From f58c813f8afcd08acdd630f378cff1a5009655cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= Date: Thu, 31 Jan 2019 16:02:19 +0000 Subject: [PATCH] merge in fixes for libgd CVE-2019-6978 --- README | 5 +++++ configure.ac | 2 +- src/extra/gd/gd_jpeg.c | 21 +++++++++++++++++---- src/extra/gd/gd_wbmp.c | 24 ++++++++++++++++++++++-- 4 files changed, 45 insertions(+), 7 deletions(-) diff --git a/src/extra/gd/gd_jpeg.c b/src/extra/gd/gd_jpeg.c index 7e6dfbb..b270186 100644 --- a/src/extra/gd/gd_jpeg.c +++ b/src/extra/gd/gd_jpeg.c @@ -72,6 +72,8 @@ fatal_jpeg_error (j_common_ptr cinfo) exit (99); } +static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality); + /* * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality * QUALITY. If QUALITY is in the range 0-100, increasing values @@ -93,8 +95,12 @@ gdImageJpegPtr (gdImagePtr im, int *size, int quality) { void *rv; gdIOCtx *out = gdNewDynamicCtx (2048, NULL); - gdImageJpegCtx (im, out, quality); - rv = gdDPExtractData (out, size); + if (out == NULL) return NULL; + if (!_gdImageJpegCtx(im, out, quality)) { + rv = gdDPExtractData(out, size); + } else { + rv = NULL; + } out->free (out); return rv; } @@ -103,6 +109,12 @@ static void jpeg_gdIOCtx_dest (j_compress_ptr cinfo, gdIOCtx * outfile); void gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality) +{ + _gdImageJpegCtx(im, outfile, quality); +} + +/* returns 0 on success, 1 on failure */ +static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality) { struct jpeg_compress_struct cinfo; struct jpeg_error_mgr jerr; @@ -139,7 +151,7 @@ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality) /* we're here courtesy of longjmp */ if (row) gdFree (row); - return; + return 1; } cinfo.err->error_exit = fatal_jpeg_error; @@ -173,7 +185,7 @@ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality) fprintf (stderr, "gd-jpeg: error: unable to allocate JPEG row " "structure: gdCalloc returns NULL\n"); jpeg_destroy_compress (&cinfo); - return; + return 1; } rowptr[0] = row; @@ -254,6 +266,7 @@ error: #endif jpeg_destroy_compress (&cinfo); gdFree (row); + return 0; } gdImagePtr diff --git a/src/extra/gd/gd_wbmp.c b/src/extra/gd/gd_wbmp.c index f1258da..4b27043 100644 --- a/src/extra/gd/gd_wbmp.c +++ b/src/extra/gd/gd_wbmp.c @@ -85,6 +85,7 @@ gd_getin (void *in) return (gdGetC ((gdIOCtx *) in)); } +static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out); /* gdImageWBMPCtx ** -------------- @@ -97,6 +98,12 @@ gd_getin (void *in) */ void gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out) +{ + _gdImageWBMPCtx(image, fg, out); +} + +/* returns 0 on success, 1 on failure */ +static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out) { int x, y, pos; @@ -107,7 +114,7 @@ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out) if ((wbmp = createwbmp (gdImageSX (image), gdImageSY (image), WBMP_WHITE)) == NULL) { fprintf (stderr, "Could not create WBMP\n"); - return; + return 1; } /* fill up the WBMP structure */ @@ -126,9 +133,16 @@ gdImageWBMPCtx (gdImagePtr image, int fg, gdIOCtx * out) /* write the WBMP to a gd file descriptor */ if (writewbmp (wbmp, &gd_putout, out)) + { fprintf (stderr, "Could not save WBMP\n"); + freewbmp (wbmp); + return 1; + } + /* des submitted this bugfix: gdFree the memory. */ freewbmp (wbmp); + + return 0; } @@ -214,8 +228,12 @@ gdImageWBMPPtr (gdImagePtr im, int *size, int fg) { void *rv; gdIOCtx *out = gdNewDynamicCtx (2048, NULL); - gdImageWBMPCtx (im, fg, out); - rv = gdDPExtractData (out, size); + if (out == NULL) return NULL; + if (!_gdImageWBMPCtx(im, fg, out)) { + rv = gdDPExtractData(out, size); + } else { + rv = NULL; + } out->free (out); return rv; } -- 2.20.1