all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* libgd security update / i686 issues
@ 2016-07-28  7:23 Leo Famulari
  2016-07-28  8:34 ` Andreas Enge
                   ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Leo Famulari @ 2016-07-28  7:23 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1240 bytes --]

libgd 2.2.3 has been released [0], which includes fixes for
CVE-2016-6207.

I built it on x86_64, and also cross-built to i686-linux. The 32-bit rounding
issue that Mark fixed with commit 27326064 was reported upstream [1],
and the suggested workaround is to add "-msse -mfpmath=sse" to CFLAGS
[2].

Having removed Mark's patch, I can cross-build to i686-linux using those
flags. The patch has gone stale with the 2.2.3 release:

---
gdimagerotate/bug00067.c: In function ‘main’:
gdimagerotate/bug00067.c:11:14: error: unused variable ‘filename’ [-Werror=unused-variable]
  char *path, filename[2048];
              ^
gdimagerotate/bug00067.c:11:8: error: unused variable ‘path’ [-Werror=unused-variable]
  char *path, filename[2048];
        ^
cc1: all warnings being treated as errors
Makefile:3120: recipe for target 'gdimagerotate/bug00067.o' failed
---

Should these CFLAGS values be applied unconditionally, as in the
attached patch, or should they be applied only while building on or for
specific architectures? Or something else?

[0]
https://github.com/libgd/libgd/releases/tag/gd-2.2.3

[1]
https://github.com/libgd/libgd/issues/242

[2]
https://github.com/libgd/libgd/commit/62ecc651e7780add5e4035bfc0e6cd060e90f6a9

[-- Attachment #2: 0001-gnu-gd-Update-to-2.2.3.patch --]
[-- Type: text/x-diff, Size: 19744 bytes --]

From d429ce44a39543b8f5e64f22bc722ee8bc22bd01 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 28 Jul 2016 02:46:23 -0400
Subject: [PATCH] gnu: gd: Update to 2.2.3.

Fixes CVE-2016-6207.

* gnu/packages/gd.scm (gd): Update to 2.2.3.
[arguments]: Add "-msse -mfpmath=sse" to CFLAGS.
* gnu/packages/patches/gd-CVE-2016-5766.patch,
gnu/packages/patches/gd-CVE-2016-6128.patch,
gnu/packages/patches/gd-CVE-2016-6132.patch,
gnu/packages/patches/gd-CVE-2016-6214.patch,
gnu/packages/patches/gd-fix-test-on-i686.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                   |   5 -
 gnu/packages/gd.scm                            |  11 +-
 gnu/packages/patches/gd-CVE-2016-5766.patch    |  81 --------
 gnu/packages/patches/gd-CVE-2016-6128.patch    | 253 -------------------------
 gnu/packages/patches/gd-CVE-2016-6132.patch    |  55 ------
 gnu/packages/patches/gd-CVE-2016-6214.patch    |  66 -------
 gnu/packages/patches/gd-fix-test-on-i686.patch |  34 ----
 7 files changed, 4 insertions(+), 501 deletions(-)
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-5766.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6128.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6132.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6214.patch
 delete mode 100644 gnu/packages/patches/gd-fix-test-on-i686.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c143dd7..2f4dda1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -512,11 +512,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch		\
-  %D%/packages/patches/gd-CVE-2016-5766.patch			\
-  %D%/packages/patches/gd-CVE-2016-6128.patch			\
-  %D%/packages/patches/gd-CVE-2016-6132.patch			\
-  %D%/packages/patches/gd-CVE-2016-6214.patch			\
-  %D%/packages/patches/gd-fix-test-on-i686.patch		\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghostscript-CVE-2015-3228.patch		\
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 3313ee6..46a2912 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -40,22 +40,19 @@
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
-    (version "2.2.2")
+    (version "2.2.3")
 
     (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/libgd/libgd/releases/download/gd-"
                    version "/libgd-" version ".tar.xz"))
-             (patches (search-patches "gd-fix-test-on-i686.patch"
-                                      "gd-CVE-2016-5766.patch"
-                                      "gd-CVE-2016-6128.patch"
-                                      "gd-CVE-2016-6132.patch"
-                                      "gd-CVE-2016-6214.patch"))
              (sha256
               (base32
-               "1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8"))))
+               "0g3xz8jpz1pl2zzmssglrpa9nxiaa7rmcmvgpbrjz8k9cyynqsvl"))))
     (build-system gnu-build-system)
+    (arguments
+     '(#:configure-flags '("CFLAGS=-msse -mfpmath=sse")))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (inputs
diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch
deleted file mode 100644
index 400cb0a..0000000
--- a/gnu/packages/patches/gd-CVE-2016-5766.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
-overflow).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
-
-Adapted from upstream commits:
-https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
-https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
-
-Since `patch` cannot apply Git binary diffs, we omit the addition of
-'tests/gd2/php_bug_72339.c' and its associated binary data.
-
-From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Tue, 28 Jun 2016 16:23:42 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow
-
----
- src/gd_gd2.c                    |   5 ++++-
- tests/gd2/CMakeLists.txt        |   1 +
- tests/gd2/Makemodule.am         |   6 ++++--
- tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
- tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
- 5 files changed, 30 insertions(+), 3 deletions(-)
- create mode 100644 tests/gd2/php_bug_72339.c
- create mode 100644 tests/gd2/php_bug_72339_exp.gd2
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index fd1e0c9..bdbbecf 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 		nc = (*ncx) * (*ncy);
- 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
- 		sidx = sizeof (t_chunk_info) * nc;
-+		if (overflow2(sidx, nc)) {
-+			goto fail1;
-+		}
- 		cidx = gdCalloc (sidx, 1);
--		if (!cidx) {
-+		if (cidx == NULL) {
- 			goto fail1;
- 		}
- 		for (i = 0; i < nc; i++) {
-From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Wed, 29 Jun 2016 09:36:26 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow. Sync with php's sync
-
----
- src/gd_gd2.c              | 7 ++++++-
- tests/gd2/php_bug_72339.c | 2 +-
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index bdbbecf..2837456 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 
- 	if (gd2_compressed (*fmt)) {
- 		nc = (*ncx) * (*ncy);
-+
- 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
-+		if (overflow2(sizeof(t_chunk_info), nc)) {
-+			goto fail1;
-+		}
- 		sidx = sizeof (t_chunk_info) * nc;
--		if (overflow2(sidx, nc)) {
-+		if (sidx <= 0) {
- 			goto fail1;
- 		}
-+
- 		cidx = gdCalloc (sidx, 1);
- 		if (cidx == NULL) {
- 			goto fail1;
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6128.patch b/gnu/packages/patches/gd-CVE-2016-6128.patch
deleted file mode 100644
index 45ee6b0..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6128.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-Fix CVE-2016-6128 (invalid color index is not properly handled leading
-to denial of service).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6128
-
-Copied from upstream commits:
-https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd
-
-From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:17:39 +0700
-Subject: [PATCH 1/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- src/gd_crop.c        | 4 ++++
- tests/CMakeLists.txt | 1 +
- tests/Makefile.am    | 1 +
- 3 files changed, 6 insertions(+)
-
-diff --git a/src/gd_crop.c b/src/gd_crop.c
-index 0296633..532b49b 100644
---- a/src/gd_crop.c
-+++ b/src/gd_crop.c
-@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
- 		return NULL;
- 	}
- 
-+	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
-+		return NULL;
-+	}
-+
- 	/* TODO: Add gdImageGetRowPtr and works with ptr at the row level
- 	 * for the true color and palette images
- 	 * new formats will simply work with ptr
-diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
-index 6f5c786..5093d52 100644
---- a/tests/CMakeLists.txt
-+++ b/tests/CMakeLists.txt
-@@ -31,6 +31,7 @@ if (BUILD_TEST)
- 		gdimagecolortransparent
- 		gdimagecopy
- 		gdimagecopyrotated
-+        gdimagecrop
- 		gdimagefile
- 		gdimagefill
- 		gdimagefilledellipse
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 4f6e756..5a0ebe8 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -25,6 +25,7 @@ include gdimagecolorresolve/Makemodule.am
- include gdimagecolortransparent/Makemodule.am
- include gdimagecopy/Makemodule.am
- include gdimagecopyrotated/Makemodule.am
-+include gdimagecrop/Makemodule.am
- include gdimagefile/Makemodule.am
- include gdimagefill/Makemodule.am
- include gdimagefilledellipse/Makemodule.am
--- 
-2.9.1
-
-From 8c9f39c7cb1f62ea00bc7a48aff64d3811c2d6d0 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:20:07 +0700
-Subject: [PATCH 2/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/.gitignore | 1 +
- 1 file changed, 1 insertion(+)
- create mode 100644 tests/gdimagecrop/.gitignore
-
-diff --git a/tests/gdimagecrop/.gitignore b/tests/gdimagecrop/.gitignore
-new file mode 100644
-index 0000000..8e8c9c3
---- /dev/null
-+++ b/tests/gdimagecrop/.gitignore
-@@ -0,0 +1 @@
-+/php_bug_72494
--- 
-2.9.1
-
-From 8de370b7b6263a02268037a7cd13ddd991b43ea9 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:24:50 +0700
-Subject: [PATCH 3/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/CMakeLists.txt | 5 +++++
- 1 file changed, 5 insertions(+)
- create mode 100644 tests/gdimagecrop/CMakeLists.txt
-
-diff --git a/tests/gdimagecrop/CMakeLists.txt b/tests/gdimagecrop/CMakeLists.txt
-new file mode 100644
-index 0000000..f7e4c7e
---- /dev/null
-+++ b/tests/gdimagecrop/CMakeLists.txt
-@@ -0,0 +1,5 @@
-+SET(TESTS_FILES
-+	php_bug_72494
-+)
-+
-+ADD_GD_TESTS()
--- 
-2.9.1
-
-From bca12e4e11ecda8a0ea719472700ad5c2b36a0d6 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:25:12 +0700
-Subject: [PATCH 4/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/Makemodule.am | 5 +++++
- 1 file changed, 5 insertions(+)
- create mode 100644 tests/gdimagecrop/Makemodule.am
-
-diff --git a/tests/gdimagecrop/Makemodule.am b/tests/gdimagecrop/Makemodule.am
-new file mode 100644
-index 0000000..210888b
---- /dev/null
-+++ b/tests/gdimagecrop/Makemodule.am
-@@ -0,0 +1,5 @@
-+libgd_test_programs += \
-+	gdimagecrop/php_bug_72494
-+
-+EXTRA_DIST += \
-+	gdimagecrop/CMakeLists.txt
--- 
-2.9.1
-
-From 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:25:40 +0700
-Subject: [PATCH 5/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/php_bug_72494.c | 23 +++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
- create mode 100644 tests/gdimagecrop/php_bug_72494.c
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-new file mode 100644
-index 0000000..adaa379
---- /dev/null
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -0,0 +1,23 @@
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include "gd.h"
-+
-+#include "gdtest.h"
-+
-+int main()
-+{
-+	gdImagePtr im, exp;
-+	int error = 0;
-+
-+	im = gdImageCreate(50, 50);
-+
-+	if (!im) {
-+		gdTestErrorMsg("gdImageCreate failed.\n");
-+		return 1;
-+	}
-+
-+	gdImageCropThreshold(im, 1337, 0);
-+	gdImageDestroy(im);
-+	/* this bug tests a crash, it never reaches this point if the bug exists*/
-+	return 0;
-+}
--- 
-2.9.1
-
-From a0f9f8f7bd0d3a6c6afd6d180b8e75d93aadddfa Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:38:07 +0700
-Subject: [PATCH 6/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- src/gd_crop.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/gd_crop.c b/src/gd_crop.c
-index 532b49b..d51ad67 100644
---- a/src/gd_crop.c
-+++ b/src/gd_crop.c
-@@ -136,7 +136,7 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
- 		return NULL;
- 	}
- 
--	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
-+	if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
- 		return NULL;
- 	}
- 
--- 
-2.9.1
-
-From 907115fbb980862934d0de91af4977a216745039 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:51:40 +0700
-Subject: [PATCH 7/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- tests/gdimagecrop/php_bug_72494.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-index adaa379..5cb589b 100644
---- a/tests/gdimagecrop/php_bug_72494.c
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -6,7 +6,7 @@
- 
- int main()
- {
--	gdImagePtr im, exp;
-+	gdImagePtr im;
- 	int error = 0;
- 
- 	im = gdImageCreate(50, 50);
--- 
-2.9.1
-
-From fd623025505e87bba7ec8555eeb72dae4fb0afdc Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 12:04:25 +0700
-Subject: [PATCH 8/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- tests/gdimagecrop/php_bug_72494.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-index 5cb589b..3bd19be 100644
---- a/tests/gdimagecrop/php_bug_72494.c
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -7,7 +7,6 @@
- int main()
- {
- 	gdImagePtr im;
--	int error = 0;
- 
- 	im = gdImageCreate(50, 50);
- 
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6132.patch b/gnu/packages/patches/gd-CVE-2016-6132.patch
deleted file mode 100644
index 4c475b7..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6132.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132
-
-Copied from upstream commit:
-https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d
-
-From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
-Date: Tue, 12 Jul 2016 11:24:09 +0200
-Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
- files (CVE-2016-6132)
-
----
- src/gd_tga.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index ef20f86..20fe2d2 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
- 			return -1;
- 		}
- 
--		gdGetBuf(conversion_buffer, image_block_size, ctx);
-+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
-+			gd_error("gd-tga: premature end of image data\n");
-+			gdFree(conversion_buffer);
-+			return -1;
-+		}
- 
- 		while (buffer_caret < image_block_size) {
- 			tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
-@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
- 		}
- 		conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
- 		if (conversion_buffer == NULL) {
-+			gd_error("gd-tga: premature end of image data\n");
- 			gdFree( decompression_buffer );
- 			return -1;
- 		}
- 
--		gdGetBuf( conversion_buffer, image_block_size, ctx );
-+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
-+			gdFree(conversion_buffer);
-+			gdFree(decompression_buffer);
-+			return -1;
-+		}
- 
- 		buffer_caret = 0;
- 
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6214.patch b/gnu/packages/patches/gd-CVE-2016-6214.patch
deleted file mode 100644
index 7894a32..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6214.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
-
-Adapted from upstream commit:
-https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308
-
-Since `patch` cannot apply Git binary diffs, we omit the addition of
-'tests/tga/bug00247a.c' and its associated binary data.
-
-From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Tue, 12 Jul 2016 19:23:13 +0200
-Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
- gracefully
-
-Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
-really supported. All other combinations will be rejected with a warning.
-
-(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
----
- src/gd_tga.c             |  16 ++++++----------
- tests/tga/.gitignore     |   1 +
- tests/tga/CMakeLists.txt |   1 +
- tests/tga/Makemodule.am  |   4 +++-
- tests/tga/bug00247a.c    |  19 +++++++++++++++++++
- tests/tga/bug00247a.tga  | Bin 0 -> 36 bytes
- 6 files changed, 30 insertions(+), 11 deletions(-)
- create mode 100644 tests/tga/bug00247a.c
- create mode 100644 tests/tga/bug00247a.tga
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index 20fe2d2..b4f8fa6 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
- 			if (tga->bits == TGA_BPP_24) {
- 				*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
- 				bitmap_caret += 3;
--			} else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
-+			} else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
- 				register int a = tga->bitmap[bitmap_caret + 3];
- 
- 				*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
-@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
- 	printf("wxh: %i %i\n", tga->width, tga->height);
- #endif
- 
--	switch(tga->bits) {
--	case 8:
--	case 16:
--	case 24:
--	case 32:
--		break;
--	default:
--		gd_error("bps %i not supported", tga->bits);
-+	if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
-+		|| (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
-+	{
-+		gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
-+			tga->bits, tga->alphabits);
- 		return -1;
--		break;
- 	}
- 
- 	tga->ident = NULL;
diff --git a/gnu/packages/patches/gd-fix-test-on-i686.patch b/gnu/packages/patches/gd-fix-test-on-i686.patch
deleted file mode 100644
index 6dd2e0f..0000000
--- a/gnu/packages/patches/gd-fix-test-on-i686.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Disable part of the gdimagerotate test on architectures such as i686
-where intermediate floating-point operations are done with 80-bit long
-doubles, and typically later rounded to 64-bit doubles.  This double
-rounding causes small differences in the resulting pixel values
-compared with other architectures, causing the image comparison to
-fail.
-
-Patch by Mark H Weaver <mhw@netris.org>.
-
---- libgd-2.2.2/tests/gdimagerotate/bug00067.c	1969-12-31 19:00:00.000000000 -0500
-+++ libgd-2.2.2/tests/gdimagerotate/bug00067.c	2016-07-18 12:19:19.885423132 -0400
-@@ -1,5 +1,6 @@
- #include <stdio.h>
- #include <stdlib.h>
-+#include <float.h>
- #include "gd.h"
- 
- #include "gdtest.h"
-@@ -41,6 +42,7 @@
- 			return 1;
- 		}
- 
-+#if FLT_EVAL_METHOD != 2
- 		sprintf(filename, "bug00067_%03d_exp.png", angle);
- 		path = gdTestFilePath2("gdimagerotate", filename);
- 		if (!gdAssertImageEqualsToFile(path, exp)) {
-@@ -48,6 +50,7 @@
- 			error += 1;
- 		}
- 		free(path);
-+#endif
- 
- 		gdImageDestroy(exp);
- 	}
-- 
2.9.2


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-28  7:23 libgd security update / i686 issues Leo Famulari
@ 2016-07-28  8:34 ` Andreas Enge
  2016-07-28  8:40 ` Andreas Enge
  2016-07-28 21:26 ` Leo Famulari
  2 siblings, 0 replies; 14+ messages in thread
From: Andreas Enge @ 2016-07-28  8:34 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
> Should these CFLAGS values be applied unconditionally, as in the
> attached patch, or should they be applied only while building on or for
> specific architectures? Or something else?

They only work on x86 processors, almost by definition: SSE stands for
a certain instruction set. So one would need to check whether the problem
occurs for other architectures. I would assume that it happens on all 32
bit architectures, in particular armhf. Their code is too fragile: One
should not rely on fine details of the processor architecture or instruction
set to hope for an expected rounding behaviour.

Andreas

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-28  7:23 libgd security update / i686 issues Leo Famulari
  2016-07-28  8:34 ` Andreas Enge
@ 2016-07-28  8:40 ` Andreas Enge
  2016-07-28 16:30   ` Leo Famulari
  2016-07-28 21:26 ` Leo Famulari
  2 siblings, 1 reply; 14+ messages in thread
From: Andreas Enge @ 2016-07-28  8:40 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
> I built it on x86_64, and also cross-built to i686-linux. The 32-bit rounding
> issue that Mark fixed with commit 27326064 was reported upstream [1],
> and the suggested workaround is to add "-msse -mfpmath=sse" to CFLAGS
> [2].

Well, the bug report states that the result is correct on armv7. Apparently
i686 is not IEEE compliant by default, while armv7 is. So it should be okay
to apply the flags only on i686. We assume that SSE, but not SSE2 or later
are supported, see our Qt package.

Andreas

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-28  8:40 ` Andreas Enge
@ 2016-07-28 16:30   ` Leo Famulari
  2016-07-28 17:22     ` Mark H Weaver
  0 siblings, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2016-07-28 16:30 UTC (permalink / raw)
  To: Andreas Enge; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 400 bytes --]

On Thu, Jul 28, 2016 at 10:40:49AM +0200, Andreas Enge wrote:
> Well, the bug report states that the result is correct on armv7. Apparently
> i686 is not IEEE compliant by default, while armv7 is. So it should be okay
> to apply the flags only on i686. We assume that SSE, but not SSE2 or later
> are supported, see our Qt package.

Thanks for the advice. What do you think about the attached patch?

[-- Attachment #2: 0001-gnu-gd-Update-to-2.2.3.patch --]
[-- Type: text/x-diff, Size: 20232 bytes --]

From b29dacff62fc7483ea6812a4a09cd68c5578ee90 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 28 Jul 2016 02:46:23 -0400
Subject: [PATCH] gnu: gd: Update to 2.2.3.

Fixes CVE-2016-6207.

* gnu/packages/gd.scm (gd): Update to 2.2.3.
[arguments]: Add "-msse -mfpmath=sse" to CFLAGS on i686.
* gnu/packages/patches/gd-CVE-2016-5766.patch,
gnu/packages/patches/gd-CVE-2016-6128.patch,
gnu/packages/patches/gd-CVE-2016-6132.patch,
gnu/packages/patches/gd-CVE-2016-6214.patch,
gnu/packages/patches/gd-fix-test-on-i686.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                   |   5 -
 gnu/packages/gd.scm                            |  17 +-
 gnu/packages/patches/gd-CVE-2016-5766.patch    |  81 --------
 gnu/packages/patches/gd-CVE-2016-6128.patch    | 253 -------------------------
 gnu/packages/patches/gd-CVE-2016-6132.patch    |  55 ------
 gnu/packages/patches/gd-CVE-2016-6214.patch    |  66 -------
 gnu/packages/patches/gd-fix-test-on-i686.patch |  34 ----
 7 files changed, 10 insertions(+), 501 deletions(-)
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-5766.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6128.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6132.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6214.patch
 delete mode 100644 gnu/packages/patches/gd-fix-test-on-i686.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c143dd7..2f4dda1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -512,11 +512,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch		\
-  %D%/packages/patches/gd-CVE-2016-5766.patch			\
-  %D%/packages/patches/gd-CVE-2016-6128.patch			\
-  %D%/packages/patches/gd-CVE-2016-6132.patch			\
-  %D%/packages/patches/gd-CVE-2016-6214.patch			\
-  %D%/packages/patches/gd-fix-test-on-i686.patch		\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghostscript-CVE-2015-3228.patch		\
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 3313ee6..3614d51 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -24,6 +24,7 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
   #:use-module (guix download)
+  #:use-module (guix utils)
   #:use-module (gnu packages)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages image)
@@ -40,22 +41,24 @@
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
-    (version "2.2.2")
+    (version "2.2.3")
 
     (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/libgd/libgd/releases/download/gd-"
                    version "/libgd-" version ".tar.xz"))
-             (patches (search-patches "gd-fix-test-on-i686.patch"
-                                      "gd-CVE-2016-5766.patch"
-                                      "gd-CVE-2016-6128.patch"
-                                      "gd-CVE-2016-6132.patch"
-                                      "gd-CVE-2016-6214.patch"))
              (sha256
               (base32
-               "1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8"))))
+               "0g3xz8jpz1pl2zzmssglrpa9nxiaa7rmcmvgpbrjz8k9cyynqsvl"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags 
+       (list ,@(let ((system (or (%current-target-system)
+                                 (%current-system))))
+                 (if (string-prefix? "i686" system)
+                   '("CFLAGS=-msse -mfpmath=sse")
+                   '())))))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (inputs
diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch
deleted file mode 100644
index 400cb0a..0000000
--- a/gnu/packages/patches/gd-CVE-2016-5766.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
-overflow).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
-
-Adapted from upstream commits:
-https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
-https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
-
-Since `patch` cannot apply Git binary diffs, we omit the addition of
-'tests/gd2/php_bug_72339.c' and its associated binary data.
-
-From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Tue, 28 Jun 2016 16:23:42 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow
-
----
- src/gd_gd2.c                    |   5 ++++-
- tests/gd2/CMakeLists.txt        |   1 +
- tests/gd2/Makemodule.am         |   6 ++++--
- tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
- tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
- 5 files changed, 30 insertions(+), 3 deletions(-)
- create mode 100644 tests/gd2/php_bug_72339.c
- create mode 100644 tests/gd2/php_bug_72339_exp.gd2
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index fd1e0c9..bdbbecf 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 		nc = (*ncx) * (*ncy);
- 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
- 		sidx = sizeof (t_chunk_info) * nc;
-+		if (overflow2(sidx, nc)) {
-+			goto fail1;
-+		}
- 		cidx = gdCalloc (sidx, 1);
--		if (!cidx) {
-+		if (cidx == NULL) {
- 			goto fail1;
- 		}
- 		for (i = 0; i < nc; i++) {
-From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Wed, 29 Jun 2016 09:36:26 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow. Sync with php's sync
-
----
- src/gd_gd2.c              | 7 ++++++-
- tests/gd2/php_bug_72339.c | 2 +-
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index bdbbecf..2837456 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 
- 	if (gd2_compressed (*fmt)) {
- 		nc = (*ncx) * (*ncy);
-+
- 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
-+		if (overflow2(sizeof(t_chunk_info), nc)) {
-+			goto fail1;
-+		}
- 		sidx = sizeof (t_chunk_info) * nc;
--		if (overflow2(sidx, nc)) {
-+		if (sidx <= 0) {
- 			goto fail1;
- 		}
-+
- 		cidx = gdCalloc (sidx, 1);
- 		if (cidx == NULL) {
- 			goto fail1;
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6128.patch b/gnu/packages/patches/gd-CVE-2016-6128.patch
deleted file mode 100644
index 45ee6b0..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6128.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-Fix CVE-2016-6128 (invalid color index is not properly handled leading
-to denial of service).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6128
-
-Copied from upstream commits:
-https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd
-
-From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:17:39 +0700
-Subject: [PATCH 1/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- src/gd_crop.c        | 4 ++++
- tests/CMakeLists.txt | 1 +
- tests/Makefile.am    | 1 +
- 3 files changed, 6 insertions(+)
-
-diff --git a/src/gd_crop.c b/src/gd_crop.c
-index 0296633..532b49b 100644
---- a/src/gd_crop.c
-+++ b/src/gd_crop.c
-@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
- 		return NULL;
- 	}
- 
-+	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
-+		return NULL;
-+	}
-+
- 	/* TODO: Add gdImageGetRowPtr and works with ptr at the row level
- 	 * for the true color and palette images
- 	 * new formats will simply work with ptr
-diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
-index 6f5c786..5093d52 100644
---- a/tests/CMakeLists.txt
-+++ b/tests/CMakeLists.txt
-@@ -31,6 +31,7 @@ if (BUILD_TEST)
- 		gdimagecolortransparent
- 		gdimagecopy
- 		gdimagecopyrotated
-+        gdimagecrop
- 		gdimagefile
- 		gdimagefill
- 		gdimagefilledellipse
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 4f6e756..5a0ebe8 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -25,6 +25,7 @@ include gdimagecolorresolve/Makemodule.am
- include gdimagecolortransparent/Makemodule.am
- include gdimagecopy/Makemodule.am
- include gdimagecopyrotated/Makemodule.am
-+include gdimagecrop/Makemodule.am
- include gdimagefile/Makemodule.am
- include gdimagefill/Makemodule.am
- include gdimagefilledellipse/Makemodule.am
--- 
-2.9.1
-
-From 8c9f39c7cb1f62ea00bc7a48aff64d3811c2d6d0 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:20:07 +0700
-Subject: [PATCH 2/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/.gitignore | 1 +
- 1 file changed, 1 insertion(+)
- create mode 100644 tests/gdimagecrop/.gitignore
-
-diff --git a/tests/gdimagecrop/.gitignore b/tests/gdimagecrop/.gitignore
-new file mode 100644
-index 0000000..8e8c9c3
---- /dev/null
-+++ b/tests/gdimagecrop/.gitignore
-@@ -0,0 +1 @@
-+/php_bug_72494
--- 
-2.9.1
-
-From 8de370b7b6263a02268037a7cd13ddd991b43ea9 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:24:50 +0700
-Subject: [PATCH 3/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/CMakeLists.txt | 5 +++++
- 1 file changed, 5 insertions(+)
- create mode 100644 tests/gdimagecrop/CMakeLists.txt
-
-diff --git a/tests/gdimagecrop/CMakeLists.txt b/tests/gdimagecrop/CMakeLists.txt
-new file mode 100644
-index 0000000..f7e4c7e
---- /dev/null
-+++ b/tests/gdimagecrop/CMakeLists.txt
-@@ -0,0 +1,5 @@
-+SET(TESTS_FILES
-+	php_bug_72494
-+)
-+
-+ADD_GD_TESTS()
--- 
-2.9.1
-
-From bca12e4e11ecda8a0ea719472700ad5c2b36a0d6 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:25:12 +0700
-Subject: [PATCH 4/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/Makemodule.am | 5 +++++
- 1 file changed, 5 insertions(+)
- create mode 100644 tests/gdimagecrop/Makemodule.am
-
-diff --git a/tests/gdimagecrop/Makemodule.am b/tests/gdimagecrop/Makemodule.am
-new file mode 100644
-index 0000000..210888b
---- /dev/null
-+++ b/tests/gdimagecrop/Makemodule.am
-@@ -0,0 +1,5 @@
-+libgd_test_programs += \
-+	gdimagecrop/php_bug_72494
-+
-+EXTRA_DIST += \
-+	gdimagecrop/CMakeLists.txt
--- 
-2.9.1
-
-From 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:25:40 +0700
-Subject: [PATCH 5/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/php_bug_72494.c | 23 +++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
- create mode 100644 tests/gdimagecrop/php_bug_72494.c
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-new file mode 100644
-index 0000000..adaa379
---- /dev/null
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -0,0 +1,23 @@
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include "gd.h"
-+
-+#include "gdtest.h"
-+
-+int main()
-+{
-+	gdImagePtr im, exp;
-+	int error = 0;
-+
-+	im = gdImageCreate(50, 50);
-+
-+	if (!im) {
-+		gdTestErrorMsg("gdImageCreate failed.\n");
-+		return 1;
-+	}
-+
-+	gdImageCropThreshold(im, 1337, 0);
-+	gdImageDestroy(im);
-+	/* this bug tests a crash, it never reaches this point if the bug exists*/
-+	return 0;
-+}
--- 
-2.9.1
-
-From a0f9f8f7bd0d3a6c6afd6d180b8e75d93aadddfa Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:38:07 +0700
-Subject: [PATCH 6/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- src/gd_crop.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/gd_crop.c b/src/gd_crop.c
-index 532b49b..d51ad67 100644
---- a/src/gd_crop.c
-+++ b/src/gd_crop.c
-@@ -136,7 +136,7 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
- 		return NULL;
- 	}
- 
--	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
-+	if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
- 		return NULL;
- 	}
- 
--- 
-2.9.1
-
-From 907115fbb980862934d0de91af4977a216745039 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:51:40 +0700
-Subject: [PATCH 7/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- tests/gdimagecrop/php_bug_72494.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-index adaa379..5cb589b 100644
---- a/tests/gdimagecrop/php_bug_72494.c
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -6,7 +6,7 @@
- 
- int main()
- {
--	gdImagePtr im, exp;
-+	gdImagePtr im;
- 	int error = 0;
- 
- 	im = gdImageCreate(50, 50);
--- 
-2.9.1
-
-From fd623025505e87bba7ec8555eeb72dae4fb0afdc Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 12:04:25 +0700
-Subject: [PATCH 8/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- tests/gdimagecrop/php_bug_72494.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-index 5cb589b..3bd19be 100644
---- a/tests/gdimagecrop/php_bug_72494.c
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -7,7 +7,6 @@
- int main()
- {
- 	gdImagePtr im;
--	int error = 0;
- 
- 	im = gdImageCreate(50, 50);
- 
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6132.patch b/gnu/packages/patches/gd-CVE-2016-6132.patch
deleted file mode 100644
index 4c475b7..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6132.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132
-
-Copied from upstream commit:
-https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d
-
-From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
-Date: Tue, 12 Jul 2016 11:24:09 +0200
-Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
- files (CVE-2016-6132)
-
----
- src/gd_tga.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index ef20f86..20fe2d2 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
- 			return -1;
- 		}
- 
--		gdGetBuf(conversion_buffer, image_block_size, ctx);
-+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
-+			gd_error("gd-tga: premature end of image data\n");
-+			gdFree(conversion_buffer);
-+			return -1;
-+		}
- 
- 		while (buffer_caret < image_block_size) {
- 			tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
-@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
- 		}
- 		conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
- 		if (conversion_buffer == NULL) {
-+			gd_error("gd-tga: premature end of image data\n");
- 			gdFree( decompression_buffer );
- 			return -1;
- 		}
- 
--		gdGetBuf( conversion_buffer, image_block_size, ctx );
-+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
-+			gdFree(conversion_buffer);
-+			gdFree(decompression_buffer);
-+			return -1;
-+		}
- 
- 		buffer_caret = 0;
- 
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6214.patch b/gnu/packages/patches/gd-CVE-2016-6214.patch
deleted file mode 100644
index 7894a32..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6214.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
-
-Adapted from upstream commit:
-https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308
-
-Since `patch` cannot apply Git binary diffs, we omit the addition of
-'tests/tga/bug00247a.c' and its associated binary data.
-
-From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Tue, 12 Jul 2016 19:23:13 +0200
-Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
- gracefully
-
-Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
-really supported. All other combinations will be rejected with a warning.
-
-(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
----
- src/gd_tga.c             |  16 ++++++----------
- tests/tga/.gitignore     |   1 +
- tests/tga/CMakeLists.txt |   1 +
- tests/tga/Makemodule.am  |   4 +++-
- tests/tga/bug00247a.c    |  19 +++++++++++++++++++
- tests/tga/bug00247a.tga  | Bin 0 -> 36 bytes
- 6 files changed, 30 insertions(+), 11 deletions(-)
- create mode 100644 tests/tga/bug00247a.c
- create mode 100644 tests/tga/bug00247a.tga
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index 20fe2d2..b4f8fa6 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
- 			if (tga->bits == TGA_BPP_24) {
- 				*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
- 				bitmap_caret += 3;
--			} else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
-+			} else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
- 				register int a = tga->bitmap[bitmap_caret + 3];
- 
- 				*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
-@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
- 	printf("wxh: %i %i\n", tga->width, tga->height);
- #endif
- 
--	switch(tga->bits) {
--	case 8:
--	case 16:
--	case 24:
--	case 32:
--		break;
--	default:
--		gd_error("bps %i not supported", tga->bits);
-+	if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
-+		|| (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
-+	{
-+		gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
-+			tga->bits, tga->alphabits);
- 		return -1;
--		break;
- 	}
- 
- 	tga->ident = NULL;
diff --git a/gnu/packages/patches/gd-fix-test-on-i686.patch b/gnu/packages/patches/gd-fix-test-on-i686.patch
deleted file mode 100644
index 6dd2e0f..0000000
--- a/gnu/packages/patches/gd-fix-test-on-i686.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Disable part of the gdimagerotate test on architectures such as i686
-where intermediate floating-point operations are done with 80-bit long
-doubles, and typically later rounded to 64-bit doubles.  This double
-rounding causes small differences in the resulting pixel values
-compared with other architectures, causing the image comparison to
-fail.
-
-Patch by Mark H Weaver <mhw@netris.org>.
-
---- libgd-2.2.2/tests/gdimagerotate/bug00067.c	1969-12-31 19:00:00.000000000 -0500
-+++ libgd-2.2.2/tests/gdimagerotate/bug00067.c	2016-07-18 12:19:19.885423132 -0400
-@@ -1,5 +1,6 @@
- #include <stdio.h>
- #include <stdlib.h>
-+#include <float.h>
- #include "gd.h"
- 
- #include "gdtest.h"
-@@ -41,6 +42,7 @@
- 			return 1;
- 		}
- 
-+#if FLT_EVAL_METHOD != 2
- 		sprintf(filename, "bug00067_%03d_exp.png", angle);
- 		path = gdTestFilePath2("gdimagerotate", filename);
- 		if (!gdAssertImageEqualsToFile(path, exp)) {
-@@ -48,6 +50,7 @@
- 			error += 1;
- 		}
- 		free(path);
-+#endif
- 
- 		gdImageDestroy(exp);
- 	}
-- 
2.9.2


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-28 16:30   ` Leo Famulari
@ 2016-07-28 17:22     ` Mark H Weaver
  2016-07-28 18:38       ` Leo Famulari
  2016-07-28 18:56       ` Leo Famulari
  0 siblings, 2 replies; 14+ messages in thread
From: Mark H Weaver @ 2016-07-28 17:22 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> On Thu, Jul 28, 2016 at 10:40:49AM +0200, Andreas Enge wrote:
>> Well, the bug report states that the result is correct on armv7. Apparently
>> i686 is not IEEE compliant by default, while armv7 is. So it should be okay
>> to apply the flags only on i686. We assume that SSE, but not SSE2 or later
>> are supported, see our Qt package.
>
> Thanks for the advice. What do you think about the attached patch?

Not all i686 systems have support for SSE.  I don't think we should
apply the upstream suggested workaround, which effectively amounts to
dropping support for older systems.  If we want to add a requirement for
SSE for i686 systems in Guix, that should be a separate discussion, and
not rushed in as part of a security update.

I will adapt my patch to the new version.

     Mark

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-28 17:22     ` Mark H Weaver
@ 2016-07-28 18:38       ` Leo Famulari
  2016-07-28 18:56       ` Leo Famulari
  1 sibling, 0 replies; 14+ messages in thread
From: Leo Famulari @ 2016-07-28 18:38 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
> Not all i686 systems have support for SSE.  I don't think we should
> apply the upstream suggested workaround, which effectively amounts to
> dropping support for older systems.  If we want to add a requirement for
> SSE for i686 systems in Guix, that should be a separate discussion, and
> not rushed in as part of a security update.
> 
> I will adapt my patch to the new version.

Okay, thanks Mark!

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-28 17:22     ` Mark H Weaver
  2016-07-28 18:38       ` Leo Famulari
@ 2016-07-28 18:56       ` Leo Famulari
  2016-07-28 20:47         ` Leo Famulari
  2016-07-29 17:59         ` Mark H Weaver
  1 sibling, 2 replies; 14+ messages in thread
From: Leo Famulari @ 2016-07-28 18:56 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
> I will adapt my patch to the new version.

Unfortunately, this new patch makes libgd fail to build from source on
x86_64, like this:

gdimagecopyresampled/basic_alpha.c: In function ‘main’:
gdimagecopyresampled/basic_alpha.c:37:23: error: value computed is not used [-Werror=unused-value]
  FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/basic_alpha_exp.png", copy);
                       ^
cc1: all warnings being treated as errors
Makefile:3120: recipe for target 'gdimagecopyresampled/basic_alpha.o' failed
make[2]: *** [gdimagecopyresampled/basic_alpha.o] Error 1
make[2]: *** Waiting for unfinished jobs....
gdimagecopyresampled/bug00201.c: In function ‘main’:
gdimagecopyresampled/bug00201.c:69:26: error: value computed is not used [-Werror=unused-value]
     FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/bug00201_exp.png", img);
                          ^
cc1: all warnings being treated as errors
Makefile:3120: recipe for target 'gdimagecopyresampled/bug00201.o' failed
make[2]: *** [gdimagecopyresampled/bug00201.o] Error 1
make[2]: Leaving directory '/tmp/guix-build-gd-2.2.3.drv-0/libgd-2.2.3/tests'
Makefile:4318: recipe for target 'check-am' failed
make[1]: *** [check-am] Error 2
make[1]: Leaving directory '/tmp/guix-build-gd-2.2.3.drv-0/libgd-2.2.3/tests'
Makefile:408: recipe for target 'check-recursive' failed
make: *** [check-recursive] Error 1
phase `check' failed after 2.0 seconds

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-28 18:56       ` Leo Famulari
@ 2016-07-28 20:47         ` Leo Famulari
  2016-07-29 17:59         ` Mark H Weaver
  1 sibling, 0 replies; 14+ messages in thread
From: Leo Famulari @ 2016-07-28 20:47 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

On Thu, Jul 28, 2016 at 02:56:06PM -0400, Leo Famulari wrote:
> On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
> > I will adapt my patch to the new version.
> 
> Unfortunately, this new patch makes libgd fail to build from source on
> x86_64, like this:

I reverted the commit on master and merged master into core-updates.

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-28  7:23 libgd security update / i686 issues Leo Famulari
  2016-07-28  8:34 ` Andreas Enge
  2016-07-28  8:40 ` Andreas Enge
@ 2016-07-28 21:26 ` Leo Famulari
  2016-07-29 15:00   ` Ludovic Courtès
  2 siblings, 1 reply; 14+ messages in thread
From: Leo Famulari @ 2016-07-28 21:26 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 262 bytes --]

On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
> libgd 2.2.3 has been released [0], which includes fixes for
> CVE-2016-6207.

Instead of updating to 2.2.3, we could also try cherry-picking the
upstream commits that address this bug, as attached.

[-- Attachment #2: 0001-gnu-gd-Fix-CVE-2016-6207.patch --]
[-- Type: text/x-diff, Size: 16816 bytes --]

From 1ac0113094a8a2914f9f78da2d2e13c378c61e06 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 28 Jul 2016 17:23:53 -0400
Subject: [PATCH] gnu: gd: Fix CVE-2016-6207.

* gnu/packages/patches/gd-CVE-2016-6207.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gd.scm (gd)[source]: Use it.
---
 gnu/local.mk                                |   1 +
 gnu/packages/gd.scm                         |   1 +
 gnu/packages/patches/gd-CVE-2016-6207.patch | 455 ++++++++++++++++++++++++++++
 3 files changed, 457 insertions(+)
 create mode 100644 gnu/packages/patches/gd-CVE-2016-6207.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c789b19..6b9b2c4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -516,6 +516,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/gd-CVE-2016-5766.patch			\
   %D%/packages/patches/gd-CVE-2016-6128.patch			\
   %D%/packages/patches/gd-CVE-2016-6132.patch			\
+  %D%/packages/patches/gd-CVE-2016-6207.patch			\
   %D%/packages/patches/gd-CVE-2016-6214.patch			\
   %D%/packages/patches/gd-fix-test-on-i686.patch		\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 3313ee6..83f0d48 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -51,6 +51,7 @@
                                       "gd-CVE-2016-5766.patch"
                                       "gd-CVE-2016-6128.patch"
                                       "gd-CVE-2016-6132.patch"
+                                      "gd-CVE-2016-6207.patch"
                                       "gd-CVE-2016-6214.patch"))
              (sha256
               (base32
diff --git a/gnu/packages/patches/gd-CVE-2016-6207.patch b/gnu/packages/patches/gd-CVE-2016-6207.patch
new file mode 100644
index 0000000..255cd20
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-6207.patch
@@ -0,0 +1,455 @@
+Fix CVE-2016-6207 (denial of service caused by integer overflow in
+_gdContributionsAlloc()):
+
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869>
+
+Copied from upstream commits:
+<https://github.com/libgd/libgd/commit/0dd40abd6d5b3e53a6b745dd4d6cf94b70010989>
+<https://github.com/libgd/libgd/commit/d325888a9fe3c9681e4a9aad576de2c5cd5df2ef>
+<https://github.com/libgd/libgd/commit/ff9113c80a32205d45205d3ea30965b25480e0fb>
+<https://github.com/libgd/libgd/commit/f60ec7a546499f9446063a4dbe755be9523d8232>
+<https://github.com/libgd/libgd/commit/7a28c235890c95e6010e7b0d0f7c7369367168ef>
+
+From 819ae1b7fce4a61a1492640dd08daa19066af5ab Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 19 Jul 2016 14:45:56 +0700
+Subject: [PATCH] fix possible OOB or OOM in gdImageScale, reported by Secunia
+ (CVE 2016-6207)
+
+---
+ src/gd.c                                         | 89 +++++++++++-------------
+ src/gd_interpolation.c                           | 47 +++++++++++--
+ tests/gdimagescale/CMakeLists.txt                |  1 +
+ tests/gdimagescale/Makemodule.am                 |  3 +-
+ tests/gdimagescale/bug_overflow_large_new_size.c | 31 +++++++++
+ 5 files changed, 116 insertions(+), 55 deletions(-)
+ create mode 100644 tests/gdimagescale/bug_overflow_large_new_size.c
+
+diff --git a/src/gd.c b/src/gd.c
+index 855e8ca..7faf066 100644
+--- a/src/gd.c
++++ b/src/gd.c
+@@ -272,7 +272,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateTrueColor (int sx, int sy)
+ 		return 0;
+ 	}
+ 
+-	if (overflow2(sizeof(int), sx)) {
++	if (overflow2(sizeof(int *), sx)) {
+ 		return NULL;
+ 	}
+ 
+@@ -2946,78 +2946,77 @@ BGD_DECLARE(void) gdImageCopyResampled (gdImagePtr dst,
+ 										int dstW, int dstH, int srcW, int srcH)
+ {
+ 	int x, y;
+-	double sy1, sy2, sx1, sx2;
+ 	if (!dst->trueColor) {
+-		gdImageCopyResized (dst, src, dstX, dstY, srcX, srcY, dstW, dstH,
+-		                    srcW, srcH);
++		gdImageCopyResized (dst, src, dstX, dstY, srcX, srcY, dstW, dstH, srcW, srcH);
+ 		return;
+ 	}
+ 	for (y = dstY; (y < dstY + dstH); y++) {
+-		sy1 = ((double) y - (double) dstY) * (double) srcH / (double) dstH;
+-		sy2 = ((double) (y + 1) - (double) dstY) * (double) srcH /
+-		      (double) dstH;
+ 		for (x = dstX; (x < dstX + dstW); x++) {
+-			double sx, sy;
+-			double spixels = 0;
+-			double red = 0.0, green = 0.0, blue = 0.0, alpha = 0.0;
+-			double alpha_sum = 0.0, contrib_sum = 0.0;
+-
+-			sx1 = ((double) x - (double) dstX) * (double) srcW / dstW;
+-			sx2 = ((double) (x + 1) - (double) dstX) * (double) srcW / dstW;
++			float sy1, sy2, sx1, sx2;
++			float sx, sy;
++			float spixels = 0.0;
++			float red = 0.0, green = 0.0, blue = 0.0, alpha = 0.0;
++			float alpha_factor, alpha_sum = 0.0, contrib_sum = 0.0;
++			sy1 = ((float)(y - dstY)) * (float)srcH / (float)dstH;
++			sy2 = ((float)(y + 1 - dstY)) * (float) srcH / (float) dstH;
+ 			sy = sy1;
+ 			do {
+-				double yportion;
+-				if (floor2 (sy) == floor2 (sy1)) {
+-					yportion = 1.0 - (sy - floor2 (sy));
++				float yportion;
++				if (floorf(sy) == floorf(sy1)) {
++					yportion = 1.0 - (sy - floorf(sy));
+ 					if (yportion > sy2 - sy1) {
+ 						yportion = sy2 - sy1;
+ 					}
+-					sy = floor2 (sy);
+-				} else if (sy == floor2 (sy2)) {
+-					yportion = sy2 - floor2 (sy2);
++					sy = floorf(sy);
++				} else if (sy == floorf(sy2)) {
++					yportion = sy2 - floorf(sy2);
+ 				} else {
+ 					yportion = 1.0;
+ 				}
++				sx1 = ((float)(x - dstX)) * (float) srcW / dstW;
++				sx2 = ((float)(x + 1 - dstX)) * (float) srcW / dstW;
+ 				sx = sx1;
+ 				do {
+-					double xportion;
+-					double pcontribution;
++					float xportion;
++					float pcontribution;
+ 					int p;
+-					if (floor2 (sx) == floor2 (sx1)) {
+-						xportion = 1.0 - (sx - floor2 (sx));
++					if (floorf(sx) == floorf(sx1)) {
++						xportion = 1.0 - (sx - floorf(sx));
+ 						if (xportion > sx2 - sx1) {
+ 							xportion = sx2 - sx1;
+ 						}
+-						sx = floor2 (sx);
+-					} else if (sx == floor2 (sx2)) {
+-						xportion = sx2 - floor2 (sx2);
++						sx = floorf(sx);
++					} else if (sx == floorf(sx2)) {
++						xportion = sx2 - floorf(sx2);
+ 					} else {
+ 						xportion = 1.0;
+ 					}
+ 					pcontribution = xportion * yportion;
+-					/* 2.08: previously srcX and srcY were ignored.
+-					   Andrew Pattison */
+-					p = gdImageGetTrueColorPixel (src,
+-					                              (int) sx + srcX,
+-					                              (int) sy + srcY);
+-					red += gdTrueColorGetRed (p) * pcontribution;
+-					green += gdTrueColorGetGreen (p) * pcontribution;
+-					blue += gdTrueColorGetBlue (p) * pcontribution;
++					p = gdImageGetTrueColorPixel(src, (int) sx + srcX, (int) sy + srcY);
++
++					alpha_factor = ((gdAlphaMax - gdTrueColorGetAlpha(p))) * pcontribution;
++					red += gdTrueColorGetRed (p) * alpha_factor;
++					green += gdTrueColorGetGreen (p) * alpha_factor;
++					blue += gdTrueColorGetBlue (p) * alpha_factor;
+ 					alpha += gdTrueColorGetAlpha (p) * pcontribution;
++					alpha_sum += alpha_factor;
++					contrib_sum += pcontribution;
+ 					spixels += xportion * yportion;
+ 					sx += 1.0;
+-				} while (sx < sx2);
+-				sy += 1.0;
+-			} while (sy < sy2);
++				}
++				while (sx < sx2);
++				sy += 1.0f;
++			}
++			while (sy < sy2);
++
+ 			if (spixels != 0.0) {
+ 				red /= spixels;
+ 				green /= spixels;
+ 				blue /= spixels;
+ 				alpha /= spixels;
+-				alpha += 0.5;
+ 			}
+-			if ( alpha_sum != 0.0f) {
+-				if( contrib_sum != 0.0f) {
++			if ( alpha_sum != 0.0) {
++				if( contrib_sum != 0.0) {
+ 					alpha_sum /= contrib_sum;
+ 				}
+ 				red /= alpha_sum;
+@@ -3031,17 +3030,13 @@ BGD_DECLARE(void) gdImageCopyResampled (gdImagePtr dst,
+ 			if (green > 255.0) {
+ 				green = 255.0;
+ 			}
+-			if (blue > 255.0) {
++			if (blue > 255.0f) {
+ 				blue = 255.0;
+ 			}
+ 			if (alpha > gdAlphaMax) {
+ 				alpha = gdAlphaMax;
+ 			}
+-			gdImageSetPixel (dst,
+-			                 x, y,
+-			                 gdTrueColorAlpha ((int) red,
+-			                                   (int) green,
+-			                                   (int) blue, (int) alpha));
++			gdImageSetPixel(dst, x, y, gdTrueColorAlpha ((int) red, (int) green, (int) blue, (int) alpha));
+ 		}
+ 	}
+ }
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index da6c8ad..72845d2 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -829,6 +829,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ {
+ 	unsigned int u = 0;
+ 	LineContribType *res;
++	int overflow_error = 0;
+ 
+ 	res = (LineContribType *) gdMalloc(sizeof(LineContribType));
+ 	if (!res) {
+@@ -836,10 +837,28 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ 	}
+ 	res->WindowSize = windows_size;
+ 	res->LineLength = line_length;
++	if (overflow2(line_length, sizeof(ContributionType))) {
++		return NULL;
++	}
+ 	res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
+-
++	if (res->ContribRow == NULL) {
++		gdFree(res);
++		return NULL;
++	}
+ 	for (u = 0 ; u < line_length ; u++) {
+-		res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
++		if (overflow2(windows_size, sizeof(double))) {
++			overflow_error = 1;
++		} else {
++			res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
++		}
++		if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
++			u--;
++			while (u >= 0) {
++				gdFree(res->ContribRow[u].Weights);
++				u--;
++			}
++			return NULL;
++		}
+ 	}
+ 	return res;
+ }
+@@ -872,7 +891,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
+ 
+ 	windows_size = 2 * (int)ceil(width_d) + 1;
+ 	res = _gdContributionsAlloc(line_size, windows_size);
+-
++	if (res == NULL) {
++		return NULL;
++	}
+ 	for (u = 0; u < line_size; u++) {
+ 		const double dCenter = (double)u / scale_d;
+ 		/* get the significant edge points affecting the pixel */
+@@ -977,7 +998,6 @@ _gdScalePass(const gdImagePtr pSrc, const unsigned int src_len,
+         _gdScaleOneAxis(pSrc, pDst, dst_len, line_ndx, contrib, axis);
+ 	}
+ 	_gdContributionsFree (contrib);
+-
+     return 1;
+ }/* _gdScalePass*/
+ 
+@@ -990,6 +1010,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+     const unsigned int src_height = src->sy;
+ 	gdImagePtr tmp_im = NULL;
+ 	gdImagePtr dst = NULL;
++	int scale_pass_res;
+ 
+     /* First, handle the trivial case. */
+     if (src_width == new_width && src_height == new_height) {
+@@ -1011,7 +1032,11 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+         }
+         gdImageSetInterpolationMethod(tmp_im, src->interpolation_id);
+ 
+-        _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
++		scale_pass_res = _gdScalePass(src, src_width, tmp_im, new_width, src_height, HORIZONTAL);
++		if (scale_pass_res != 1) {
++			gdImageDestroy(tmp_im);
++			return NULL;
++		}
+     }/* if .. else*/
+ 
+     /* If vertical sizes match, we're done. */
+@@ -1024,10 +1049,18 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+ 	dst = gdImageCreateTrueColor(new_width, new_height);
+ 	if (dst != NULL) {
+         gdImageSetInterpolationMethod(dst, src->interpolation_id);
+-        _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
++        scale_pass_res = _gdScalePass(tmp_im, src_height, dst, new_height, new_width, VERTICAL);
++		if (scale_pass_res != 1) {
++			gdImageDestroy(dst);
++			if (src != tmp_im && tmp_im != NULL) {
++				gdImageDestroy(tmp_im);
++			}
++			return NULL;
++	   }
+     }/* if */
+ 
+-    if (src != tmp_im) {
++
++	if (src != tmp_im && tmp_im != NULL) {
+         gdImageDestroy(tmp_im);
+     }/* if */
+ 
+diff --git a/tests/gdimagescale/CMakeLists.txt b/tests/gdimagescale/CMakeLists.txt
+index 1098e06..91bd015 100644
+--- a/tests/gdimagescale/CMakeLists.txt
++++ b/tests/gdimagescale/CMakeLists.txt
+@@ -1,5 +1,6 @@
+ SET(TESTS_FILES
+ 	github_bug_00218
++	bug_overflow_large_new_size
+ )
+ 
+ ADD_GD_TESTS()
+diff --git a/tests/gdimagescale/Makemodule.am b/tests/gdimagescale/Makemodule.am
+index dacabe7..23b8924 100644
+--- a/tests/gdimagescale/Makemodule.am
++++ b/tests/gdimagescale/Makemodule.am
+@@ -1,6 +1,7 @@
+ 
+ libgd_test_programs += \
+-	gdimagescale/github_bug_00218
++	gdimagescale/github_bug_00218 \
++	gdimagescale/bug_overflow_large_new_size
+ 
+ EXTRA_DIST += \
+ 	gdimagescale/CMakeLists.txt
+diff --git a/tests/gdimagescale/bug_overflow_large_new_size.c b/tests/gdimagescale/bug_overflow_large_new_size.c
+new file mode 100644
+index 0000000..0a8503b
+--- /dev/null
++++ b/tests/gdimagescale/bug_overflow_large_new_size.c
+@@ -0,0 +1,31 @@
++#include <stdio.h>
++#include <stdlib.h>
++#include "gd.h"
++#include <math.h>
++
++#include "gdtest.h"
++
++int main()
++{
++	gdImagePtr im, im2;
++
++	im = gdImageCreate(1,1);
++	if (im == NULL) {
++		printf("gdImageCreate failed\n");
++		return 1;
++	}
++	gdImageSetInterpolationMethod(im, GD_BELL);
++	
++	/* here the call may pass if the system has enough memory (physical or swap)
++	   or fails (overflow check or alloc fails.
++	   in both cases the tests pass */
++	im2 = gdImageScale(im,0x15555556, 1);
++	if (im2 == NULL) {
++		printf("gdImageScale failed, expected (out of memory or overflow validation\n");
++		return 0;
++	}
++	gdImageDestroy(im);
++	gdImageDestroy(im2);
++
++	return 0;
++}
+-- 
+2.9.2
+
+From d325888a9fe3c9681e4a9aad576de2c5cd5df2ef Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 19 Jul 2016 15:25:47 +0700
+Subject: [PATCH 1/3] fix possible OOB or OOM in gdImageScale, reported by
+ Secunia (CVE 2016-6207)
+
+---
+ src/gd_interpolation.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index 6b7e4ec..602d0f7 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -838,6 +838,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ 	res->WindowSize = windows_size;
+ 	res->LineLength = line_length;
+ 	if (overflow2(line_length, sizeof(ContributionType))) {
++		gdFree(res);
+ 		return NULL;
+ 	}
+ 	res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
+-- 
+2.9.2
+
+From ff9113c80a32205d45205d3ea30965b25480e0fb Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 19 Jul 2016 15:57:08 +0700
+Subject: [PATCH 2/3] fix possible OOB or OOM in gdImageScale, reported by
+ Secunia (CVE 2016-6207)
+
+---
+ src/gd_interpolation.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index 602d0f7..ca1ad10 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -853,11 +853,12 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ 			res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+ 		}
+ 		if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
++			unsigned int i;
+ 			u--;
+-			while (u >= 0) {
+-				gdFree(res->ContribRow[u].Weights);
+-				u--;
++			for (i=0;i<=u;i++) {
++				gdFree(res->ContribRow[i].Weights);
+ 			}
++			gdFree(res);
+ 			return NULL;
+ 		}
+ 	}
+-- 
+2.9.2
+
+From f60ec7a546499f9446063a4dbe755be9523d8232 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 19 Jul 2016 16:30:52 +0700
+Subject: [PATCH 3/3] fix possible OOB or OOM in gdImageScale, reported by
+ Secunia (CVE 2016-6207)
+
+---
+ src/gd_interpolation.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index ca1ad10..c9bcb0c 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -858,6 +858,7 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
+ 			for (i=0;i<=u;i++) {
+ 				gdFree(res->ContribRow[i].Weights);
+ 			}
++			gdFree(res->ContribRow);
+ 			gdFree(res);
+ 			return NULL;
+ 		}
+-- 
+2.9.2
+
+From c64a4aeeeeed7b81bc732ca993224ece9ebbc126 Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 19 Jul 2016 17:05:54 +0700
+Subject: [PATCH] fix possible OOB or OOM in gdImageScale, reported by Secunia
+ (CVE 2016-6207)
+
+---
+ src/gd_interpolation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c
+index c9bcb0c..3f4b49f 100644
+--- a/src/gd_interpolation.c
++++ b/src/gd_interpolation.c
+@@ -1063,7 +1063,7 @@ gdImageScaleTwoPass(const gdImagePtr src, const unsigned int new_width,
+     }/* if */
+ 
+ 
+-	if (src != tmp_im && tmp_im != NULL) {
++	if (tmp_im != NULL && src != tmp_im) {
+         gdImageDestroy(tmp_im);
+     }/* if */
+ 
+-- 
+2.9.2
+
-- 
2.9.2


^ permalink raw reply related	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-28 21:26 ` Leo Famulari
@ 2016-07-29 15:00   ` Ludovic Courtès
  2016-07-29 15:42     ` Leo Famulari
  0 siblings, 1 reply; 14+ messages in thread
From: Ludovic Courtès @ 2016-07-29 15:00 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Thu, Jul 28, 2016 at 03:23:37AM -0400, Leo Famulari wrote:
>> libgd 2.2.3 has been released [0], which includes fixes for
>> CVE-2016-6207.
>
> Instead of updating to 2.2.3, we could also try cherry-picking the
> upstream commits that address this bug, as attached.

Are there any good reasons not to update?

I would tend to update, which sounds simpler and will have to be done
anyway, but maybe I’m overlooking something.

Thanks for taking care of this,
Ludo’.

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-29 15:00   ` Ludovic Courtès
@ 2016-07-29 15:42     ` Leo Famulari
  0 siblings, 0 replies; 14+ messages in thread
From: Leo Famulari @ 2016-07-29 15:42 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Fri, Jul 29, 2016 at 05:00:38PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > Instead of updating to 2.2.3, we could also try cherry-picking the
> > upstream commits that address this bug, as attached.
> 
> Are there any good reasons not to update?
> 
> I would tend to update, which sounds simpler and will have to be done
> anyway, but maybe I’m overlooking something.

I tried the update, because it's indeed simpler, but that breaks the
libgd build on i686-linux due to a test failure. Upstream suggests to
build with '-msse -mfpmath-sse'. But, as Mark pointed out, this would
mean we drop support for older i686 hardware without SSE, at least for
software that uses libgd.

The patch that Mark has in the current package tree works around this,
and he also updated his patch for the new version of libgd.

Unfortunately, it seems that the upstream developers have turned on
-Werror. So, Mark's approach makes the build fail on, at least, x86_64,
due to warnings about unused variables being treated as errors. I pasted
these error messages elsehwere in this thread.

I don't really like cherry-picking these commits; they are not from the
correct gd-2.2.2 branch.

We could also try deleting the test, disabling -Werror, complaining to
upstream, take another approach at disabling the test conditionally, or
... something else?

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-28 18:56       ` Leo Famulari
  2016-07-28 20:47         ` Leo Famulari
@ 2016-07-29 17:59         ` Mark H Weaver
  2016-07-29 18:52           ` Leo Famulari
  2016-07-29 20:33           ` Mark H Weaver
  1 sibling, 2 replies; 14+ messages in thread
From: Mark H Weaver @ 2016-07-29 17:59 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
>> I will adapt my patch to the new version.
>
> Unfortunately, this new patch makes libgd fail to build from source on
> x86_64, like this:
>
> gdimagecopyresampled/basic_alpha.c: In function ‘main’:
> gdimagecopyresampled/basic_alpha.c:37:23: error: value computed is not used [-Werror=unused-value]
>   FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/basic_alpha_exp.png", copy);
>                        ^
> cc1: all warnings being treated as errors
> Makefile:3120: recipe for target 'gdimagecopyresampled/basic_alpha.o' failed
> make[2]: *** [gdimagecopyresampled/basic_alpha.o] Error 1
> make[2]: *** Waiting for unfinished jobs....
> gdimagecopyresampled/bug00201.c: In function ‘main’:
> gdimagecopyresampled/bug00201.c:69:26: error: value computed is not used [-Werror=unused-value]
>      FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/bug00201_exp.png", img);
>                           ^
> cc1: all warnings being treated as errors
> Makefile:3120: recipe for target 'gdimagecopyresampled/bug00201.o' failed

Bah, sorry about that.  I just pushed an updated patch that builds
successfully on x86_64 and i686, and hopefully on the others as well.

      Mark

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-29 17:59         ` Mark H Weaver
@ 2016-07-29 18:52           ` Leo Famulari
  2016-07-29 20:33           ` Mark H Weaver
  1 sibling, 0 replies; 14+ messages in thread
From: Leo Famulari @ 2016-07-29 18:52 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: guix-devel

On Fri, Jul 29, 2016 at 01:59:15PM -0400, Mark H Weaver wrote:
> Bah, sorry about that.  I just pushed an updated patch that builds
> successfully on x86_64 and i686, and hopefully on the others as well.

Thank you!

^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: libgd security update / i686 issues
  2016-07-29 17:59         ` Mark H Weaver
  2016-07-29 18:52           ` Leo Famulari
@ 2016-07-29 20:33           ` Mark H Weaver
  1 sibling, 0 replies; 14+ messages in thread
From: Mark H Weaver @ 2016-07-29 20:33 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Mark H Weaver <mhw@netris.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
>>> I will adapt my patch to the new version.
>>
>> Unfortunately, this new patch makes libgd fail to build from source on
>> x86_64, like this:
>>
>> gdimagecopyresampled/basic_alpha.c: In function ‘main’:
>> gdimagecopyresampled/basic_alpha.c:37:23: error: value computed is not used [-Werror=unused-value]
>>   FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/basic_alpha_exp.png", copy);
>>                        ^
>> cc1: all warnings being treated as errors
>> Makefile:3120: recipe for target 'gdimagecopyresampled/basic_alpha.o' failed
>> make[2]: *** [gdimagecopyresampled/basic_alpha.o] Error 1
>> make[2]: *** Waiting for unfinished jobs....
>> gdimagecopyresampled/bug00201.c: In function ‘main’:
>> gdimagecopyresampled/bug00201.c:69:26: error: value computed is not used [-Werror=unused-value]
>>      FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/bug00201_exp.png", img);
>>                           ^
>> cc1: all warnings being treated as errors
>> Makefile:3120: recipe for target 'gdimagecopyresampled/bug00201.o' failed
>
> Bah, sorry about that.  I just pushed an updated patch that builds
> successfully on x86_64 and i686, and hopefully on the others as well.

The build failed on armhf and mips64el, due to another warning->error
that's unrelated to my patch.  I pushed a possible fix to the
'wip-gd-fix' branch and asked hydra to build it.

      Mark

^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2016-07-29 20:33 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-07-28  7:23 libgd security update / i686 issues Leo Famulari
2016-07-28  8:34 ` Andreas Enge
2016-07-28  8:40 ` Andreas Enge
2016-07-28 16:30   ` Leo Famulari
2016-07-28 17:22     ` Mark H Weaver
2016-07-28 18:38       ` Leo Famulari
2016-07-28 18:56       ` Leo Famulari
2016-07-28 20:47         ` Leo Famulari
2016-07-29 17:59         ` Mark H Weaver
2016-07-29 18:52           ` Leo Famulari
2016-07-29 20:33           ` Mark H Weaver
2016-07-28 21:26 ` Leo Famulari
2016-07-29 15:00   ` Ludovic Courtès
2016-07-29 15:42     ` Leo Famulari

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.