pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc Add security fix for CVE-2007-1001 to "php4-gd" and "p...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/b20954062997
branches:  trunk
changeset: 528518:b20954062997
user:      tron <tron%pkgsrc.org@localhost>
date:      Sun May 06 13:08:33 2007 +0000

description:
Add security fix for CVE-2007-1001 to "php4-gd" and "php5-gd" packages.
Bump package revision.

diffstat:

 graphics/php-gd/Makefile   |   3 ++-
 lang/php5/distinfo         |   3 ++-
 lang/php5/patches/patch-ac |  40 ++++++++++++++++++++++++++++++++++++++++
 www/php4/distinfo          |   3 ++-
 www/php4/patches/patch-ae  |  38 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 84 insertions(+), 3 deletions(-)

diffs (131 lines):

diff -r 9462090f8fd5 -r b20954062997 graphics/php-gd/Makefile
--- a/graphics/php-gd/Makefile  Sun May 06 13:01:36 2007 +0000
+++ b/graphics/php-gd/Makefile  Sun May 06 13:08:33 2007 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.15 2007/02/20 20:46:20 jdolecek Exp $
+# $NetBSD: Makefile,v 1.16 2007/05/06 13:08:33 tron Exp $
 
 MODNAME=               gd
+PKGREVISION=           1
 CATEGORIES+=           graphics
 COMMENT=               PHP extension for GD graphics library
 
diff -r 9462090f8fd5 -r b20954062997 lang/php5/distinfo
--- a/lang/php5/distinfo        Sun May 06 13:01:36 2007 +0000
+++ b/lang/php5/distinfo        Sun May 06 13:08:33 2007 +0000
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.38 2007/04/29 12:30:18 taca Exp $
+$NetBSD: distinfo,v 1.39 2007/05/06 13:08:33 tron Exp $
 
 SHA1 (php-5.2.1/php-5.2.1.tar.bz2) = 978ce7cde3d988d9aa672e32e46f815a8b25baa0
 RMD160 (php-5.2.1/php-5.2.1.tar.bz2) = f75078e0e43cb9c64e6d0a8d51a2ebd23cc9131d
 Size (php-5.2.1/php-5.2.1.tar.bz2) = 7163383 bytes
 SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
 SHA1 (patch-ab) = e4131ba531bc7afdf478802dac33a47fa2f87b88
+SHA1 (patch-ac) = 0e260cfdbc247f2960f73af79324529efadcb25f
 SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
 SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587
 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
diff -r 9462090f8fd5 -r b20954062997 lang/php5/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lang/php5/patches/patch-ac        Sun May 06 13:08:33 2007 +0000
@@ -0,0 +1,40 @@
+$NetBSD: patch-ac,v 1.4 2007/05/06 13:08:33 tron Exp $
+
+Patch for CVE-2007-1001, taken from here:
+
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.5&r2=1.5.6.1&view=patch
+
+--- ext/gd/libgd/wbmp.c.orig   2003-12-31 01:01:44.000000000 +0000
++++ ext/gd/libgd/wbmp.c        2007-05-06 13:41:13.000000000 +0100
+@@ -116,6 +116,15 @@
+   if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
+     return (NULL);
+ 
++  if (overflow2(sizeof (int), width)) {
++    gdFree(wbmp);
++    return NULL;
++  }
++  if (overflow2(sizeof (int) * width, height)) {
++    gdFree(wbmp);
++    return NULL;
++  }
++
+   if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
+     {
+       gdFree (wbmp);
+@@ -176,7 +185,14 @@
+   printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
+ #endif
+ 
+-  if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
++  if (overflow2(sizeof (int), wbmp->width) ||
++    overflow2(sizeof (int) * wbmp->width, wbmp->height))
++    {
++      gdFree(wbmp);
++      return (-1);
++    }
++
++  if ((wbmp->bitmap = (int *) safe_emalloc((size_t)wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
+     {
+       gdFree (wbmp);
+       return (-1);
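Review bot: In the first inner hunk (the allocation that follows the two new `overflow2` guards), the size is still computed as `width * height` in plain int, while the second inner hunk of this same patch switches to `(size_t)wbmp->width * wbmp->height`; www/php4/patches/patch-ae leaves both allocations uncast. The guards appear to bound the product, but only if `overflow2` also rejects negative arguments, and its definition is not visible here, so that is worth confirming against the bundled libgd. For consistency I would write the first allocation as `safe_emalloc(sizeof(int), (size_t)width * height, 0)` and put `/* CVE-2007-1001: reject dimensions whose bitmap byte size overflows int */` above each guard. Both patched functions begin and end outside the hunks.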
diff -r 9462090f8fd5 -r b20954062997 www/php4/distinfo
--- a/www/php4/distinfo Sun May 06 13:01:36 2007 +0000
+++ b/www/php4/distinfo Sun May 06 13:08:33 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.63 2007/05/05 21:35:05 adrianp Exp $
+$NetBSD: distinfo,v 1.64 2007/05/06 13:08:34 tron Exp $
 
 SHA1 (php-4.4.6.tar.bz2) = e9c11ae084e2d505568d672afd06d4e6fc431621
 RMD160 (php-4.4.6.tar.bz2) = 16a81ee94d1f8f56adf3e76dde32c62597130674
@@ -7,6 +7,7 @@
 SHA1 (patch-ab) = 38a4bcd0d65b26c5d8e54e22b552f60831188469
 SHA1 (patch-ac) = 28288b1e79c14fb2b40eaefed0d6d2bff4775607
 SHA1 (patch-ad) = 9ca5d2f59bfeea77a98cd0e727546d11669114cd
+SHA1 (patch-ae) = 2a5989d3eb144a1c238703d388055d0f47624e1a
 SHA1 (patch-ag) = 1ded1d7f4daac6806f41864c783f16d3403315e4
 SHA1 (patch-ah) = 0ac37bd35c4594cb58f1ea85ef811154b644a931
 SHA1 (patch-ai) = 0b9c1c9fb75a64026f2fb3cbd44cc19e0a1f186c
diff -r 9462090f8fd5 -r b20954062997 www/php4/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/php4/patches/patch-ae Sun May 06 13:08:33 2007 +0000
@@ -0,0 +1,38 @@
+$NetBSD: patch-ae,v 1.7 2007/05/06 13:08:34 tron Exp $
+
+Patch for CVE-2007-1001, taken from here:
+
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.2.4.1&r2=1.2.4.1.8.1&view=patch
+
+--- ext/gd/libgd/wbmp.c.orig   2003-04-25 01:59:03.000000000 +0100
++++ ext/gd/libgd/wbmp.c        2007-05-06 13:47:23.000000000 +0100
+@@ -116,6 +116,15 @@
+   if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
+     return (NULL);
+ 
++  if (overflow2(sizeof (int), width)) {
++    gdFree(wbmp);
++    return NULL;
++  }
++  if (overflow2(sizeof (int) * width, height)) {
++    gdFree(wbmp);
++    return NULL;
++  }
++
+   if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), (width * height), 0)) == NULL)
+     {
+       gdFree (wbmp);
+@@ -176,6 +185,13 @@
+   printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
+ #endif
+ 
++  if (overflow2(sizeof (int), wbmp->width) ||
++    overflow2(sizeof (int) * wbmp->width, wbmp->height))
++    {
++      gdFree(wbmp);
++      return (-1);
++    }
++
+   if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), (wbmp->width * wbmp->height), 0)) == NULL)
+     {
+       gdFree (wbmp);


