rpms / libwmf

Clone
Source Code
GIT

Blame SOURCES/0001-merge-in-fixes-for-libgd-CVE-2019-6978.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c8-containeronly-stream-flatpak c8s c9 c9-beta c9s-sig-cloud-openstack-xena
  1.   d985984a04d39b188566488dcab84be48d6723be
  2.   SOURCES
  3.   0001-merge-in-fixes-for-libgd-CVE-2019-6978.patch
Blob History Raw
d98598 
From f58c813f8afcd08acdd630f378cff1a5009655cc Mon Sep 17 00:00:00 2001
d98598 
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
d98598 
Date: Thu, 31 Jan 2019 16:02:19 +0000
d98598 
Subject: [PATCH] merge in fixes for libgd CVE-2019-6978
d98598
d98598 
---
d98598 
 README                 |  5 +++++
d98598 
 configure.ac           |  2 +-
d98598 
 src/extra/gd/gd_jpeg.c | 21 +++++++++++++++++----
d98598 
 src/extra/gd/gd_wbmp.c | 24 ++++++++++++++++++++++--
d98598 
 4 files changed, 45 insertions(+), 7 deletions(-)
d98598
d98598 
diff --git a/src/extra/gd/gd_jpeg.c b/src/extra/gd/gd_jpeg.c
d98598 
index 7e6dfbb..b270186 100644
d98598 
--- a/src/extra/gd/gd_jpeg.c
d98598 
+++ b/src/extra/gd/gd_jpeg.c
d98598 
@@ -72,6 +72,8 @@ fatal_jpeg_error (j_common_ptr cinfo)
d98598 
   exit (99);
d98598 
 }
d98598
d98598 
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
d98598 
+
d98598 
 /*
d98598 
  * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
d98598 
  * QUALITY.  If QUALITY is in the range 0-100, increasing values
d98598 
@@ -93,8 +95,12 @@ gdImageJpegPtr (gdImagePtr im, int *size, int quality)
d98598 
 {
d98598 
   void *rv;
d98598 
   gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
d98598 
-  gdImageJpegCtx (im, out, quality);
d98598 
-  rv = gdDPExtractData (out, size);
d98598 
+  if (out == NULL) return NULL;
d98598 
+  if (!_gdImageJpegCtx(im, out, quality)) {
d98598 
+    rv = gdDPExtractData(out, size);
d98598 
+  } else {
d98598 
+    rv = NULL;
d98598 
+  }
d98598 
   out->free (out);
d98598 
   return rv;
d98598 
 }
d98598 
@@ -103,6 +109,12 @@ static void jpeg_gdIOCtx_dest (j_compress_ptr cinfo, gdIOCtx * outfile);
d98598
d98598 
 void
d98598 
 gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
d98598 
+{
d98598 
+  _gdImageJpegCtx(im, outfile, quality);
d98598 
+}
d98598 
+
d98598 
+/* returns 0 on success, 1 on failure */
d98598 
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
d98598 
 {
d98598 
   struct jpeg_compress_struct cinfo;
d98598 
   struct jpeg_error_mgr jerr;
d98598 
@@ -139,7 +151,7 @@ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
d98598 
       /* we're here courtesy of longjmp */
d98598 
       if (row)
d98598 
 	gdFree (row);
d98598 
-      return;
d98598 
+      return 1;
d98598 
     }
d98598
d98598 
   cinfo.err->error_exit = fatal_jpeg_error;
d98598 
@@ -173,7 +185,7 @@ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
d98598 
       fprintf (stderr, "gd-jpeg: error: unable to allocate JPEG row "
d98598 
 	       "structure: gdCalloc returns NULL\n");
d98598 
       jpeg_destroy_compress (&cinfo);
d98598 
-      return;
d98598 
+      return 1;
d98598 
     }
d98598
d98598 
   rowptr[0] = row;
d98598 
@@ -254,6 +266,7 @@ error:
d98598 
 #endif
d98598 
   jpeg_destroy_compress (&cinfo);
d98598 
   gdFree (row);
d98598 
+  return 0;
d98598 
 }
d98598
d98598 
 gdImagePtr
d98598 
diff --git a/src/extra/gd/gd_wbmp.c b/src/extra/gd/gd_wbmp.c
d98598 
index f1258da..4b27043 100644
d98598 
--- a/src/extra/gd/gd_wbmp.c
d98598 
+++ b/src/extra/gd/gd_wbmp.c
d98598 
@@ -85,6 +85,7 @@ gd_getin (void *in)
d98598 
   return (gdGetC ((gdIOCtx *) in));
d98598 
 }
d98598
d98598 
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
d98598
d98598 
 /*      gdImageWBMPCtx
d98598 
    **  --------------
d98598 
@@ -97,6 +98,12 @@ gd_getin (void *in)
d98598 
  */
d98598 
 void
d98598 
 gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
d98598 
+{
d98598 
+  _gdImageWBMPCtx(image, fg, out);
d98598 
+}
d98598 
+
d98598 
+/* returns 0 on success, 1 on failure */
d98598 
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
d98598 
 {
d98598
d98598 
   int x, y, pos;
d98598 
@@ -105,7 +112,10 @@ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
d98598
d98598 
   /* create the WBMP */
d98598 
   if ((wbmp = createwbmp (gdImageSX (image), gdImageSY (image), WBMP_WHITE)) == NULL)
d98598 
+    {
d98598 
     fprintf (stderr, "Could not create WBMP\n");
d98598 
+    return 1;
d98598 
+    }
d98598
d98598 
   /* fill up the WBMP structure */
d98598 
   pos = 0;
d98598 
@@ -123,9 +133,16 @@ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out)
d98598
d98598 
   /* write the WBMP to a gd file descriptor */
d98598 
   if (writewbmp (wbmp, &gd_putout, out))
d98598 
+  {
d98598 
     fprintf (stderr, "Could not save WBMP\n");
d98598 
+    freewbmp (wbmp);
d98598 
+    return 1;
d98598 
+  }
d98598 
+
d98598 
   /* des submitted this bugfix: gdFree the memory. */
d98598 
   freewbmp (wbmp);
d98598 
+
d98598 
+  return 0;
d98598 
 }
d98598
d98598
d98598 
@@ -211,8 +228,12 @@ gdImageWBMPPtr (gdImagePtr im, int *size, int fg)
d98598 
 {
d98598 
   void *rv;
d98598 
   gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
d98598 
-  gdImageWBMPCtx (im, fg, out);
d98598 
-  rv = gdDPExtractData (out, size);
d98598 
+  if (out == NULL) return NULL;
d98598 
+  if (!_gdImageWBMPCtx(im, fg, out)) {
d98598 
+    rv = gdDPExtractData(out, size);
d98598 
+  } else {
d98598 
+    rv = NULL;
d98598 
+  }
d98598 
   out->free (out);
d98598 
   return rv;
d98598 
 }
d98598 
--
d98598 
2.20.1
d98598

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation