!16 fix CVE-2021-40812

From: @liuyumeng1 Reviewed-by: @small_leek Signed-off-by: @small_leek
2021-09-23 06:39:24 +00:00 · 2021-09-23 06:39:24 +00:00 · c98899827b
commit c98899827b
parent ccfd66d13b cefcdb18f0
2 changed files with 88 additions and 1 deletions
--- a/backport-CVE-2021-40812.patch
+++ b/backport-CVE-2021-40812.patch
@ -0,0 +1,80 @@
 From e5c84f0b7a2e2cef8d8630bd8c26a2f859e959ff Mon Sep 17 00:00:00 2001
 From: Pierre Joye <pierre.php@gmail.com>
 Date: Tue, 7 Sep 2021 22:03:21 +0700
 Subject: [PATCH 1/2] Partial fix for #750
 Conflict:NA
 Reference:https://github.com/libgd/libgd/commit/6f5136821be86e7068fcdf651ae9420b5d42e9a9
 ---
 src/gd_bmp.c  | 14 +++++++++++---
 src/gd_webp.c |  7 ++++++-
 2 files changed, 17 insertions(+), 4 deletions(-)
 diff --git a/src/gd_bmp.c b/src/gd_bmp.c
 index 34494ff..ec3267a 100755
 --- a/src/gd_bmp.c
 +++ b/src/gd_bmp.c
@@ -30,6 +30,7 @@
 #include <stdlib.h>
 #include "gd.h"
 #include "gdhelpers.h"
 +#include "gd_errors.h"
 #include "bmp.h"
 static int compress_row(unsigned char *uncompressed_row, int length);
@@ -266,7 +267,11 @@ static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 				bitmap_size += compressed_size;
 -				gdPutBuf(uncompressed_row, compressed_size, out);
 +				if (gdPutBuf(uncompressed_row, compressed_size, out) != compressed_size){
 +					gd_error("gd-bmp write error\n");
 +					error = 1;
 +					break;
 +				}
 				Putchar(BMP_RLE_COMMAND, out);
 				Putchar(BMP_RLE_ENDOFLINE, out);
 				bitmap_size += 2;
@@ -325,7 +330,10 @@ static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 			if (buffer_size == 0) {
 				break;
 			}
 -			gdPutBuf(copy_buffer , buffer_size, out_original);
 +			if (gdPutBuf(copy_buffer , buffer_size, out_original) != buffer_size) {
 +				gd_error("gd-bmp write error\n");
 +				error = 1;
 +			}
 		}
 		gdFree(copy_buffer);
@@ -335,7 +343,7 @@ static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 		out_original = NULL;
 	}
 -	ret = 0;
 +	ret = error;
 cleanup:
 	if (tmpfile_for_compression) {
 #ifdef _WIN32
 diff --git a/src/gd_webp.c b/src/gd_webp.c
 index b5ee264..b0f21b6 100755
 --- a/src/gd_webp.c
 +++ b/src/gd_webp.c
@@ -222,8 +222,13 @@ static int _gdImageWebpCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
         ret = 1;
 		goto freeargb;
 	}
 -	gdPutBuf(out, out_size, outfile);
 +
 +	int res = gdPutBuf(out, out_size, outfile);
 	free(out);
 +	if (res != out_size) {
 +		gd_error("gd-webp write error\n");
 +		ret = 1;
 +	}
 freeargb:
 	gdFree(argb);
 -- 
 2.27.0
--- a/gd.spec
+++ b/gd.spec
@ -1,6 +1,6 @@
 Name:           gd
 Version:        2.3.0
-Release:        3
+Release:        4
 Summary:        A graphics library for quick creation of PNG or JPEG images
 License:        MIT
 URL:            http://libgd.github.io/
@ -10,6 +10,7 @@ Source0:        https://github.com/libgd/libgd/releases/download/gd-%{version}/l
 Source1:        https://raw.githubusercontent.com/libgd/libgd/gd-%{version}/config/getlib.sh
 Patch6000:      backport-CVE-2021-38115.patch
 Patch6001:	backport-CVE-2021-40812.patch
 BuildRequires:  freetype-devel fontconfig-devel gettext-devel libjpeg-devel libpng-devel libtiff-devel libwebp-devel
 BuildRequires:  libX11-devel libXpm-devel zlib-devel pkgconfig libtool perl-interpreter perl-generators liberation-sans-fonts
@ -102,6 +103,12 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc
 %exclude %{_libdir}/libgd.a
 %changelog
 * Thu Sep 23 2021 liuyumeng<liuyumeng5@huawei.com> - 2.3.0-4
 - Type:CVE
 - CVE:CVE-2021-40812
 - SUG:NA
 - DESC:fix CVE-2021-40812
 * Sat Aug 14 2021 zhanzhimin<zhanzhimin@huawei.com> - 2.3.0-3
 - Type:CVE
 - ID:CVE-2021-38115