!16 fix CVE-2021-40812

From: @liuyumeng1 Reviewed-by: @small_leek Signed-off-by: @small_leek
2021-09-23 06:39:24 +00:00 · 2021-09-23 06:39:24 +00:00 · c98899827b
commit c98899827b
parent ccfd66d13b cefcdb18f0
2 changed files with 88 additions and 1 deletions
--- a/backport-CVE-2021-40812.patch
+++ b/backport-CVE-2021-40812.patch
@ -0,0 +1,80 @@
+From e5c84f0b7a2e2cef8d8630bd8c26a2f859e959ff Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pierre.php@gmail.com>
+Date: Tue, 7 Sep 2021 22:03:21 +0700
+Subject: [PATCH 1/2] Partial fix for #750
+
+Conflict:NA
+Reference:https://github.com/libgd/libgd/commit/6f5136821be86e7068fcdf651ae9420b5d42e9a9
+---
+ src/gd_bmp.c  | 14 +++++++++++---
+ src/gd_webp.c |  7 ++++++-
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c
+index 34494ff..ec3267a 100755
+--- a/src/gd_bmp.c
+++ b/src/gd_bmp.c
+@@ -30,6 +30,7 @@
+ #include <stdlib.h>
+ #include "gd.h"
+ #include "gdhelpers.h"
+#include "gd_errors.h"
+ #include "bmp.h"
+ 
+ static int compress_row(unsigned char *uncompressed_row, int length);
+@@ -266,7 +267,11 @@ static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ 				bitmap_size += compressed_size;
+ 
+ 
+-				gdPutBuf(uncompressed_row, compressed_size, out);
+				if (gdPutBuf(uncompressed_row, compressed_size, out) != compressed_size){
+					gd_error("gd-bmp write error\n");
+					error = 1;
+					break;
+				}
+ 				Putchar(BMP_RLE_COMMAND, out);
+ 				Putchar(BMP_RLE_ENDOFLINE, out);
+ 				bitmap_size += 2;
+@@ -325,7 +330,10 @@ static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ 			if (buffer_size == 0) {
+ 				break;
+ 			}
+-			gdPutBuf(copy_buffer , buffer_size, out_original);
+			if (gdPutBuf(copy_buffer , buffer_size, out_original) != buffer_size) {
+				gd_error("gd-bmp write error\n");
+				error = 1;
+			}
+ 		}
+ 		gdFree(copy_buffer);
+ 
+@@ -335,7 +343,7 @@ static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ 		out_original = NULL;
+ 	}
+ 
+-	ret = 0;
+	ret = error;
+ cleanup:
+ 	if (tmpfile_for_compression) {
+ #ifdef _WIN32
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index b5ee264..b0f21b6 100755
+--- a/src/gd_webp.c
+++ b/src/gd_webp.c
+@@ -222,8 +222,13 @@ static int _gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+         ret = 1;
+ 		goto freeargb;
+ 	}
+-	gdPutBuf(out, out_size, outfile);
+
+	int res = gdPutBuf(out, out_size, outfile);
+ 	free(out);
+	if (res != out_size) {
+		gd_error("gd-webp write error\n");
+		ret = 1;
+	}
+ 
+ freeargb:
+ 	gdFree(argb);
+-- 
+2.27.0
+
--- a/gd.spec
+++ b/gd.spec
@ -1,6 +1,6 @@
 Name:           gd
 Version:        2.3.0
-Release:        3
+Release:        4
 Summary:        A graphics library for quick creation of PNG or JPEG images
 License:        MIT
 URL:            http://libgd.github.io/
@ -10,6 +10,7 @@ Source0:        https://github.com/libgd/libgd/releases/download/gd-%{version}/l
 Source1:        https://raw.githubusercontent.com/libgd/libgd/gd-%{version}/config/getlib.sh

 Patch6000:      backport-CVE-2021-38115.patch
+Patch6001:	backport-CVE-2021-40812.patch

 BuildRequires:  freetype-devel fontconfig-devel gettext-devel libjpeg-devel libpng-devel libtiff-devel libwebp-devel
 BuildRequires:  libX11-devel libXpm-devel zlib-devel pkgconfig libtool perl-interpreter perl-generators liberation-sans-fonts
@ -102,6 +103,12 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 %exclude %{_libdir}/libgd.a

 %changelog
+* Thu Sep 23 2021 liuyumeng<liuyumeng5@huawei.com> - 2.3.0-4
+- Type:CVE
+- CVE:CVE-2021-40812
+- SUG:NA
+- DESC:fix CVE-2021-40812
+
 * Sat Aug 14 2021 zhanzhimin<zhanzhimin@huawei.com> - 2.3.0-3
 - Type:CVE
 - ID:CVE-2021-38115