main/gd: modernize and add security patches

CVE-2018-5711, CVE-2019-6977, CVE-2019-6978

Fixes #10087

5 files changed, 310 insertions, 46 deletions

diff --git a/main/gd/APKBUILD b/main/gd/APKBUILD
index c76b3d2fcf..dd79ac03d5 100644
--- a/main/gd/APKBUILD
+++ b/main/gd/APKBUILD
@@ -2,23 +2,31 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=gd
 pkgver=2.2.5
-pkgrel=1
+pkgrel=2
 _pkgreal=lib$pkgname
 pkgdesc="Library for the dynamic creation of images by programmers"
-url="http://libgd.github.io/"
+url="https://libgd.github.io/"
 arch="all"
 license="custom"
 depends=
 makedepends="bash libpng-dev libjpeg-turbo-dev libwebp-dev freetype-dev zlib-dev"
 subpackages="$pkgname-dev $_pkgreal:libs"
 source="https://github.com/$_pkgreal/$_pkgreal/releases/download/$pkgname-$pkgver/$_pkgreal-$pkgver.tar.xz
-	CVE-2016-7568.patch
 	CVE-2018-1000222.patch
+	CVE-2018-5711.patch
+	CVE-2019-6977.patch
+	CVE-2019-6978.patch
 	"
 builddir="$srcdir/$_pkgreal-$pkgver"
-options="!check"
+case "$CARCH" in
+	aarch64|x86) options="!check" ;; # https://github.com/libgd/libgd/issues/359
+esac
 
 # secfixes:
+#   2.2.5-r2:
+#   - CVE-2018-5711
+#   - CVE-2019-6977
+#   - CVE-2019-6978
 #   2.2.5-r1:
 #   - CVE-2018-1000222
 #   2.2.5-r0:
@@ -35,26 +43,28 @@ build() {
 		--mandir=/usr/share/man \
 		--infodir=/usr/share/info \
 		--without-fontconfig \
-		--disable-werror \
-		|| return 1
-	make || return 1
+		--disable-werror
+	make
 }
 
 check() {
-	make -C "$builddir" check
-	return 0
+	cd "$builddir"
+	make check
 }
 
 package() {
-	make -C "$builddir" DESTDIR="$pkgdir" install || return 1
+	cd "$builddir"
+	DESTDIR="$pkgdir" make install
 }
 
 dev() {
-       default_dev || return 1
+       default_dev
        depends="$pkgname perl"
        mv "$pkgdir"/usr/bin/bdftogd "$subpkgdir"/usr/bin
 }
 
 sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b  libgd-2.2.5.tar.xz
-8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716  CVE-2016-7568.patch
-d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b  CVE-2018-1000222.patch"
+d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b  CVE-2018-1000222.patch
+b23929f10ad75fa97d2ff797ef44d185cfe6de4f26b649e8e507b6fc41ebdb527ab4633d10df955c92d677428d9ed1707d9997954a1bcfb0070995191211d886  CVE-2018-5711.patch
+5214ac4148c618f3fef3bb3b6675e41a76e31465cd8dac326ee99dc1ae4cfe760749997d2941743efa48e79b8dbdb536d6b6d79d9bc4e5363f2c50da52ab5cac  CVE-2019-6977.patch
+2f70f041b531a23d0bac5c5370a3fb135ca8facaa7baf1554baf35135cc9c6e21de9c09400d939e133ad090b9aa23fa901ea7b5cd9ea20d11edc38257601eb97  CVE-2019-6978.patch"
diff --git a/main/gd/CVE-2016-7568.patch b/main/gd/CVE-2016-7568.patch
deleted file mode 100644
index 56156411e3..0000000000
--- a/main/gd/CVE-2016-7568.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
-From: trylab <trylab@users.noreply.github.com>
-Date: Tue, 6 Sep 2016 18:35:32 +0800
-Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
-
-Integer overflow can be happened in expression gdImageSX(im) * 4 *
-gdImageSY(im). It could lead to heap buffer overflow in the following
-code. This issue has been reported to the PHP Bug Tracking System. The
-proof-of-concept file will be supplied some days later. This issue was
-discovered by Ke Liu of Tencent's Xuanwu LAB.
----
- src/gd_webp.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/gd_webp.c b/src/gd_webp.c
-index 8eb4dee..9886399 100644
---- a/src/gd_webp.c
-+++ b/src/gd_webp.c
-@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
- 		quality = 80;
- 	}
- 
-+	if (overflow2(gdImageSX(im), 4)) {
-+		return;
-+	}
-+
-+	if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
-+		return;
-+	}
-+
- 	argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
- 	if (!argb) {
- 		return;
diff --git a/main/gd/CVE-2018-5711.patch b/main/gd/CVE-2018-5711.patch
new file mode 100644
index 0000000000..a90689a321
--- /dev/null
+++ b/main/gd/CVE-2018-5711.patch
@@ -0,0 +1,53 @@
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+origin: https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-5711
+Bug-Debian: https://bugs.debian.org/887485
+Bug: https://github.com/libgd/libgd/issues/420
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop.  Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ terminated:
+ 		return 0;
+ 	}
+ 
+-	if(!im->colorsTotal) {
+-		gdImageDestroy(im);
+-		return 0;
+-	}
+-
+ 	/* Check for open colors at the end, so
+ 	 * we can reduce colorsTotal and ultimately
+ 	 * BitsPerPixel */
+@@ -351,6 +346,11 @@ terminated:
+ 		}
+ 	}
+ 
++	if(!im->colorsTotal) {
++		gdImageDestroy(im);
++		return 0;
++	}
++
+ 	return im;
+ }
+ 
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ 	int i, j, ret;
+-	unsigned char count;
++	int count;
+ 
+ 	if(flag) {
+ 		scd->curbit = 0;
diff --git a/main/gd/CVE-2019-6977.patch b/main/gd/CVE-2019-6977.patch
new file mode 100644
index 0000000000..0b67a596c6
--- /dev/null
+++ b/main/gd/CVE-2019-6977.patch
@@ -0,0 +1,28 @@
+Description: Heap-based buffer overflow in gdImageColorMatch
+Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
+Bug-PHP: https://bugs.php.net/bug.php?id=77270
+Bug-Debian: https://bugs.debian.org/920645
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
+Forwarded: no
+Author: "Christoph M. Becker" <cmbecker69@gmx.de>
+Last-Update: 2019-02-01
+
+At least some of the image reading functions may return images which
+use color indexes greater than or equal to im->colorsTotal.  We cater
+to this by always using a buffer size which is sufficient for
+`gdMaxColors` in `gdImageColorMatch()`.
+---
+
+--- a/src/gd_color_match.c
++++ b/src/gd_color_match.c
+@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
+ 		return -4; /* At least 1 color must be allocated */
+ 	}
+ 
+-	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
+-	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
++	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
++	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
+ 
+ 	for (x=0; x < im1->sx; x++) {
+ 		for( y=0; y<im1->sy; y++ ) {
diff --git a/main/gd/CVE-2019-6978.patch b/main/gd/CVE-2019-6978.patch
new file mode 100644
index 0000000000..65e61445ce
--- /dev/null
+++ b/main/gd/CVE-2019-6978.patch
@@ -0,0 +1,206 @@
+From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 17 Jan 2019 11:54:55 +0100
+Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
+
+Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
+must not call `gdDPExtractData()`; otherwise a double-free would
+happen.  Since `gdImage*Ctx()` are void functions, and we can't change
+that for BC reasons, we're introducing static helpers which are used
+internally.
+
+We're adding a regression test for `gdImageJpegPtr()`, but not for
+`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
+trigger failure of the respective `gdImage*Ctx()` calls.
+
+This potential security issue has been reported by Solmaz Salimi (aka.
+Rooney).
+
+diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
+index 298a5812..d5a95346 100644
+--- a/src/gd_gif_out.c
++++ b/src/gd_gif_out.c
+@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
+ static void char_out(int c, GifCtx *ctx);
+ static void flush_char(GifCtx *ctx);
+ 
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
+ 
+ 
+ 
+@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageGifCtx(im, out);
+-	rv = gdDPExtractData(out, size);
++	if (!_gdImageGifCtx(im, out)) {
++		rv = gdDPExtractData(out, size);
++	} else {
++		rv = NULL;
++	}
+ 	out->gd_free(out);
+ 	return rv;
+ }
+@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
+ 
+ */
+ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
++{
++	_gdImageGifCtx(im, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ {
+ 	gdImagePtr pim = 0, tim = im;
+ 	int interlace, BitsPerPixel;
+@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ 		based temporary image. */
+ 		pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
+ 		if(!pim) {
+-			return;
++			return 1;
+ 		}
+ 		tim = pim;
+ 	}
+@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ 		/* Destroy palette based temporary image. */
+ 		gdImageDestroy(	pim);
+ 	}
++
++	return 0;
+ }
+ 
+ 
+diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
+index fc058420..96ef4302 100644
+--- a/src/gd_jpeg.c
++++ b/src/gd_jpeg.c
+@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
+ 	exit(99);
+ }
+ 
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
++
+ /*
+  * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
+  * QUALITY.  If QUALITY is in the range 0-100, increasing values
+@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageJpegCtx(im, out, quality);
+-	rv = gdDPExtractData(out, size);
++	if (!_gdImageJpegCtx(im, out, quality)) {
++		rv = gdDPExtractData(out, size);
++	} else {
++		rv = NULL;
++	}
+ 	out->gd_free(out);
+ 	return rv;
+ }
+@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
+ 
+ */
+ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
++{
++	_gdImageJpegCtx(im, outfile, quality);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ {
+ 	struct jpeg_compress_struct cinfo;
+ 	struct jpeg_error_mgr jerr;
+@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ 		if(row) {
+ 			gdFree(row);
+ 		}
+-		return;
++		return 1;
+ 	}
+ 
+ 	cinfo.err->emit_message = jpeg_emit_message;
+@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ 	if(row == 0) {
+ 		gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
+ 		jpeg_destroy_compress(&cinfo);
+-		return;
++		return 1;
+ 	}
+ 
+ 	rowptr[0] = row;
+@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ 	jpeg_finish_compress(&cinfo);
+ 	jpeg_destroy_compress(&cinfo);
+ 	gdFree(row);
++	return 0;
+ }
+ 
+ 
+diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
+index f19a1c96..a49bdbec 100644
+--- a/src/gd_wbmp.c
++++ b/src/gd_wbmp.c
+@@ -88,6 +88,8 @@ int gd_getin(void *in)
+ 	return (gdGetC((gdIOCtx *)in));
+ }
+ 
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
++
+ /*
+ 	Function: gdImageWBMPCtx
+ 
+@@ -100,6 +102,12 @@ int gd_getin(void *in)
+ 		out   - the stream where to write
+ */
+ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
++{
++	_gdImageWBMPCtx(image, fg, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ {
+ 	int x, y, pos;
+ 	Wbmp *wbmp;
+@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ 	/* create the WBMP */
+ 	if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
+ 		gd_error("Could not create WBMP\n");
+-		return;
++		return 1;
+ 	}
+ 
+ 	/* fill up the WBMP structure */
+@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ 
+ 	/* write the WBMP to a gd file descriptor */
+ 	if(writewbmp(wbmp, &gd_putout, out)) {
++		freewbmp(wbmp);
+ 		gd_error("Could not save WBMP\n");
++		return 1;
+ 	}
+ 
+ 	/* des submitted this bugfix: gdFree the memory. */
+ 	freewbmp(wbmp);
++
++	return 0;
+ }
+ 
+ /*
+@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageWBMPCtx(im, fg, out);
+-	rv = gdDPExtractData(out, size);
++	if (!_gdImageWBMPCtx(im, fg, out)) {
++		rv = gdDPExtractData(out, size);
++	} else {
++		rv = NULL;
++	}
+ 	out->gd_free(out);
+ 	return rv;
+ }