c190f39b5