gd: fix CVE-2019-6978

CVE: CVE-2019-6978 Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Trevor Gamblin <trevor.gamblin@windriver.com> 2019-10-03 14:58:51 -0400
committer: Armin Kuster <akuster808@gmail.com> 2019-10-09 11:26:49 -0700
commit: dc66a2a10c3bc0e1491ddd656eff10bac521d862 (patch)
tree: 1807e633bfbb83bff38c2879a2a6d7c0fb341e2d
parent: 6f4dcd00ce677d9df3fed7e12d87a4588dc65661 (diff)
download: meta-openembedded-dc66a2a10c3bc0e1491ddd656eff10bac521d862.tar.gz
2 files changed, 300 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch b/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch
new file mode 100644
index 000000000..9beb23e83
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch
@@ -0,0 +1,299 @@
+From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 17 Jan 2019 11:54:55 +0100
+Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
+Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
+must not call `gdDPExtractData()`; otherwise a double-free would
+happen.  Since `gdImage*Ctx()` are void functions, and we can't change
+that for BC reasons, we're introducing static helpers which are used
+internally.
+We're adding a regression test for `gdImageJpegPtr()`, but not for
+`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
+trigger failure of the respective `gdImage*Ctx()` calls.
+This potential security issue has been reported by Solmaz Salimi (aka.
+Rooney).
+---
+ src/gd_gif_out.c                  | 18 +++++++++++++++---
+ src/gd_jpeg.c                     | 20 ++++++++++++++++----
+ src/gd_wbmp.c                     | 21 ++++++++++++++++++---
+ tests/jpeg/.gitignore             |  1 +
+ tests/jpeg/CMakeLists.txt         |  1 +
+ tests/jpeg/Makemodule.am          |  3 ++-
+ tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
+ 7 files changed, 84 insertions(+), 11 deletions(-)
+ create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
+Upstream-Status: Backport [https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0]
+CVE: CVE-2019-6978
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
+index 298a581..d5a9534 100644
+--- a/src/gd_gif_out.c
+++ b/src/gd_gif_out.c
+@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
+ static void char_out(int c, GifCtx *ctx);
+ static void flush_char(GifCtx *ctx);
+ 
+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
+ 
+ 
+ 
+@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
+        void *rv;
+        gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+        if (out == NULL) return NULL;
+-       gdImageGifCtx(im, out);
+-       rv = gdDPExtractData(out, size);
+       if (!_gdImageGifCtx(im, out)) {
+               rv = gdDPExtractData(out, size);
+       } else {
+               rv = NULL;
+       }
+        out->gd_free(out);
+        return rv;
+ }
+@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
+ 
+ */
+ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+{
+       _gdImageGifCtx(im, out);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ {
+        gdImagePtr pim = 0, tim = im;
+        int interlace, BitsPerPixel;
+@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+                based temporary image. */
+                pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
+                if(!pim) {
+-                       return;
+                       return 1;
+                }
+                tim = pim;
+        }
+@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+                /* Destroy palette based temporary image. */
+                gdImageDestroy( pim);
+        }
+
+       return 0;
+ }
+ 
+ 
+diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
+index fc05842..96ef430 100644
+--- a/src/gd_jpeg.c
+++ b/src/gd_jpeg.c
+@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
+        exit(99);
+ }
+ 
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
+
+ /*
+  * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
+  * QUALITY.  If QUALITY is in the range 0-100, increasing values
+@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
+        void *rv;
+        gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+        if (out == NULL) return NULL;
+-       gdImageJpegCtx(im, out, quality);
+-       rv = gdDPExtractData(out, size);
+       if (!_gdImageJpegCtx(im, out, quality)) {
+               rv = gdDPExtractData(out, size);
+       } else {
+               rv = NULL;
+       }
+        out->gd_free(out);
+        return rv;
+ }
+@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
+ 
+ */
+ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+{
+       _gdImageJpegCtx(im, outfile, quality);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ {
+        struct jpeg_compress_struct cinfo;
+        struct jpeg_error_mgr jerr;
+@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+                if(row) {
+                        gdFree(row);
+                }
+-               return;
+               return 1;
+        }
+ 
+        cinfo.err->emit_message = jpeg_emit_message;
+@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+        if(row == 0) {
+                gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
+                jpeg_destroy_compress(&cinfo);
+-               return;
+               return 1;
+        }
+ 
+        rowptr[0] = row;
+@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+        jpeg_finish_compress(&cinfo);
+        jpeg_destroy_compress(&cinfo);
+        gdFree(row);
+       return 0;
+ }
+ 
+ 
+diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
+index f19a1c9..a49bdbe 100644
+--- a/src/gd_wbmp.c
+++ b/src/gd_wbmp.c
+@@ -88,6 +88,8 @@ int gd_getin(void *in)
+        return (gdGetC((gdIOCtx *)in));
+ }
+ 
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
+
+ /*
+        Function: gdImageWBMPCtx
+ 
+@@ -100,6 +102,12 @@ int gd_getin(void *in)
+                out   - the stream where to write
+ */
+ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+{
+       _gdImageWBMPCtx(image, fg, out);
+}
+
+/* returns 0 on success, 1 on failure */
+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ {
+        int x, y, pos;
+        Wbmp *wbmp;
+@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+        /* create the WBMP */
+        if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
+                gd_error("Could not create WBMP\n");
+-               return;
+               return 1;
+        }
+ 
+        /* fill up the WBMP structure */
+@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ 
+        /* write the WBMP to a gd file descriptor */
+        if(writewbmp(wbmp, &gd_putout, out)) {
+               freewbmp(wbmp);
+                gd_error("Could not save WBMP\n");
+               return 1;
+        }
+ 
+        /* des submitted this bugfix: gdFree the memory. */
+        freewbmp(wbmp);
+
+       return 0;
+ }
+ 
+ /*
+@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
+        void *rv;
+        gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+        if (out == NULL) return NULL;
+-       gdImageWBMPCtx(im, fg, out);
+-       rv = gdDPExtractData(out, size);
+       if (!_gdImageWBMPCtx(im, fg, out)) {
+               rv = gdDPExtractData(out, size);
+       } else {
+               rv = NULL;
+       }
+        out->gd_free(out);
+        return rv;
+ }
+diff --git a/tests/jpeg/.gitignore b/tests/jpeg/.gitignore
+index c28aa87..13bcf04 100644
+--- a/tests/jpeg/.gitignore
+++ b/tests/jpeg/.gitignore
+@@ -3,5 +3,6 @@
+ /jpeg_empty_file
+ /jpeg_im2im
+ /jpeg_null
+/jpeg_ptr_double_free
+ /jpeg_read
+ /jpeg_resolution
+diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
+index 19964b0..a8d8162 100644
+--- a/tests/jpeg/CMakeLists.txt
+++ b/tests/jpeg/CMakeLists.txt
+@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
+ LIST(APPEND TESTS_FILES
+        jpeg_empty_file
+        jpeg_im2im
+       jpeg_ptr_double_free
+        jpeg_null
+ )
+ 
+diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
+index 7e5d317..b89e169 100644
+--- a/tests/jpeg/Makemodule.am
+++ b/tests/jpeg/Makemodule.am
+@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
+ libgd_test_programs += \
+        jpeg/jpeg_empty_file \
+        jpeg/jpeg_im2im \
+-       jpeg/jpeg_null
+       jpeg/jpeg_null \
+       jpeg/jpeg_ptr_double_free
+ 
+ if HAVE_LIBPNG
+ libgd_test_programs += \
+diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
+new file mode 100644
+index 0000000..df5a510
+--- /dev/null
+++ b/tests/jpeg/jpeg_ptr_double_free.c
+@@ -0,0 +1,31 @@
+/**
+ * Test that failure to convert to JPEG returns NULL
+ *
+ * We are creating an image, set its width to zero, and pass this image to
+ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
+ *
+ * See also <https://github.com/libgd/libgd/issues/381>
+ */
+
+
+#include "gd.h"
+#include "gdtest.h"
+
+
+int main()
+{
+    gdImagePtr src, dst;
+    int size;
+
+    src = gdImageCreateTrueColor(1, 10);
+    gdTestAssert(src != NULL);
+
+    src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
+
+    dst = gdImageJpegPtr(src, &size, 0);
+    gdTestAssert(dst == NULL);
+
+    gdImageDestroy(src);
+
+    return gdNumFailures();
+}
+-- 
+2.17.1
diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.2.5.bb
index c846bda6b..35f9bb251 100644
--- a/meta-oe/recipes-support/gd/gd_2.2.5.bb
+++ b/meta-oe/recipes-support/gd/gd_2.2.5.bb
@@ -16,6 +16,7 @@ DEPENDS = "freetype libpng jpeg zlib tiff"
 SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
           file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \
           file://CVE-2018-1000222.patch \
+           file://CVE-2019-6978.patch \
          "
 SRCREV = "8255231b68889597d04d451a72438ab92a405aba"
author	Trevor Gamblin <trevor.gamblin@windriver.com>	2019-10-03 14:58:51 -0400
committer	Armin Kuster <akuster808@gmail.com>	2019-10-09 11:26:49 -0700
commit	dc66a2a10c3bc0e1491ddd656eff10bac521d862 (patch)
tree	1807e633bfbb83bff38c2879a2a6d7c0fb341e2d
parent	6f4dcd00ce677d9df3fed7e12d87a4588dc65661 (diff)
download	meta-openembedded-dc66a2a10c3bc0e1491ddd656eff10bac521d862.tar.gz

diff --git a/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch b/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch new file mode 100644 index 000000000..9beb23e83 --- /dev/null +++ b/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch
@@ -0,0 +1,299 @@
		1	From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
		2	From: "Christoph M. Becker" <cmbecker69@gmx.de>
		3	Date: Thu, 17 Jan 2019 11:54:55 +0100
		4	Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
		5
		6	Whenever `gdImagePtr()` calls `gdImageCtx()` and the latter fails, we
		7	must not call `gdDPExtractData()`; otherwise a double-free would
		8	happen. Since `gdImage*Ctx()` are void functions, and we can't change
		9	that for BC reasons, we're introducing static helpers which are used
		10	internally.
		11
		12	We're adding a regression test for `gdImageJpegPtr()`, but not for
		13	`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
		14	trigger failure of the respective `gdImage*Ctx()` calls.
		15
		16	This potential security issue has been reported by Solmaz Salimi (aka.
		17	Rooney).
		18	---
		19	src/gd_gif_out.c \| 18 +++++++++++++++---
		20	src/gd_jpeg.c \| 20 ++++++++++++++++----
		21	src/gd_wbmp.c \| 21 ++++++++++++++++++---
		22	tests/jpeg/.gitignore \| 1 +
		23	tests/jpeg/CMakeLists.txt \| 1 +
		24	tests/jpeg/Makemodule.am \| 3 ++-
		25	tests/jpeg/jpeg_ptr_double_free.c \| 31 +++++++++++++++++++++++++++++++
		26	7 files changed, 84 insertions(+), 11 deletions(-)
		27	create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
		28
		29	Upstream-Status: Backport [https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0]
		30	CVE: CVE-2019-6978
		31
		32	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
		33
		34
		35	diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
		36	index 298a581..d5a9534 100644
		37	--- a/src/gd_gif_out.c
		38	+++ b/src/gd_gif_out.c
		39	@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
		40	static void char_out(int c, GifCtx *ctx);
		41	static void flush_char(GifCtx *ctx);
		42
		43	+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
		44
		45
		46
		47	@@ -131,8 +132,11 @@ BGD_DECLARE(void ) gdImageGifPtr(gdImagePtr im, int size)
		48	void *rv;
		49	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
		50	if (out == NULL) return NULL;
		51	- gdImageGifCtx(im, out);
		52	- rv = gdDPExtractData(out, size);
		53	+ if (!_gdImageGifCtx(im, out)) {
		54	+ rv = gdDPExtractData(out, size);
		55	+ } else {
		56	+ rv = NULL;
		57	+ }
		58	out->gd_free(out);
		59	return rv;
		60	}
		61	@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
		62
		63	*/
		64	BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
		65	+{
		66	+ _gdImageGifCtx(im, out);
		67	+}
		68	+
		69	+/* returns 0 on success, 1 on failure */
		70	+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
		71	{
		72	gdImagePtr pim = 0, tim = im;
		73	int interlace, BitsPerPixel;
		74	@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
		75	based temporary image. */
		76	pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
		77	if(!pim) {
		78	- return;
		79	+ return 1;
		80	}
		81	tim = pim;
		82	}
		83	@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
		84	/* Destroy palette based temporary image. */
		85	gdImageDestroy( pim);
		86	}
		87	+
		88	+ return 0;
		89	}
		90
		91
		92	diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
		93	index fc05842..96ef430 100644
		94	--- a/src/gd_jpeg.c
		95	+++ b/src/gd_jpeg.c
		96	@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
		97	exit(99);
		98	}
		99
		100	+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
		101	+
		102	/*
		103	* Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
		104	* QUALITY. If QUALITY is in the range 0-100, increasing values
		105	@@ -231,8 +233,11 @@ BGD_DECLARE(void ) gdImageJpegPtr(gdImagePtr im, int size, int quality)
		106	void *rv;
		107	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
		108	if (out == NULL) return NULL;
		109	- gdImageJpegCtx(im, out, quality);
		110	- rv = gdDPExtractData(out, size);
		111	+ if (!_gdImageJpegCtx(im, out, quality)) {
		112	+ rv = gdDPExtractData(out, size);
		113	+ } else {
		114	+ rv = NULL;
		115	+ }
		116	out->gd_free(out);
		117	return rv;
		118	}
		119	@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
		120
		121	*/
		122	BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
		123	+{
		124	+ _gdImageJpegCtx(im, outfile, quality);
		125	+}
		126	+
		127	+/* returns 0 on success, 1 on failure */
		128	+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
		129	{
		130	struct jpeg_compress_struct cinfo;
		131	struct jpeg_error_mgr jerr;
		132	@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
		133	if(row) {
		134	gdFree(row);
		135	}
		136	- return;
		137	+ return 1;
		138	}
		139
		140	cinfo.err->emit_message = jpeg_emit_message;
		141	@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
		142	if(row == 0) {
		143	gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
		144	jpeg_destroy_compress(&cinfo);
		145	- return;
		146	+ return 1;
		147	}
		148
		149	rowptr[0] = row;
		150	@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
		151	jpeg_finish_compress(&cinfo);
		152	jpeg_destroy_compress(&cinfo);
		153	gdFree(row);
		154	+ return 0;
		155	}
		156
		157
		158	diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
		159	index f19a1c9..a49bdbe 100644
		160	--- a/src/gd_wbmp.c
		161	+++ b/src/gd_wbmp.c
		162	@@ -88,6 +88,8 @@ int gd_getin(void *in)
		163	return (gdGetC((gdIOCtx *)in));
		164	}
		165
		166	+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
		167	+
		168	/*
		169	Function: gdImageWBMPCtx
		170
		171	@@ -100,6 +102,12 @@ int gd_getin(void *in)
		172	out - the stream where to write
		173	*/
		174	BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
		175	+{
		176	+ _gdImageWBMPCtx(image, fg, out);
		177	+}
		178	+
		179	+/* returns 0 on success, 1 on failure */
		180	+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
		181	{
		182	int x, y, pos;
		183	Wbmp *wbmp;
		184	@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
		185	/* create the WBMP */
		186	if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
		187	gd_error("Could not create WBMP\n");
		188	- return;
		189	+ return 1;
		190	}
		191
		192	/* fill up the WBMP structure */
		193	@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
		194
		195	/* write the WBMP to a gd file descriptor */
		196	if(writewbmp(wbmp, &gd_putout, out)) {
		197	+ freewbmp(wbmp);
		198	gd_error("Could not save WBMP\n");
		199	+ return 1;
		200	}
		201
		202	/* des submitted this bugfix: gdFree the memory. */
		203	freewbmp(wbmp);
		204	+
		205	+ return 0;
		206	}
		207
		208	/*
		209	@@ -271,8 +283,11 @@ BGD_DECLARE(void ) gdImageWBMPPtr(gdImagePtr im, int size, int fg)
		210	void *rv;
		211	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
		212	if (out == NULL) return NULL;
		213	- gdImageWBMPCtx(im, fg, out);
		214	- rv = gdDPExtractData(out, size);
		215	+ if (!_gdImageWBMPCtx(im, fg, out)) {
		216	+ rv = gdDPExtractData(out, size);
		217	+ } else {
		218	+ rv = NULL;
		219	+ }
		220	out->gd_free(out);
		221	return rv;
		222	}
		223	diff --git a/tests/jpeg/.gitignore b/tests/jpeg/.gitignore
		224	index c28aa87..13bcf04 100644
		225	--- a/tests/jpeg/.gitignore
		226	+++ b/tests/jpeg/.gitignore
		227	@@ -3,5 +3,6 @@
		228	/jpeg_empty_file
		229	/jpeg_im2im
		230	/jpeg_null
		231	+/jpeg_ptr_double_free
		232	/jpeg_read
		233	/jpeg_resolution
		234	diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
		235	index 19964b0..a8d8162 100644
		236	--- a/tests/jpeg/CMakeLists.txt
		237	+++ b/tests/jpeg/CMakeLists.txt
		238	@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
		239	LIST(APPEND TESTS_FILES
		240	jpeg_empty_file
		241	jpeg_im2im
		242	+ jpeg_ptr_double_free
		243	jpeg_null
		244	)
		245
		246	diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
		247	index 7e5d317..b89e169 100644
		248	--- a/tests/jpeg/Makemodule.am
		249	+++ b/tests/jpeg/Makemodule.am
		250	@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
		251	libgd_test_programs += \
		252	jpeg/jpeg_empty_file \
		253	jpeg/jpeg_im2im \
		254	- jpeg/jpeg_null
		255	+ jpeg/jpeg_null \
		256	+ jpeg/jpeg_ptr_double_free
		257
		258	if HAVE_LIBPNG
		259	libgd_test_programs += \
		260	diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
		261	new file mode 100644
		262	index 0000000..df5a510
		263	--- /dev/null
		264	+++ b/tests/jpeg/jpeg_ptr_double_free.c
		265	@@ -0,0 +1,31 @@
		266	+/**
		267	+ * Test that failure to convert to JPEG returns NULL
		268	+ *
		269	+ * We are creating an image, set its width to zero, and pass this image to
		270	+ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
		271	+ *
		272	+ * See also <https://github.com/libgd/libgd/issues/381>
		273	+ */
		274	+
		275	+
		276	+#include "gd.h"
		277	+#include "gdtest.h"
		278	+
		279	+
		280	+int main()
		281	+{
		282	+ gdImagePtr src, dst;
		283	+ int size;
		284	+
		285	+ src = gdImageCreateTrueColor(1, 10);
		286	+ gdTestAssert(src != NULL);
		287	+
		288	+ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
		289	+
		290	+ dst = gdImageJpegPtr(src, &size, 0);
		291	+ gdTestAssert(dst == NULL);
		292	+
		293	+ gdImageDestroy(src);
		294	+
		295	+ return gdNumFailures();
		296	+}
		297	--
		298	2.17.1
		299


diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.2.5.bb index c846bda6b..35f9bb251 100644 --- a/meta-oe/recipes-support/gd/gd_2.2.5.bb +++ b/meta-oe/recipes-support/gd/gd_2.2.5.bb
@@ -16,6 +16,7 @@ DEPENDS = "freetype libpng jpeg zlib tiff"
16	SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \	16	SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
17	file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \	17	file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \
18	file://CVE-2018-1000222.patch \	18	file://CVE-2018-1000222.patch \
		19	file://CVE-2019-6978.patch \
19	"	20	"
20		21
21	SRCREV = "8255231b68889597d04d451a72438ab92a405aba"	22	SRCREV = "8255231b68889597d04d451a72438ab92a405aba"