summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--user/libgd/APKBUILD51
-rw-r--r--user/libgd/CVE-2016-7568.patch33
2 files changed, 84 insertions, 0 deletions
diff --git a/user/libgd/APKBUILD b/user/libgd/APKBUILD
new file mode 100644
index 000000000..13f07cfe0
--- /dev/null
+++ b/user/libgd/APKBUILD
@@ -0,0 +1,51 @@
+# Contributor: Carlo Landmeter <clandmeter@gmail.com>
+# Maintainer:
+pkgname=libgd
+pkgver=2.2.5
+pkgrel=0
+pkgdesc="Library for dynamic image creation"
+url="http://libgd.github.io/"
+arch="all"
+options="!check" # Upstream bug 201 regression.
+license="MIT"
+depends=""
+makedepends="bash fontconfig-dev freetype-dev libjpeg-turbo-dev libpng-dev
+ libwebp-dev zlib-dev"
+subpackages="$pkgname-dev"
+replaces="gd"
+source="https://github.com/$pkgname/$pkgname/releases/download/gd-$pkgver/$pkgname-$pkgver.tar.xz
+ CVE-2016-7568.patch
+ "
+
+build() {
+ cd "$builddir"
+ ./configure \
+ --build=$CBUILD \
+ --host=$CHOST \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --disable-werror
+ make
+}
+
+check() {
+ cd "$builddir"
+ make check
+}
+
+package() {
+ cd "$builddir"
+ make DESTDIR="$pkgdir" install
+}
+
+dev() {
+ default_dev
+ depends="$pkgname perl"
+ replaces="gd-dev"
+ mv "$pkgdir"/usr/bin/bdftogd "$subpkgdir"/usr/bin
+}
+
+sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz
+8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch"
diff --git a/user/libgd/CVE-2016-7568.patch b/user/libgd/CVE-2016-7568.patch
new file mode 100644
index 000000000..56156411e
--- /dev/null
+++ b/user/libgd/CVE-2016-7568.patch
@@ -0,0 +1,33 @@
+From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001
+From: trylab <trylab@users.noreply.github.com>
+Date: Tue, 6 Sep 2016 18:35:32 +0800
+Subject: [PATCH] Fix integer overflow in gdImageWebpCtx
+
+Integer overflow can be happened in expression gdImageSX(im) * 4 *
+gdImageSY(im). It could lead to heap buffer overflow in the following
+code. This issue has been reported to the PHP Bug Tracking System. The
+proof-of-concept file will be supplied some days later. This issue was
+discovered by Ke Liu of Tencent's Xuanwu LAB.
+---
+ src/gd_webp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index 8eb4dee..9886399 100644
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ quality = 80;
+ }
+
++ if (overflow2(gdImageSX(im), 4)) {
++ return;
++ }
++
++ if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) {
++ return;
++ }
++
+ argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im));
+ if (!argb) {
+ return;