From 7f8d4d642ad643f553e0fe74c0d48d59c81d178c Mon Sep 17 00:00:00 2001 From: Max Rees Date: Sun, 29 Mar 2020 03:26:16 -0500 Subject: user/libgd: [CVE] bump to 2.3.0 --- user/libgd/APKBUILD | 35 +++--- user/libgd/CVE-2016-7568.patch | 33 ------ user/libgd/CVE-2018-1000222.patch | 73 ------------- user/libgd/CVE-2018-14553.patch | 99 ----------------- user/libgd/CVE-2018-5711.patch | 61 ----------- user/libgd/CVE-2019-6977.patch | 21 ---- user/libgd/CVE-2019-6978.patch | 216 -------------------------------------- 7 files changed, 12 insertions(+), 526 deletions(-) delete mode 100644 user/libgd/CVE-2016-7568.patch delete mode 100644 user/libgd/CVE-2018-1000222.patch delete mode 100644 user/libgd/CVE-2018-14553.patch delete mode 100644 user/libgd/CVE-2018-5711.patch delete mode 100644 user/libgd/CVE-2019-6977.patch delete mode 100644 user/libgd/CVE-2019-6978.patch (limited to 'user/libgd') diff --git a/user/libgd/APKBUILD b/user/libgd/APKBUILD index 2a537dfca..c5da3861e 100644 --- a/user/libgd/APKBUILD +++ b/user/libgd/APKBUILD @@ -1,27 +1,24 @@ # Contributor: Carlo Landmeter # Maintainer: pkgname=libgd -pkgver=2.2.5 -pkgrel=2 +pkgver=2.3.0 +pkgrel=0 pkgdesc="Library for dynamic image creation" url="http://libgd.github.io/" arch="all" -options="!check" # Upstream bug 201 regression. +options="!check" # Multiple test suite failures. Assumes SSE+ math. license="MIT" depends="" makedepends="autoconf automake bash fontconfig-dev freetype-dev libjpeg-turbo-dev libpng-dev libtool libwebp-dev tiff-dev zlib-dev " +# While the fontconfig/basic test checks for what happens if an empty +# fontlist is passed to gdImageStringFT(), there still needs to be at +# least one font installed on the system... +checkdepends="ttf-liberation" subpackages="$pkgname-dev" replaces="gd" -source="https://github.com/$pkgname/$pkgname/releases/download/gd-$pkgver/$pkgname-$pkgver.tar.xz - CVE-2016-7568.patch - CVE-2018-5711.patch - CVE-2018-14553.patch - CVE-2018-1000222.patch - CVE-2019-6977.patch - CVE-2019-6978.patch - " +source="https://github.com/$pkgname/$pkgname/releases/download/gd-$pkgver/$pkgname-$pkgver.tar.xz" # secfixes: # 2.2.5-r1: @@ -31,11 +28,8 @@ source="https://github.com/$pkgname/$pkgname/releases/download/gd-$pkgver/$pkgna # - CVE-2019-6978 # 2.2.5-r2: # - CVE-2018-14553 - -prepare() { - default_prepare - autoreconf -vif -} +# 2.3.0-r0: +# - CVE-2019-11038 build() { ./configure \ @@ -61,13 +55,8 @@ dev() { default_dev depends="$pkgname perl" replaces="gd-dev" + mkdir -p "$subpkgdir"/usr/bin mv "$pkgdir"/usr/bin/bdftogd "$subpkgdir"/usr/bin } -sha512sums="e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b libgd-2.2.5.tar.xz -8310d11a2398e8617c9defc4500b9ce3897ac1026002ffa36000f1d1f8df19336005e8c1f6587533f1d787a4a54d7a3a28ad25bddbc966a018aedf4d8704a716 CVE-2016-7568.patch -d6577566814cbe2d93b141a4216b32acdeb2989dc1712eb137565081b913151bbb4c69911c96b2bb7c90695078a85152d368aad183de494d1283fde25021751b CVE-2018-5711.patch -353491fab6c6e0916dca910c9d14f0e0efab6d9d88c48f6f3f2f69e60312489039b25d26980e7c5c2c04ed9e56003b99eae77bd412fbbed1d8eb47d561f7af74 CVE-2018-14553.patch -d12462f1b159d50b9032435e9767a5d76e1797a88be950ed33dda7aa17005b7cb60560d04b9520e46d8111e1669d42ce28cb2c508f9c8825d545ac0335d2a10b CVE-2018-1000222.patch -df84e469515f684d79ebad163e137401627310a984ac1ae6a4d31b739b3dc6d9144f101e9bfc3211af1d7cdbaa827721d21a9fe528e69b9b60a943ec8a7ab74b CVE-2019-6977.patch -3bf31941365a878bef899afa14a89e4ad0fbfb3280d34b2118c8484698e15eff600751ae3ce146a4f006e6c21730cb18899bae3538f6cc2651025274b40cf1ca CVE-2019-6978.patch" +sha512sums="5b201d22560e147a3d5471010b898ad0268c3a2453b870d1267b6ba92e540cf9f75099336c1ab08217e41827ac86fe04525726bf29ad117e5dcbaef9a8d0622a libgd-2.3.0.tar.xz" diff --git a/user/libgd/CVE-2016-7568.patch b/user/libgd/CVE-2016-7568.patch deleted file mode 100644 index 56156411e..000000000 --- a/user/libgd/CVE-2016-7568.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 2806adfdc27a94d333199345394d7c302952b95f Mon Sep 17 00:00:00 2001 -From: trylab -Date: Tue, 6 Sep 2016 18:35:32 +0800 -Subject: [PATCH] Fix integer overflow in gdImageWebpCtx - -Integer overflow can be happened in expression gdImageSX(im) * 4 * -gdImageSY(im). It could lead to heap buffer overflow in the following -code. This issue has been reported to the PHP Bug Tracking System. The -proof-of-concept file will be supplied some days later. This issue was -discovered by Ke Liu of Tencent's Xuanwu LAB. ---- - src/gd_webp.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/gd_webp.c b/src/gd_webp.c -index 8eb4dee..9886399 100644 ---- a/src/gd_webp.c -+++ b/src/gd_webp.c -@@ -199,6 +199,14 @@ BGD_DECLARE(void) gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality) - quality = 80; - } - -+ if (overflow2(gdImageSX(im), 4)) { -+ return; -+ } -+ -+ if (overflow2(gdImageSX(im) * 4, gdImageSY(im))) { -+ return; -+ } -+ - argb = (uint8_t *)gdMalloc(gdImageSX(im) * 4 * gdImageSY(im)); - if (!argb) { - return; diff --git a/user/libgd/CVE-2018-1000222.patch b/user/libgd/CVE-2018-1000222.patch deleted file mode 100644 index 80f9712bf..000000000 --- a/user/libgd/CVE-2018-1000222.patch +++ /dev/null @@ -1,73 +0,0 @@ -From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger -Date: Sat, 14 Jul 2018 13:54:08 -0400 -Subject: [PATCH] bmp: check return value in gdImageBmpPtr - -Closes #447. ---- - src/gd_bmp.c | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) - -diff --git a/src/gd_bmp.c b/src/gd_bmp.c -index bde0b9d3..78f40d9a 100644 ---- a/src/gd_bmp.c -+++ b/src/gd_bmp.c -@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp - static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header); - static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info); - -+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression); -+ - #define BMP_DEBUG(s) - - static int gdBMPPutWord(gdIOCtx *out, int w) -@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression) - void *rv; - gdIOCtx *out = gdNewDynamicCtx(2048, NULL); - if (out == NULL) return NULL; -- gdImageBmpCtx(im, out, compression); -- rv = gdDPExtractData(out, size); -+ if (!_gdImageBmpCtx(im, out, compression)) -+ rv = gdDPExtractData(out, size); -+ else -+ rv = NULL; - out->gd_free(out); - return rv; - } -@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression) - compression - whether to apply RLE or not. - */ - BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) -+{ -+ _gdImageBmpCtx(im, out, compression); -+} -+ -+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) - { - int bitmap_size = 0, info_size, total_size, padding; - int i, row, xpos, pixel; -@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) - unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL; - FILE *tmpfile_for_compression = NULL; - gdIOCtxPtr out_original = NULL; -+ int ret = 1; - - /* No compression if its true colour or we don't support seek */ - if (im->trueColor) { -@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) - out_original = NULL; - } - -+ ret = 0; - cleanup: - if (tmpfile_for_compression) { - #ifdef _WIN32 -@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression) - if (out_original) { - out_original->gd_free(out_original); - } -- return; -+ return ret; - } - - static int compress_row(unsigned char *row, int length) diff --git a/user/libgd/CVE-2018-14553.patch b/user/libgd/CVE-2018-14553.patch deleted file mode 100644 index 7510101d1..000000000 --- a/user/libgd/CVE-2018-14553.patch +++ /dev/null @@ -1,99 +0,0 @@ -From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= -Date: Fri, 20 Dec 2019 12:03:33 -0300 -Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone() - ---- - src/gd.c | 9 +-------- - tests/gdimageclone/CMakeLists.txt | 1 + - tests/gdimageclone/Makemodule.am | 3 ++- - tests/gdimageclone/style.c | 30 ++++++++++++++++++++++++++++++ - 5 files changed, 35 insertions(+), 9 deletions(-) - create mode 100644 tests/gdimageclone/style.c - -diff --git a/src/gd.c b/src/gd.c -index 592a0286..d564d1f9 100644 ---- a/src/gd.c -+++ b/src/gd.c -@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) { - } - } - -- if (src->styleLength > 0) { -- dst->styleLength = src->styleLength; -- dst->stylePos = src->stylePos; -- for (i = 0; i < src->styleLength; i++) { -- dst->style[i] = src->style[i]; -- } -- } -- - dst->interlace = src->interlace; - - dst->alphaBlendingFlag = src->alphaBlendingFlag; -@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) { - - if (src->style) { - gdImageSetStyle(dst, src->style, src->styleLength); -+ dst->stylePos = src->stylePos; - } - - for (i = 0; i < gdMaxColors; i++) { -diff --git a/tests/gdimageclone/CMakeLists.txt b/tests/gdimageclone/CMakeLists.txt -index e6ccc318..662f4e96 100644 ---- a/tests/gdimageclone/CMakeLists.txt -+++ b/tests/gdimageclone/CMakeLists.txt -@@ -1,5 +1,6 @@ - LIST(APPEND TESTS_FILES - bug00300 -+ style - ) - - ADD_GD_TESTS() -diff --git a/tests/gdimageclone/Makemodule.am b/tests/gdimageclone/Makemodule.am -index 4b1b54c0..51abf5c1 100644 ---- a/tests/gdimageclone/Makemodule.am -+++ b/tests/gdimageclone/Makemodule.am -@@ -1,5 +1,6 @@ - libgd_test_programs += \ -- gdimageclone/bug00300 -+ gdimageclone/bug00300 \ -+ gdimageclone/style - - EXTRA_DIST += \ - gdimageclone/CMakeLists.txt -diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c -new file mode 100644 -index 00000000..c2b246ed ---- /dev/null -+++ b/tests/gdimageclone/style.c -@@ -0,0 +1,30 @@ -+/** -+ * Cloning an image should exactly reproduce all style related data -+ */ -+ -+ -+#include -+#include "gd.h" -+#include "gdtest.h" -+ -+ -+int main() -+{ -+ gdImagePtr im, clone; -+ int style[] = {0, 0, 0}; -+ -+ im = gdImageCreate(8, 8); -+ gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0])); -+ -+ clone = gdImageClone(im); -+ gdTestAssert(clone != NULL); -+ -+ gdTestAssert(clone->styleLength == im->styleLength); -+ gdTestAssert(clone->stylePos == im->stylePos); -+ gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0]))); -+ -+ gdImageDestroy(clone); -+ gdImageDestroy(im); -+ -+ return gdNumFailures(); -+} diff --git a/user/libgd/CVE-2018-5711.patch b/user/libgd/CVE-2018-5711.patch deleted file mode 100644 index dff2b9ea2..000000000 --- a/user/libgd/CVE-2018-5711.patch +++ /dev/null @@ -1,61 +0,0 @@ -From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Wed, 29 Nov 2017 19:37:38 +0100 -Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx - -Due to a signedness confusion in `GetCode_` a corrupt GIF file can -trigger an infinite loop. Furthermore we make sure that a GIF without -any palette entries is treated as invalid *after* open palette entries -have been removed. - -CVE-2018-5711 - -See also https://bugs.php.net/bug.php?id=75571. ---- - src/gd_gif_in.c | 12 ++++++------ - tests/gif/.gitignore | 1 + - tests/gif/CMakeLists.txt | 1 + - tests/gif/Makemodule.am | 2 ++ - tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++ - tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes - 6 files changed, 38 insertions(+), 6 deletions(-) - create mode 100644 tests/gif/php_bug_75571.c - create mode 100644 tests/gif/php_bug_75571.gif - -diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c -index daf26e79..0a8bd717 100644 ---- a/src/gd_gif_in.c -+++ b/src/gd_gif_in.c -@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) - return 0; - } - -- if(!im->colorsTotal) { -- gdImageDestroy(im); -- return 0; -- } -- - /* Check for open colors at the end, so - * we can reduce colorsTotal and ultimately - * BitsPerPixel */ -@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd) - } - } - -+ if(!im->colorsTotal) { -+ gdImageDestroy(im); -+ return 0; -+ } -+ - return im; - } - -@@ -447,7 +447,7 @@ static int - GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP) - { - int i, j, ret; -- unsigned char count; -+ int count; - - if(flag) { - scd->curbit = 0; diff --git a/user/libgd/CVE-2019-6977.patch b/user/libgd/CVE-2019-6977.patch deleted file mode 100644 index 4cfb9ab98..000000000 --- a/user/libgd/CVE-2019-6977.patch +++ /dev/null @@ -1,21 +0,0 @@ -Bug: https://bts.adelielinux.org/show_bug.cgi?id=159 -Backported-From: http://git.php.net/?p=php-src.git;a=commit;h=7a12dad4dd6c370835b13afae214b240082c7538 -Author: A. Wilcox -Bug: https://bugs.php.net/bug.php?id=77270 -Author: Christoph M. Becker -Committer: Stanislav Malyshev -Upstream-Status: unknown - ---- libgd-2.2.5/src/gd_color_match.c.old 2017-08-30 11:05:54.000000000 +0000 -+++ libgd-2.2.5/src/gd_color_match.c 2019-10-03 16:17:55.842322245 +0000 -@@ -31,8 +31,8 @@ - return -4; /* At least 1 color must be allocated */ - } - -- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); -- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); -+ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); -+ memset( buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); - - for (x=0; x < im1->sx; x++) { - for( y=0; ysy; y++ ) { diff --git a/user/libgd/CVE-2019-6978.patch b/user/libgd/CVE-2019-6978.patch deleted file mode 100644 index 0cfdda919..000000000 --- a/user/libgd/CVE-2019-6978.patch +++ /dev/null @@ -1,216 +0,0 @@ -From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Thu, 17 Jan 2019 11:54:55 +0100 -Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr() - -Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we -must not call `gdDPExtractData()`; otherwise a double-free would -happen. Since `gdImage*Ctx()` are void functions, and we can't change -that for BC reasons, we're introducing static helpers which are used -internally. - -We're adding a regression test for `gdImageJpegPtr()`, but not for -`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to -trigger failure of the respective `gdImage*Ctx()` calls. - -This potential security issue has been reported by Solmaz Salimi (aka. -Rooney). ---- - src/gd_gif_out.c | 18 +++++++++++++++--- - src/gd_jpeg.c | 20 ++++++++++++++++---- - src/gd_wbmp.c | 21 ++++++++++++++++++--- - tests/jpeg/.gitignore | 1 + - tests/jpeg/CMakeLists.txt | 1 + - tests/jpeg/Makemodule.am | 3 ++- - tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++ - 7 files changed, 84 insertions(+), 11 deletions(-) - create mode 100644 tests/jpeg/jpeg_ptr_double_free.c - -diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c -index 298a5812..d5a95346 100644 ---- a/src/gd_gif_out.c -+++ b/src/gd_gif_out.c -@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx); - static void char_out(int c, GifCtx *ctx); - static void flush_char(GifCtx *ctx); - -+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out); - - - -@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size) - void *rv; - gdIOCtx *out = gdNewDynamicCtx(2048, NULL); - if (out == NULL) return NULL; -- gdImageGifCtx(im, out); -- rv = gdDPExtractData(out, size); -+ if (!_gdImageGifCtx(im, out)) { -+ rv = gdDPExtractData(out, size); -+ } else { -+ rv = NULL; -+ } - out->gd_free(out); - return rv; - } -@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile) - - */ - BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) -+{ -+ _gdImageGifCtx(im, out); -+} -+ -+/* returns 0 on success, 1 on failure */ -+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) - { - gdImagePtr pim = 0, tim = im; - int interlace, BitsPerPixel; -@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) - based temporary image. */ - pim = gdImageCreatePaletteFromTrueColor(im, 1, 256); - if(!pim) { -- return; -+ return 1; - } - tim = pim; - } -@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out) - /* Destroy palette based temporary image. */ - gdImageDestroy( pim); - } -+ -+ return 0; - } - - -diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c -index fc058420..96ef4302 100644 ---- a/src/gd_jpeg.c -+++ b/src/gd_jpeg.c -@@ -123,6 +123,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo) - exit(99); - } - -+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality); -+ - /* - * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality - * QUALITY. If QUALITY is in the range 0-100, increasing values -@@ -237,8 +239,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality) - void *rv; - gdIOCtx *out = gdNewDynamicCtx(2048, NULL); - if (out == NULL) return NULL; -- gdImageJpegCtx(im, out, quality); -- rv = gdDPExtractData(out, size); -+ if (!_gdImageJpegCtx(im, out, quality)) { -+ rv = gdDPExtractData(out, size); -+ } else { -+ rv = NULL; -+ } - out->gd_free(out); - return rv; - } -@@ -259,6 +264,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile); - - */ - BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) -+{ -+ _gdImageJpegCtx(im, outfile, quality); -+} -+ -+/* returns 0 on success, 1 on failure */ -+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) - { - struct jpeg_compress_struct cinfo; - struct jpeg_error_mgr jerr; -@@ -293,7 +304,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) - if(row) { - gdFree(row); - } -- return; -+ return 1; - } - - cinfo.err->emit_message = jpeg_emit_message; -@@ -334,7 +345,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) - if(row == 0) { - gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n"); - jpeg_destroy_compress(&cinfo); -- return; -+ return 1; - } - - rowptr[0] = row; -@@ -411,6 +424,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) - jpeg_finish_compress(&cinfo); - jpeg_destroy_compress(&cinfo); - gdFree(row); -+ return 0; - } - - -diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c -index f19a1c96..a49bdbec 100644 ---- a/src/gd_wbmp.c -+++ b/src/gd_wbmp.c -@@ -88,6 +88,8 @@ int gd_getin(void *in) - return (gdGetC((gdIOCtx *)in)); - } - -+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out); -+ - /* - Function: gdImageWBMPCtx - -@@ -100,6 +102,12 @@ int gd_getin(void *in) - out - the stream where to write - */ - BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) -+{ -+ _gdImageWBMPCtx(image, fg, out); -+} -+ -+/* returns 0 on success, 1 on failure */ -+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) - { - int x, y, pos; - Wbmp *wbmp; -@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) - /* create the WBMP */ - if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) { - gd_error("Could not create WBMP\n"); -- return; -+ return 1; - } - - /* fill up the WBMP structure */ -@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) - - /* write the WBMP to a gd file descriptor */ - if(writewbmp(wbmp, &gd_putout, out)) { -+ freewbmp(wbmp); - gd_error("Could not save WBMP\n"); -+ return 1; - } - - /* des submitted this bugfix: gdFree the memory. */ - freewbmp(wbmp); -+ -+ return 0; - } - - /* -@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg) - void *rv; - gdIOCtx *out = gdNewDynamicCtx(2048, NULL); - if (out == NULL) return NULL; -- gdImageWBMPCtx(im, fg, out); -- rv = gdDPExtractData(out, size); -+ if (!_gdImageWBMPCtx(im, fg, out)) { -+ rv = gdDPExtractData(out, size); -+ } else { -+ rv = NULL; -+ } - out->gd_free(out); - return rv; - } -- cgit v1.2.3-70-g09d2