pkgsrc-Changes archive

CVS commit: [pkgsrc-2016Q3] pkgsrc/graphics/gd



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Thu Oct  6 18:25:40 UTC 2016

Modified Files:
        pkgsrc/graphics/gd [pkgsrc-2016Q3]: Makefile distinfo
Added Files:
        pkgsrc/graphics/gd/patches [pkgsrc-2016Q3]: patch-src_gd__webp.c

Log Message:
Pullup ticket #5124 - requested by taca
graphics/gc: security fix

Revisions pulled up:
- graphics/gd/Makefile                                          1.112
- graphics/gd/distinfo                                          1.42
- graphics/gd/patches/patch-src_gd__webp.c                      1.1

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Wed Oct  5 03:10:31 UTC 2016

   Modified Files:
        pkgsrc/graphics/gd: Makefile distinfo
   Added Files:
        pkgsrc/graphics/gd/patches: patch-src_gd__webp.c

   Log Message:
   Add fix for CVE-2016-7568.

   Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.111 -r1.111.2.1 pkgsrc/graphics/gd/Makefile
cvs rdiff -u -r1.41 -r1.41.2.1 pkgsrc/graphics/gd/distinfo
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/graphics/gd/patches/patch-src_gd__webp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/gd/Makefile
diff -u pkgsrc/graphics/gd/Makefile:1.111 pkgsrc/graphics/gd/Makefile:1.111.2.1
--- pkgsrc/graphics/gd/Makefile:1.111   Tue Aug  2 18:29:21 2016
+++ pkgsrc/graphics/gd/Makefile Thu Oct  6 18:25:40 2016
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.111 2016/08/02 18:29:21 adam Exp $
+# $NetBSD: Makefile,v 1.111.2.1 2016/10/06 18:25:40 bsiegert Exp $
 
 DISTNAME=      libgd-2.2.3
+PKGREVISION=   1
 PKGNAME=       ${DISTNAME:S/libgd/gd/}
 CATEGORIES=    graphics
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libgd/}

Index: pkgsrc/graphics/gd/distinfo
diff -u pkgsrc/graphics/gd/distinfo:1.41 pkgsrc/graphics/gd/distinfo:1.41.2.1
--- pkgsrc/graphics/gd/distinfo:1.41    Tue Aug  2 18:29:21 2016
+++ pkgsrc/graphics/gd/distinfo Thu Oct  6 18:25:40 2016
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.41 2016/08/02 18:29:21 adam Exp $
+$NetBSD: distinfo,v 1.41.2.1 2016/10/06 18:25:40 bsiegert Exp $
 
 SHA1 (libgd-2.2.3.tar.xz) = 2f8cebec5afd6c83a3d5cb92f40ea4926b4daa98
 RMD160 (libgd-2.2.3.tar.xz) = e6c29133c2ea33c8ba16571892d2798ef0f5afea
 SHA512 (libgd-2.2.3.tar.xz) = bdc6d086bc054beda6574ec46baa4cd94048a5f2f357f875ba05983e92d247f1b731434b9e438c6aef09d46fa96f1a7e1f330a25a77ffd2dd78aa8a32d652557
 Size (libgd-2.2.3.tar.xz) = 2164152 bytes
+SHA1 (patch-src_gd__webp.c) = 55c5929007ffe0d9ab23b7fed9abf373bc188de8

Added files:

Index: pkgsrc/graphics/gd/patches/patch-src_gd__webp.c
diff -u /dev/null pkgsrc/graphics/gd/patches/patch-src_gd__webp.c:1.1.2.2
--- /dev/null   Thu Oct  6 18:25:40 2016
+++ pkgsrc/graphics/gd/patches/patch-src_gd__webp.c     Thu Oct  6 18:25:40 2016
@@ -0,0 +1,21 @@
+$NetBSD: patch-src_gd__webp.c,v 1.1.2.2 2016/10/06 18:25:40 bsiegert Exp $
+
+Fix for CVE-2016-7568.
+
+--- src/gd_webp.c.orig 2016-07-21 08:06:42.000000000 +0000
++++ src/gd_webp.c
+@@ -126,6 +126,14 @@ void gdImageWebpCtx (gdImagePtr im, gdIO
+               quantization = 80;
+       }
+ 
++      if (overflow2(gdImageSX(im), 4)) {
++              return;
++      }
++
++      if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
++              return;
++      }
++
+       argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
+       if (!argb) {
+               return;
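
Review bot: The two early `return;` paths added ahead of the `gdMalloc` call in gdImageWebpCtx give the caller no status, because the function is void, so an image rejected by `overflow2` cannot be told apart from a completed encode at this level. The existing `if (!argb)` path below behaves the same way. If `overflow2` does not itself log, a diagnostic at these two points would help whoever has to trace why no WebP output was produced. The order of the checks should also be kept as is: the second check computes `gdImageSX(im) * 4` in plain arithmetic and is only safe because the first check has already ruled out overflow of that product; a one-line comment saying so would protect it from later reordering. Finally, the patch comment "Fix for CVE-2016-7568." would be more useful to future maintainers if it stated that the defect is an integer overflow in the `gdImageSX(im) * 4 * gdImageSY(im)` allocation size and named the upstream change it was taken from.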


