From cefcdb18f0433d3d5aa281ee42964aca6b37876e Mon Sep 17 00:00:00 2001
From: liuyumeng
Date: Thu, 23 Sep 2021 14:07:40 +0800
Subject: [PATCH] fix CVE-2021-40812
---
 backport-CVE-2021-40812.patch | 80 +++++++++++++++++++++++++++++++++++
 gd.spec | 9 +++-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-40812.patch
diff --git a/backport-CVE-2021-40812.patch b/backport-CVE-2021-40812.patch
new file mode 100644
index 0000000..7a34d1f
--- /dev/null
+++ b/backport-CVE-2021-40812.patch
@@ -0,0 +1,80 @@
+From e5c84f0b7a2e2cef8d8630bd8c26a2f859e959ff Mon Sep 17 00:00:00 2001
+From: Pierre Joye
+Date: Tue, 7 Sep 2021 22:03:21 +0700
+Subject: [PATCH 1/2] Partial fix for #750
+
+Conflict:NA
+Reference:https://github.com/libgd/libgd/commit/6f5136821be86e7068fcdf651ae9420b5d42e9a9
+---
+ src/gd_bmp.c | 14 +++++++++++---
+ src/gd_webp.c | 7 ++++++-
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c
+index 34494ff..ec3267a 100755
+--- a/src/gd_bmp.c
++++ b/src/gd_bmp.c
+@@ -30,6 +30,7 @@
+ #include
+ #include "gd.h"
+ #include "gdhelpers.h"
++#include "gd_errors.h"
+ #include "bmp.h"
+
+ static int compress_row(unsigned char *uncompressed_row, int length);
+@@ -266,7 +267,11 @@ static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ bitmap_size += compressed_size;
+
+
+- gdPutBuf(uncompressed_row, compressed_size, out);
++ if (gdPutBuf(uncompressed_row, compressed_size, out) != compressed_size){
++ gd_error("gd-bmp write error\n");
++ error = 1;
++ break;
++ }
+ Putchar(BMP_RLE_COMMAND, out);
+ Putchar(BMP_RLE_ENDOFLINE, out);
+ bitmap_size += 2;
+@@ -325,7 +330,10 @@ static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ if (buffer_size == 0) {
+ break;
+ }
+- gdPutBuf(copy_buffer , buffer_size, out_original);
++ if (gdPutBuf(copy_buffer , buffer_size, out_original) != buffer_size) {
++ gd_error("gd-bmp write error\n");
++ error = 1;
++ }
+ }
+ gdFree(copy_buffer);
+
+@@ -335,7 +343,7 @@ static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ out_original = NULL;
+ }
+
+- ret = 0;
++ ret = error;
+ cleanup:
+ if (tmpfile_for_compression) {
+ #ifdef _WIN32
+diff --git a/src/gd_webp.c b/src/gd_webp.c
+index b5ee264..b0f21b6 100755
+--- a/src/gd_webp.c
++++ b/src/gd_webp.c
+@@ -222,8 +222,13 @@ static int _gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+ ret = 1;
+ goto freeargb;
+ }
+- gdPutBuf(out, out_size, outfile);
++
++ int res =
gdPutBuf(out, out_size, outfile);
+ free(out);
++ if (res != out_size) {
++ gd_error("gd-webp write error\n");
++ ret = 1;
++ }
+
+ freeargb:
+ gdFree(argb);
+--
+2.27.0
+
diff --git a/gd.spec b/gd.spec
index 719f531..7e2b6d1 100644
--- a/gd.spec
+++ b/gd.spec
@@ -1,6 +1,6 @@
 Name: gd
 Version: 2.3.0
-Release: 3
+Release: 4
 Summary: A graphics library for quick creation of PNG or JPEG images
 License: MIT
 URL: http://libgd.github.io/
@@ -10,6 +10,7 @@ Source0: https://github.com/libgd/libgd/releases/download/gd-%{version}/l Source1: https://raw.githubusercontent.com/libgd/libgd/gd-%{version}/config/getlib.sh Patch6000: backport-CVE-2021-38115.patch +Patch6001: backport-CVE-2021-40812.patch BuildRequires: freetype-devel fontconfig-devel gettext-devel libjpeg-devel libpng-devel libtiff-devel libwebp-devel BuildRequires: libX11-devel libXpm-devel zlib-devel pkgconfig libtool perl-interpreter perl-generators liberation-sans-fonts
@@ -102,6 +103,12 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc %exclude %{_libdir}/libgd.a %changelog +* Thu Sep 23 2021 liuyumeng - 2.3.0-4 +- Type:CVE +- CVE:CVE-2021-40812 +- SUG:NA +- DESC:fix CVE-2021-40812 + * Sat Aug 14 2021 zhanzhimin - 2.3.0-3 - Type:CVE - ID:CVE-2021-38115
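Review bot: In the second gd_bmp.c hunk of the embedded patch (the copy loop around `gdPutBuf(copy_buffer , buffer_size, out_original)`), a short write sets `error = 1` but does not leave the loop, so further iterations run and each one can log `gd-bmp write error` again. The RLE hunk above it stops with `break;` in the same situation; adding `break;` after `error = 1;` in the copy loop would make the two paths agree and end the write attempts at the first failure. Separately, the embedded subject reads `[PATCH 1/2] Partial fix for #750` while gd.spec and the changelog record it as the fix for CVE-2021-40812, so it is worth confirming whether the second patch of that series is needed for the backport to be complete. `_gdImageBmpCtx` starts and ends outside these hunks, so the declaration of `error` and the loop head are not visible here.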