|
 |
cb9d8a |
From f58c813f8afcd08acdd630f378cff1a5009655cc Mon Sep 17 00:00:00 2001
|
|
|
cb9d8a |
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
|
|
|
cb9d8a |
Date: Thu, 31 Jan 2019 16:02:19 +0000
|
|
|
cb9d8a |
Subject: [PATCH] merge in fixes for libgd CVE-2019-6978
|
|
|
cb9d8a |
|
|
|
cb9d8a |
---
|
|
|
cb9d8a |
README | 5 +++++
|
|
|
cb9d8a |
configure.ac | 2 +-
|
|
|
cb9d8a |
src/extra/gd/gd_jpeg.c | 21 +++++++++++++++++----
|
|
|
cb9d8a |
src/extra/gd/gd_wbmp.c | 24 ++++++++++++++++++++++--
|
|
|
cb9d8a |
4 files changed, 45 insertions(+), 7 deletions(-)
|
|
|
cb9d8a |
|
|
|
cb9d8a |
diff --git a/src/extra/gd/gd_jpeg.c b/src/extra/gd/gd_jpeg.c
|
|
|
cb9d8a |
index 7e6dfbb..b270186 100644
|
|
|
cb9d8a |
--- a/src/extra/gd/gd_jpeg.c
|
|
|
cb9d8a |
+++ b/src/extra/gd/gd_jpeg.c
|
|
|
cb9d8a |
@@ -72,6 +72,8 @@ fatal_jpeg_error (j_common_ptr cinfo)
|
|
|
cb9d8a |
exit (99);
|
|
|
cb9d8a |
}
|
|
|
cb9d8a |
|
|
|
cb9d8a |
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
|
|
|
cb9d8a |
+
|
|
|
cb9d8a |
/*
|
|
|
cb9d8a |
* Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
|
|
|
cb9d8a |
* QUALITY. If QUALITY is in the range 0-100, increasing values
|
|
|
cb9d8a |
@@ -93,8 +95,12 @@ gdImageJpegPtr (gdImagePtr im, int *size, int quality)
|
|
|
cb9d8a |
{
|
|
|
cb9d8a |
void *rv;
|
|
|
cb9d8a |
gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
|
|
|
cb9d8a |
- gdImageJpegCtx (im, out, quality);
|
|
|
cb9d8a |
- rv = gdDPExtractData (out, size);
|
|
|
cb9d8a |
+ if (out == NULL) return NULL;
|
|
|
cb9d8a |
+ if (!_gdImageJpegCtx(im, out, quality)) {
|
|
|
cb9d8a |
+ rv = gdDPExtractData(out, size);
|
|
|
cb9d8a |
+ } else {
|
|
|
cb9d8a |
+ rv = NULL;
|
|
|
cb9d8a |
+ }
|
|
|
cb9d8a |
out->free (out);
|
|
|
cb9d8a |
return rv;
|
|
|
cb9d8a |
}
|
|
|
cb9d8a |
@@ -103,6 +109,12 @@ static void jpeg_gdIOCtx_dest (j_compress_ptr cinfo, gdIOCtx * outfile);
|
|
|
cb9d8a |
|
|
|
cb9d8a |
void
|
|
|
cb9d8a |
gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
|
|
|
cb9d8a |
+{
|
|
|
cb9d8a |
+ _gdImageJpegCtx(im, outfile, quality);
|
|
|
cb9d8a |
+}
|
|
|
cb9d8a |
+
|
|
|
cb9d8a |
+/* returns 0 on success, 1 on failure */
|
|
|
cb9d8a |
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
|
|
|
cb9d8a |
{
|
|
|
cb9d8a |
struct jpeg_compress_struct cinfo;
|
|
|
cb9d8a |
struct jpeg_error_mgr jerr;
|
|
|
cb9d8a |
@@ -139,7 +151,7 @@ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
|
|
|
cb9d8a |
/* we're here courtesy of longjmp */
|
|
|
cb9d8a |
if (row)
|
|
|
cb9d8a |
gdFree (row);
|
|
|
cb9d8a |
- return;
|
|
|
cb9d8a |
+ return 1;
|
|
|
cb9d8a |
}
|
|
|
cb9d8a |
|
|
|
cb9d8a |
cinfo.err->error_exit = fatal_jpeg_error;
|
|
|
cb9d8a |
@@ -173,7 +185,7 @@ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
|
|
|
cb9d8a |
fprintf (stderr, "gd-jpeg: error: unable to allocate JPEG row "
|
|
|
cb9d8a |
"structure: gdCalloc returns NULL\n");
|
|
|
cb9d8a |
jpeg_destroy_compress (&cinfo);
|
|
|
cb9d8a |
- return;
|
|
|
cb9d8a |
+ return 1;
|
|
|
cb9d8a |
}
|
|
|
cb9d8a |
|
|
|
cb9d8a |
rowptr[0] = row;
|
|
|
cb9d8a |
@@ -254,6 +266,7 @@ error:
|
|
|
cb9d8a |
#endif
|
|
|
cb9d8a |
jpeg_destroy_compress (&cinfo);
|
|
|
cb9d8a |
gdFree (row);
|
|
|
cb9d8a |
+ return 0;
|
|
|
cb9d8a |
}
|
|
|
cb9d8a |
|
|
|
cb9d8a |
gdImagePtr
|
|
|
cb9d8a |
diff --git a/src/extra/gd/gd_wbmp.c b/src/extra/gd/gd_wbmp.c
|
|
|
cb9d8a |
index f1258da..4b27043 100644
|
|
|
cb9d8a |
--- a/src/extra/gd/gd_wbmp.c
|
|
|
cb9d8a |
+++ b/src/extra/gd/gd_wbmp.c
|
|
|
cb9d8a |
@@ -85,6 +85,7 @@ gd_getin (void *in)
|
|
|
cb9d8a |
return (gdGetC ((gdIOCtx *) in));
|
|
|
cb9d8a |
}
|
|
|
cb9d8a |
|
|
|
cb9d8a |
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
|
|
|
cb9d8a |
|
|
|
cb9d8a |
/* gdImageWBMPCtx
|
|
|
cb9d8a |
** --------------
|
|
|
cb9d8a |
@@ -97,6 +98,12 @@ gd_getin (void *in)
|
|
|
cb9d8a |
*/
|
|
|
cb9d8a |
void
|
|
|
cb9d8a |
gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
|
|
|
cb9d8a |
+{
|
|
|
cb9d8a |
+ _gdImageWBMPCtx(image, fg, out);
|
|
|
cb9d8a |
+}
|
|
|
cb9d8a |
+
|
|
|
cb9d8a |
+/* returns 0 on success, 1 on failure */
|
|
|
cb9d8a |
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
|
|
|
cb9d8a |
{
|
|
|
cb9d8a |
|
|
|
cb9d8a |
int x, y, pos;
|
|
|
cb9d8a |
@@ -107,7 +114,7 @@ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
|
|
|
cb9d8a |
if ((wbmp = createwbmp (gdImageSX (image), gdImageSY (image), WBMP_WHITE)) == NULL)
|
|
|
cb9d8a |
{
|
|
|
cb9d8a |
fprintf (stderr, "Could not create WBMP\n");
|
|
|
cb9d8a |
- return;
|
|
|
cb9d8a |
+ return 1;
|
|
|
cb9d8a |
}
|
|
|
cb9d8a |
|
|
|
cb9d8a |
/* fill up the WBMP structure */
|
|
|
cb9d8a |
@@ -126,9 +133,16 @@ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
|
|
|
cb9d8a |
|
|
|
cb9d8a |
/* write the WBMP to a gd file descriptor */
|
|
|
cb9d8a |
if (writewbmp (wbmp, &gd_putout, out))
|
|
|
cb9d8a |
+ {
|
|
|
cb9d8a |
fprintf (stderr, "Could not save WBMP\n");
|
|
|
cb9d8a |
+ freewbmp (wbmp);
|
|
|
cb9d8a |
+ return 1;
|
|
|
cb9d8a |
+ }
|
|
|
cb9d8a |
+
|
|
|
cb9d8a |
/* des submitted this bugfix: gdFree the memory. */
|
|
|
cb9d8a |
freewbmp (wbmp);
|
|
|
cb9d8a |
+
|
|
|
cb9d8a |
+ return 0;
|
|
|
cb9d8a |
}
|
|
|
cb9d8a |
|
|
|
cb9d8a |
|
|
|
cb9d8a |
@@ -214,8 +228,12 @@ gdImageWBMPPtr (gdImagePtr im, int *size, int fg)
|
|
|
cb9d8a |
{
|
|
|
cb9d8a |
void *rv;
|
|
|
cb9d8a |
gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
|
|
|
cb9d8a |
- gdImageWBMPCtx (im, fg, out);
|
|
|
cb9d8a |
- rv = gdDPExtractData (out, size);
|
|
|
cb9d8a |
+ if (out == NULL) return NULL;
|
|
|
cb9d8a |
+ if (!_gdImageWBMPCtx(im, fg, out)) {
|
|
|
cb9d8a |
+ rv = gdDPExtractData(out, size);
|
|
|
cb9d8a |
+ } else {
|
|
|
cb9d8a |
+ rv = NULL;
|
|
|
cb9d8a |
+ }
|
|
|
cb9d8a |
out->free (out);
|
|
|
cb9d8a |
return rv;
|
|
|
cb9d8a |
}
|
|
|
cb9d8a |
--
|
|
|
cb9d8a |
2.20.1
|
|
|
cb9d8a |
|