From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: libgd security update
Date: Fri, 15 Jul 2016 16:32:12 -0400
Message-ID: <20160715203212.GA10916@jasmine>
[-- Attachment #1.1: Type: text/plain, Size: 798 bytes --]
Several security vulnerabilities in libgd have been discovered recently,
and today Debian issued a security update:
https://lists.debian.org/debian-security-announce/2016/msg00197.html
The first patch updates libgd to the latest release, 2.2.2, fixing some
of the bugs.
For the remaining bugs, I've taken patches from the master branch of the
libgd Git repo.
Two of the patches included binary files to be used in tests, which
`patch` cannot handle, so I've removed those parts of the patches.
This patch series was not trivial to create; removing the binary diffs
required some care, some of the patches depended on changes associated
with the removed binary diffs, and some upstream fixes were reverted and
re-committed with changes. Will someone double-check this patch series
for mistakes?
[-- Attachment #1.2: 0001-gnu-gd-Update-to-2.2.2-fixes-CVE-2016-5767-6161.patch --]
[-- Type: text/x-diff, Size: 1179 bytes --]
From a27a22635f0615495d18b2d78eb90745d5989a0e Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 15 Jul 2016 14:47:47 -0400
Subject: [PATCH 1/2] gnu: gd: Update to 2.2.2 [fixes CVE-2016-{5767,6161}].
* gnu/packages/gd.scm (gd): Update to 2.2.2.
---
gnu/packages/gd.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 4d6b1a3..b4e6349 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -40,7 +40,7 @@
;; Note: With libgd.org now pointing to github.com, genuine old
;; tarballs are no longer available. Notably, versions 2.0.x are
;; missing.
- (version "2.2.1")
+ (version "2.2.2")
(source (origin
(method url-fetch)
@@ -49,7 +49,7 @@
version "/libgd-" version ".tar.xz"))
(sha256
(base32
- "0xmrqka1ggqgml84xbmkw1y0r0lg7qn657v5b1my8pry92p651vh"))))
+ "1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8"))))
(build-system gnu-build-system)
(native-inputs
`(("pkg-config" ,pkg-config)))
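Review bot: the new `(base32 ...)` value in the second hunk is the only thing tying this recipe to the 2.2.2 tarball, and nothing else in the patch lets a reader confirm it. Whoever applies this should recompute the hash independently (for example with `guix download` on the 2.2.2 release URL) and compare before pushing. The subject line credits the bump with CVE-2016-5767 and CVE-2016-6161; a pointer to the upstream release notes in the commit message would make that claim checkable.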
--
2.9.1
[-- Attachment #1.3: 0002-gnu-gd-Fix-CVE-2016-5766-6128-6132-6214.patch --]
[-- Type: text/x-diff, Size: 18105 bytes --]
From 2840ecffd86395bd63734406f924905bac727104 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 15 Jul 2016 14:48:09 -0400
Subject: [PATCH 2/2] gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}.
* gnu/packages/patches/gd-CVE-2016-5766.patch,
gnu/packages/patches/gd-CVE-2016-6128.patch,
gnu/packages/patches/gd-CVE-2016-6132.patch,
gnu/packages/patches/gd-CVE-2016-6214.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gd.scm (gd): Use patches.
---
gnu/local.mk | 4 +
gnu/packages/gd.scm | 4 +
gnu/packages/patches/gd-CVE-2016-5766.patch | 81 +++++++++
gnu/packages/patches/gd-CVE-2016-6128.patch | 253 ++++++++++++++++++++++++++++
gnu/packages/patches/gd-CVE-2016-6132.patch | 55 ++++++
gnu/packages/patches/gd-CVE-2016-6214.patch | 66 ++++++++
6 files changed, 463 insertions(+)
create mode 100644 gnu/packages/patches/gd-CVE-2016-5766.patch
create mode 100644 gnu/packages/patches/gd-CVE-2016-6128.patch
create mode 100644 gnu/packages/patches/gd-CVE-2016-6132.patch
create mode 100644 gnu/packages/patches/gd-CVE-2016-6214.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 71409b9..536ecef 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -510,6 +510,10 @@ dist_patch_DATA = \
%D%/packages/patches/gcc-cross-environment-variables.patch \
%D%/packages/patches/gcc-libvtv-runpath.patch \
%D%/packages/patches/gcc-5.0-libvtv-runpath.patch \
+ %D%/packages/patches/gd-CVE-2016-5766.patch \
+ %D%/packages/patches/gd-CVE-2016-6128.patch \
+ %D%/packages/patches/gd-CVE-2016-6132.patch \
+ %D%/packages/patches/gd-CVE-2016-6214.patch \
%D%/packages/patches/gegl-CVE-2012-4433.patch \
%D%/packages/patches/geoclue-config.patch \
%D%/packages/patches/ghostscript-CVE-2015-3228.patch \
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index b4e6349..700de33 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -47,6 +47,10 @@
(uri (string-append
"https://github.com/libgd/libgd/releases/download/gd-"
version "/libgd-" version ".tar.xz"))
+ (patches (search-patches "gd-CVE-2016-5766.patch"
+ "gd-CVE-2016-6128.patch"
+ "gd-CVE-2016-6132.patch"
+ "gd-CVE-2016-6214.patch"))
(sha256
(base32
"1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8"))))
diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch
new file mode 100644
index 0000000..400cb0a
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-5766.patch
@@ -0,0 +1,81 @@
+Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
+overflow).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
+
+Adapted from upstream commits:
+https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
+https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
+
+Since `patch` cannot apply Git binary diffs, we omit the addition of
+'tests/gd2/php_bug_72339.c' and its associated binary data.
+
+From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 28 Jun 2016 16:23:42 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+ _gd2GetHeader() resulting in heap overflow
+
+---
+ src/gd_gd2.c | 5 ++++-
+ tests/gd2/CMakeLists.txt | 1 +
+ tests/gd2/Makemodule.am | 6 ++++--
+ tests/gd2/php_bug_72339.c | 21 +++++++++++++++++++++
+ tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
+ 5 files changed, 30 insertions(+), 3 deletions(-)
+ create mode 100644 tests/gd2/php_bug_72339.c
+ create mode 100644 tests/gd2/php_bug_72339_exp.gd2
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index fd1e0c9..bdbbecf 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ nc = (*ncx) * (*ncy);
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ sidx = sizeof (t_chunk_info) * nc;
++ if (overflow2(sidx, nc)) {
++ goto fail1;
++ }
+ cidx = gdCalloc (sidx, 1);
+- if (!cidx) {
++ if (cidx == NULL) {
+ goto fail1;
+ }
+ for (i = 0; i < nc; i++) {
+From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Wed, 29 Jun 2016 09:36:26 +0700
+Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
+ _gd2GetHeader() resulting in heap overflow. Sync with php's sync
+
+---
+ src/gd_gd2.c | 7 ++++++-
+ tests/gd2/php_bug_72339.c | 2 +-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index bdbbecf..2837456 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+
+ if (gd2_compressed (*fmt)) {
+ nc = (*ncx) * (*ncy);
++
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
++ if (overflow2(sizeof(t_chunk_info), nc)) {
++ goto fail1;
++ }
+ sidx = sizeof (t_chunk_info) * nc;
+- if (overflow2(sidx, nc)) {
++ if (sidx <= 0) {
+ goto fail1;
+ }
++
+ cidx = gdCalloc (sidx, 1);
+ if (cidx == NULL) {
+ goto fail1;
+--
+2.9.1
+
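Review bot: the header comment says only 'tests/gd2/php_bug_72339.c' and its binary data were left out, but the first embedded diffstat also lists tests/gd2/CMakeLists.txt and tests/gd2/Makemodule.am, the second lists a change to tests/gd2/php_bug_72339.c, and none of those hunks are present. Dropping them looks deliberate, presumably because they only wire up the omitted test, but the comment should say so, so that a reader comparing against the two upstream commits does not take the gap for a mistake. On the code itself, the net result of the two commits is `overflow2(sizeof(t_chunk_info), nc)` before the multiplication and `sidx <= 0` after it, which is the right order; note that `nc = (*ncx) * (*ncy)` just above is still computed without a check of its own.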
diff --git a/gnu/packages/patches/gd-CVE-2016-6128.patch b/gnu/packages/patches/gd-CVE-2016-6128.patch
new file mode 100644
index 0000000..45ee6b0
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-6128.patch
@@ -0,0 +1,253 @@
+Fix CVE-2016-6128 (invalid color index is not properly handled leading
+to denial of service).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6128
+
+Copied from upstream commits:
+https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd
+
+From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:17:39 +0700
+Subject: [PATCH 1/8] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+---
+ src/gd_crop.c | 4 ++++
+ tests/CMakeLists.txt | 1 +
+ tests/Makefile.am | 1 +
+ 3 files changed, 6 insertions(+)
+
+diff --git a/src/gd_crop.c b/src/gd_crop.c
+index 0296633..532b49b 100644
+--- a/src/gd_crop.c
++++ b/src/gd_crop.c
+@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
+ return NULL;
+ }
+
++ if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
++ return NULL;
++ }
++
+ /* TODO: Add gdImageGetRowPtr and works with ptr at the row level
+ * for the true color and palette images
+ * new formats will simply work with ptr
+diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
+index 6f5c786..5093d52 100644
+--- a/tests/CMakeLists.txt
++++ b/tests/CMakeLists.txt
+@@ -31,6 +31,7 @@ if (BUILD_TEST)
+ gdimagecolortransparent
+ gdimagecopy
+ gdimagecopyrotated
++ gdimagecrop
+ gdimagefile
+ gdimagefill
+ gdimagefilledellipse
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 4f6e756..5a0ebe8 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -25,6 +25,7 @@ include gdimagecolorresolve/Makemodule.am
+ include gdimagecolortransparent/Makemodule.am
+ include gdimagecopy/Makemodule.am
+ include gdimagecopyrotated/Makemodule.am
++include gdimagecrop/Makemodule.am
+ include gdimagefile/Makemodule.am
+ include gdimagefill/Makemodule.am
+ include gdimagefilledellipse/Makemodule.am
+--
+2.9.1
+
+From 8c9f39c7cb1f62ea00bc7a48aff64d3811c2d6d0 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:20:07 +0700
+Subject: [PATCH 2/8] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+---
+ tests/gdimagecrop/.gitignore | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 tests/gdimagecrop/.gitignore
+
+diff --git a/tests/gdimagecrop/.gitignore b/tests/gdimagecrop/.gitignore
+new file mode 100644
+index 0000000..8e8c9c3
+--- /dev/null
++++ b/tests/gdimagecrop/.gitignore
+@@ -0,0 +1 @@
++/php_bug_72494
+--
+2.9.1
+
+From 8de370b7b6263a02268037a7cd13ddd991b43ea9 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:24:50 +0700
+Subject: [PATCH 3/8] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+---
+ tests/gdimagecrop/CMakeLists.txt | 5 +++++
+ 1 file changed, 5 insertions(+)
+ create mode 100644 tests/gdimagecrop/CMakeLists.txt
+
+diff --git a/tests/gdimagecrop/CMakeLists.txt b/tests/gdimagecrop/CMakeLists.txt
+new file mode 100644
+index 0000000..f7e4c7e
+--- /dev/null
++++ b/tests/gdimagecrop/CMakeLists.txt
+@@ -0,0 +1,5 @@
++SET(TESTS_FILES
++ php_bug_72494
++)
++
++ADD_GD_TESTS()
+--
+2.9.1
+
+From bca12e4e11ecda8a0ea719472700ad5c2b36a0d6 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:25:12 +0700
+Subject: [PATCH 4/8] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+---
+ tests/gdimagecrop/Makemodule.am | 5 +++++
+ 1 file changed, 5 insertions(+)
+ create mode 100644 tests/gdimagecrop/Makemodule.am
+
+diff --git a/tests/gdimagecrop/Makemodule.am b/tests/gdimagecrop/Makemodule.am
+new file mode 100644
+index 0000000..210888b
+--- /dev/null
++++ b/tests/gdimagecrop/Makemodule.am
+@@ -0,0 +1,5 @@
++libgd_test_programs += \
++ gdimagecrop/php_bug_72494
++
++EXTRA_DIST += \
++ gdimagecrop/CMakeLists.txt
+--
+2.9.1
+
+From 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:25:40 +0700
+Subject: [PATCH 5/8] fix php 72494, invalid color index not handled, can lead
+ to crash
+
+---
+ tests/gdimagecrop/php_bug_72494.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+ create mode 100644 tests/gdimagecrop/php_bug_72494.c
+
+diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
+new file mode 100644
+index 0000000..adaa379
+--- /dev/null
++++ b/tests/gdimagecrop/php_bug_72494.c
+@@ -0,0 +1,23 @@
++#include <stdio.h>
++#include <stdlib.h>
++#include "gd.h"
++
++#include "gdtest.h"
++
++int main()
++{
++ gdImagePtr im, exp;
++ int error = 0;
++
++ im = gdImageCreate(50, 50);
++
++ if (!im) {
++ gdTestErrorMsg("gdImageCreate failed.\n");
++ return 1;
++ }
++
++ gdImageCropThreshold(im, 1337, 0);
++ gdImageDestroy(im);
++ /* this bug tests a crash, it never reaches this point if the bug exists*/
++ return 0;
++}
+--
+2.9.1
+
+From a0f9f8f7bd0d3a6c6afd6d180b8e75d93aadddfa Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:38:07 +0700
+Subject: [PATCH 6/8] fix php 72494, CID 149753, color is unsigned int, remove
+ useless <0 comparison
+
+---
+ src/gd_crop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_crop.c b/src/gd_crop.c
+index 532b49b..d51ad67 100644
+--- a/src/gd_crop.c
++++ b/src/gd_crop.c
+@@ -136,7 +136,7 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
+ return NULL;
+ }
+
+- if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
++ if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
+ return NULL;
+ }
+
+--
+2.9.1
+
+From 907115fbb980862934d0de91af4977a216745039 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 11:51:40 +0700
+Subject: [PATCH 7/8] fix php 72494, CID 149753, color is unsigned int, remove
+ useless <0 comparison
+
+---
+ tests/gdimagecrop/php_bug_72494.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
+index adaa379..5cb589b 100644
+--- a/tests/gdimagecrop/php_bug_72494.c
++++ b/tests/gdimagecrop/php_bug_72494.c
+@@ -6,7 +6,7 @@
+
+ int main()
+ {
+- gdImagePtr im, exp;
++ gdImagePtr im;
+ int error = 0;
+
+ im = gdImageCreate(50, 50);
+--
+2.9.1
+
+From fd623025505e87bba7ec8555eeb72dae4fb0afdc Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Mon, 27 Jun 2016 12:04:25 +0700
+Subject: [PATCH 8/8] fix php 72494, CID 149753, color is unsigned int, remove
+ useless <0 comparison
+
+---
+ tests/gdimagecrop/php_bug_72494.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
+index 5cb589b..3bd19be 100644
+--- a/tests/gdimagecrop/php_bug_72494.c
++++ b/tests/gdimagecrop/php_bug_72494.c
+@@ -7,7 +7,6 @@
+ int main()
+ {
+ gdImagePtr im;
+- int error = 0;
+
+ im = gdImageCreate(50, 50);
+
+--
+2.9.1
+
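Review bot: patches 1/8, 3/8 and 4/8 edit tests/CMakeLists.txt and tests/Makefile.am and add tests/gdimagecrop/Makemodule.am, but the gd recipe shown earlier uses gnu-build-system with only pkg-config in native-inputs, so it is worth checking whether the new php_bug_72494 test is actually built and run without regenerating the Automake files. If it is not, trimming this file to the two src/gd_crop.c hunks would match what was done for the other patches and make it much shorter. Two reference fixes in the header: the cve.mitre.org link uses `name=2016-6128` without the `CVE-` prefix used in gd-CVE-2016-5766.patch, and the compare URL ends in `...4fb0afd`, one character short of the commit id on patch 8/8, which ends in `...4fb0afdc`.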
diff --git a/gnu/packages/patches/gd-CVE-2016-6132.patch b/gnu/packages/patches/gd-CVE-2016-6132.patch
new file mode 100644
index 0000000..4c475b7
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-6132.patch
@@ -0,0 +1,55 @@
+Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132
+
+Copied from upstream commit:
+https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d
+
+From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Tue, 12 Jul 2016 11:24:09 +0200
+Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
+ files (CVE-2016-6132)
+
+---
+ src/gd_tga.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index ef20f86..20fe2d2 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ return -1;
+ }
+
+- gdGetBuf(conversion_buffer, image_block_size, ctx);
++ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
++ gd_error("gd-tga: premature end of image data\n");
++ gdFree(conversion_buffer);
++ return -1;
++ }
+
+ while (buffer_caret < image_block_size) {
+ tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
+@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ }
+ conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
+ if (conversion_buffer == NULL) {
++ gd_error("gd-tga: premature end of image data\n");
+ gdFree( decompression_buffer );
+ return -1;
+ }
+
+- gdGetBuf( conversion_buffer, image_block_size, ctx );
++ if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
++ gdFree(conversion_buffer);
++ gdFree(decompression_buffer);
++ return -1;
++ }
+
+ buffer_caret = 0;
+
+--
+2.9.1
+
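Review bot: in the second src/gd_tga.c hunk the added `gd_error("gd-tga: premature end of image data\n")` sits in the `conversion_buffer == NULL` branch, which is an allocation failure, while the new short-read check on `gdGetBuf` just below it returns -1 with no message at all. That is how the upstream commit reads and it does not weaken the fix, so keeping it verbatim is fine, but it deserves a report upstream. In the header, the cve.mitre.org link uses `name=2016-6132` and is missing the `CVE-` prefix.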
diff --git a/gnu/packages/patches/gd-CVE-2016-6214.patch b/gnu/packages/patches/gd-CVE-2016-6214.patch
new file mode 100644
index 0000000..7894a32
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-6214.patch
@@ -0,0 +1,66 @@
+Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
+
+Adapted from upstream commit:
+https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308
+
+Since `patch` cannot apply Git binary diffs, we omit the addition of
+'tests/tga/bug00247a.c' and its associated binary data.
+
+From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 12 Jul 2016 19:23:13 +0200
+Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
+ gracefully
+
+Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
+really supported. All other combinations will be rejected with a warning.
+
+(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
+---
+ src/gd_tga.c | 16 ++++++----------
+ tests/tga/.gitignore | 1 +
+ tests/tga/CMakeLists.txt | 1 +
+ tests/tga/Makemodule.am | 4 +++-
+ tests/tga/bug00247a.c | 19 +++++++++++++++++++
+ tests/tga/bug00247a.tga | Bin 0 -> 36 bytes
+ 6 files changed, 30 insertions(+), 11 deletions(-)
+ create mode 100644 tests/tga/bug00247a.c
+ create mode 100644 tests/tga/bug00247a.tga
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index 20fe2d2..b4f8fa6 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
+ if (tga->bits == TGA_BPP_24) {
+ *tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
+ bitmap_caret += 3;
+- } else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
++ } else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
+ register int a = tga->bitmap[bitmap_caret + 3];
+
+ *tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
+@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
+ printf("wxh: %i %i\n", tga->width, tga->height);
+ #endif
+
+- switch(tga->bits) {
+- case 8:
+- case 16:
+- case 24:
+- case 32:
+- break;
+- default:
+- gd_error("bps %i not supported", tga->bits);
++ if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
++ || (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
++ {
++ gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
++ tga->bits, tga->alphabits);
+ return -1;
+- break;
+ }
+
+ tga->ident = NULL;
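Review bot: the read_header_tga hunk replaces the 8/16/24/32 `switch` with a check that accepts only 24 bpp with 0 alpha bits and 32 bpp with 8 alpha bits, so 8- and 16-bit TGA files that used to pass the header check are now rejected; the header comment describes the patch only as an out-of-bounds read fix and should mention that narrowing for anyone debugging a dependent package. The header also names only 'tests/tga/bug00247a.c' and its binary data as omitted, while the embedded diffstat lists tests/tga/.gitignore, tests/tga/CMakeLists.txt and tests/tga/Makemodule.am with no hunks present; say that those were dropped too. Finally, this file's src/gd_tga.c index line starts at 20fe2d2, which is the result of gd-CVE-2016-6132.patch, so it has to stay after that entry in the `search-patches` list; a short comment there would protect the ordering.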
--
2.9.1
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]