main/gd: security fix for CVE-2016-7568

fixes #6342
2026-05-05 12:26:52 +02:00 · 2016-10-21 13:08:24 +00:00 · 2016-10-21 13:08:24 +00:00 · e75858307e
commit e75858307e
parent ac6549fa39
2 changed files with 43 additions and 5 deletions
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@ -3,7 +3,7 @@
 pkgname=gd
 pkgver=2.2.3
 _myver=${pkgver/_rc/RC}
-pkgrel=0
+pkgrel=1
 pkgdesc="Library for the dynamic creation of images by programmers"
 url="http://libgd.github.io/"
 arch="all"
@ -11,7 +11,9 @@ license="custom"
 depends=
 makedepends="libpng-dev libjpeg-turbo-dev freetype-dev zlib-dev"
 subpackages="$pkgname-dev"
-source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz"
+source="https://github.com/libgd/libgd/releases/download/gd-$pkgver/libgd-$pkgver.tar.xz
+	CVE-2016-7568.patch
+	"

 builddir="$srcdir"/lib$pkgname-$_myver

@ -39,6 +41,9 @@ package() {
 	make DESTDIR="$pkgdir" install || return 1
 }

-md5sums="14e4134c129b4c166c3a0549a32ef340  libgd-2.2.3.tar.xz"
-sha256sums="746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c  libgd-2.2.3.tar.xz"
-sha512sums="bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557  libgd-2.2.3.tar.xz"
+md5sums="14e4134c129b4c166c3a0549a32ef340  libgd-2.2.3.tar.xz
+fca9871b791d6ac88af7d6d5ce8c59d1  CVE-2016-7568.patch"
+sha256sums="746b6cbd6769a22ff3ba6f5756f3512a769bd4cdf4695dff17f4867f25fa7d3c  libgd-2.2.3.tar.xz
+0b7b7ddfc5200220763efb47cc6b56a6275fd5af70e85a8c91c667344f664012  CVE-2016-7568.patch"
+sha512sums="bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557  libgd-2.2.3.tar.xz
+8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716  CVE-2016-7568.patch"
--- a/main/gd/CVE-2016-7568.patch
+++ b/main/gd/CVE-2016-7568.patch
@ -0,0 +1,33 @@
+From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
+From: trylab <trylab@users.noreply.github.com>
+Date: Tue, 6 Sep 2016 18:35:32 +0800
+Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
+
+Integer overflow can be happened in expression gdImageSX(im) * 4 *
+gdImageSY(im). It could lead to heap buffer overflow in the following
+code. This issue has been reported to the PHP Bug Tracking System. The
+proof-of-concept file will be supplied some days later. This issue was
+discovered by Ke Liu of Tencent's Xuanwu LAB.
+---
+ src/gd_webp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index 8eb4dee..9886399 100644
+--- a/src/gd_webp.c
+++ b/src/gd_webp.c
+@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ 		quality = 80;
+ 	}
+ 
+	if (overflow2(gdImageSX(im), 4)) {
+		return;
+	}
+
+	if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
+		return;
+	}
+
+ 	argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
+ 	if (!argb) {
+ 		return;