pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/graphics/gd Add fix for CVE-2016-6128 from upstream.
details: https://anonhg.NetBSD.org/pkgsrc/rev/4fd976dfb720
branches: trunk
changeset: 349108:4fd976dfb720
user: taca <taca%pkgsrc.org@localhost>
date: Thu Jun 30 09:00:18 2016 +0000
description:
Add fix for CVE-2016-6128 from upstream.
Bump PKGREVISION.
diffstat:
graphics/gd/Makefile | 4 ++--
graphics/gd/distinfo | 3 ++-
graphics/gd/patches/patch-src_gd__crop.c | 18 ++++++++++++++++++
3 files changed, 22 insertions(+), 3 deletions(-)
diffs (51 lines):
diff -r 4f0c843bb53d -r 4fd976dfb720 graphics/gd/Makefile
--- a/graphics/gd/Makefile Thu Jun 30 03:17:52 2016 +0000
+++ b/graphics/gd/Makefile Thu Jun 30 09:00:18 2016 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.108 2015/11/18 14:19:46 ryoon Exp $
+# $NetBSD: Makefile,v 1.109 2016/06/30 09:00:18 taca Exp $
DISTNAME= libgd-2.1.1
PKGNAME= ${DISTNAME:S/libgd/gd/}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= graphics
MASTER_SITES= https://bitbucket.org/libgd/gd-libgd/downloads/
EXTRACT_SUFX= .tar.xz
diff -r 4f0c843bb53d -r 4fd976dfb720 graphics/gd/distinfo
--- a/graphics/gd/distinfo Thu Jun 30 03:17:52 2016 +0000
+++ b/graphics/gd/distinfo Thu Jun 30 09:00:18 2016 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.39 2015/11/03 21:33:58 agc Exp $
+$NetBSD: distinfo,v 1.40 2016/06/30 09:00:18 taca Exp $
SHA1 (libgd-2.1.1.tar.xz) = 9038ed488b577d16aa8c32b6c10b4a70b10f7fa1
RMD160 (libgd-2.1.1.tar.xz) = 8d564caf9a953d344fb9a5e169d241510a2c71f1
@@ -9,4 +9,5 @@
SHA1 (patch-configure) = 53769c3daffa38c88d82093f59cb97b4bd38008f
SHA1 (patch-configure.ac) = 72092d5a0ee7944249286edc0d3505176f15303f
SHA1 (patch-src_gd__bmp.c) = 4db300a26cebae6fb6f14564c5648608d7ed6cc5
+SHA1 (patch-src_gd__crop.c) = 34c9716fe40e8f80cc126893dbafa0151bbf3b5a
SHA1 (patch-src_webpimg.c) = 2717cbcfdbbddfc8cd96de2d4f6a07a0485ba086
diff -r 4f0c843bb53d -r 4fd976dfb720 graphics/gd/patches/patch-src_gd__crop.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/gd/patches/patch-src_gd__crop.c Thu Jun 30 09:00:18 2016 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-src_gd__crop.c,v 1.1 2016/06/30 09:00:18 taca Exp $
+
+Fix for CVE-2016-6128 from
+https://github.com/libgd/libgd/commit/1ccfe21e14c4d18336f9da8515cd17db88c3de61.
+
+--- src/gd_crop.c.orig 2015-01-06 09:16:03.000000000 +0000
++++ src/gd_crop.c
+@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThres
+ return NULL;
+ }
+
++ if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
++ return NULL;
++ }
++
+ /* TODO: Add gdImageGetRowPtr and works with ptr at the row level
+ * for the true color and palette images
+ * new formats will simply work with ptr
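Review bot: The header of patch-src_gd__crop.c names only the CVE and the upstream commit, so the reason for the new guard in gdImageCropThreshold cannot be audited without following the link. A one-line summary there would help, for example that a negative color, or a palette index at or beyond gdImageColorsTotal(im), is now rejected. The upper bound is applied only when !gdImageTrueColor(im), so for truecolor images the guard filters color < 0 and nothing else; saying so in the header would make that read as intentional. The new path returns NULL in the same way as the existing early return directly above it, so callers that already check for NULL need no change.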