pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/graphics/gd Upstream patch for overflow in gif parser ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/76ed60eced2e
branches:  trunk
changeset: 649910:76ed60eced2e
user:      tnn <tnn%pkgsrc.org@localhost>
date:      Sun Apr 12 15:09:32 2015 +0000

description:
Upstream patch for overflow in gif parser (CVE-2014-9709)

diffstat:

 graphics/gd/Makefile                        |   4 +-
 graphics/gd/distinfo                        |   3 +-
 graphics/gd/patches/patch-src_gd__gif__in.c |  45 +++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 3 deletions(-)

diffs (77 lines):

diff -r fe79c263ec2f -r 76ed60eced2e graphics/gd/Makefile
--- a/graphics/gd/Makefile      Sun Apr 12 14:51:50 2015 +0000
+++ b/graphics/gd/Makefile      Sun Apr 12 15:09:32 2015 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.102 2014/12/09 11:42:10 wiz Exp $
+# $NetBSD: Makefile,v 1.103 2015/04/12 15:09:32 tnn Exp $
 
 DISTNAME=      libgd-2.1.0
 PKGNAME=       ${DISTNAME:S/libgd/gd/}
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    graphics
 MASTER_SITES=  http://cdn.bitbucket.org/libgd/gd-libgd/downloads/
 EXTRACT_SUFX=  .tar.xz
diff -r fe79c263ec2f -r 76ed60eced2e graphics/gd/distinfo
--- a/graphics/gd/distinfo      Sun Apr 12 14:51:50 2015 +0000
+++ b/graphics/gd/distinfo      Sun Apr 12 15:09:32 2015 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.35 2013/11/11 21:34:40 dholland Exp $
+$NetBSD: distinfo,v 1.36 2015/04/12 15:09:32 tnn Exp $
 
 SHA1 (libgd-2.1.0.tar.xz) = 66c56fc07246b66ba649c83e996fd2085ea2f9e2
 RMD160 (libgd-2.1.0.tar.xz) = 3fcdf88e1ca653ffd40ddba607dbc317ca87bf63
@@ -6,3 +6,4 @@
 SHA1 (patch-aa) = 00198349dd9cff60f1f5738524096a251057eb16
 SHA1 (patch-ab) = 300ffacf47d7421fc9efb7b3fd9e93f011de1b4b
 SHA1 (patch-src_gd__bmp.c) = 4db300a26cebae6fb6f14564c5648608d7ed6cc5
+SHA1 (patch-src_gd__gif__in.c) = 4c18302fa45b482b28f5b618681354690eaa9b2d
diff -r fe79c263ec2f -r 76ed60eced2e graphics/gd/patches/patch-src_gd__gif__in.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/gd/patches/patch-src_gd__gif__in.c       Sun Apr 12 15:09:32 2015 +0000
@@ -0,0 +1,45 @@
+$NetBSD: patch-src_gd__gif__in.c,v 1.1 2015/04/12 15:09:33 tnn Exp $
+
+CVE-2014-9709
+https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43/raw/
+
+From 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 Mon Sep 17 00:00:00 2001
+From: Remi Collet <fedora%famillecollet.com@localhost>
+Date: Sat, 13 Dec 2014 08:48:18 +0100
+Subject: [PATCH] Fix possible buffer read overflow detected by
+ -fsanitize=address, thanks to Jan Bee
+
+---
+ src/gd_gif_in.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index b3b4ca3..13a663c 100644
+--- src/gd_gif_in.c
++++ src/gd_gif_in.c
+@@ -75,8 +75,10 @@ static struct {
+ 
+ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+ 
++#define CSD_BUF_SIZE 280
++
+ typedef struct {
+-      unsigned char buf[280];
++      unsigned char buf[CSD_BUF_SIZE];
+       int curbit;
+       int lastbit;
+       int done;
+@@ -468,7 +470,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
+ 
+       ret = 0;
+       for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
+-              ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
++              if (i < CSD_BUF_SIZE * 8) {
++                      ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
++              } else {
++                      ret = -1;
++                      break;
++              }
+       }
+ 
+       scd->curbit += code_size;
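Review bot: The error branch added in the GetCode_ loop sets `ret = -1` and breaks, but control then reaches the unchanged `scd->curbit += code_size;`, so the bit cursor keeps advancing after a rejected read; a direct `return -1;` in the else branch would leave the decoder state untouched, provided nothing later in the function has to run. The guard is also one-sided: `scd->curbit` is declared `int` in the struct above, so `if (i >= 0 && i < CSD_BUF_SIZE * 8) {` would cover both ends unless code outside this hunk already rules out a negative cursor. The check bounds `i` by the buffer's capacity rather than by `lastbit`, so whether stale bytes inside `buf` can still be decoded depends on checks not visible here, which is worth a comment such as `/* bounds by capacity only; valid-data limit is enforced via lastbit above */` if that holds. GetCode_ begins before and continues past the hunk, and its callers need to treat -1 as a decode failure.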


