6 files changed, 4 insertions, 581 deletions
diff --git a/meta-oe/recipes-support/gd/gd/0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch b/meta-oe/recipes-support/gd/gd/0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch
deleted file mode 100644
index c377b370e..000000000
--- a/meta-oe/recipes-support/gd/gd/0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 85c7694a5cf34597909bdd1ca6931b0f99904c2e Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Tue, 19 Jun 2018 00:40:49 -0700
-Subject: [PATCH] annotate.c/gdft.c: Replace strncpy with memccpy to fix
- -Wstringop-truncation.
-Fixed for gcc8:
-git/src/gdft.c:1699:2: error: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation]
-Upstream-Status: Submitted [https://github.com/libgd/libgd/pull/442]
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
- src/annotate.c | 2 +-
- src/gdft.c     | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/src/annotate.c b/src/annotate.c
-index 00aaf49..17df813 100644
--- a/src/annotate.c
-+++ b/src/annotate.c
-@@ -104,7 +104,7 @@ int main(int argc, char *argv[])
-                                        fprintf(stderr, "Font maximum length is 1024, %d given\n", font_len);
-                                        goto badLine;
-                                }
-                               strncpy(font, st, font_len);
-+                               memcpy(font, st, font_len);
-                        }
-                } else if(!strcmp(st, "align")) {
-                        char *st = strtok(0, " \t\r\n");
-diff --git a/src/gdft.c b/src/gdft.c
-index 9fa8295..81dbe41 100644
--- a/src/gdft.c
-+++ b/src/gdft.c
-@@ -1696,7 +1696,7 @@ static char * font_path(char **fontpath, char *name_list)
-                gdFree(path);
-                return "could not alloc full list of fonts";
-        }
-       strncpy(fontlist, name_list, name_list_len);
-+       memcpy(fontlist, name_list, name_list_len);
-        fontlist[name_list_len] = 0;
- 
-        /*
-- 
-2.10.2
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
deleted file mode 100644
index 25b5880ff..000000000
--- a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 8f7b60ea7db87de5df76169e3f3918e401ef8bf7 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Wed, 31 Jan 2018 14:50:16 -0500
-Subject: [PATCH] gd/gd2: make sure transparent palette index is within bounds
- #383
-The gd image formats allow for a palette of 256 colors,
-so if the transparent index is out of range, disable it.
-Upstream-Status: Backport
-[https://github.com/libgd/libgd.git commit:0be86e1926939a98afbd2f3a23c673dfc4df2a7c]
-CVE-2017-6363
-Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
---
- src/gd_gd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/src/gd_gd.c b/src/gd_gd.c
-index f8d39cb..5a86fc3 100644
--- a/src/gd_gd.c
-+++ b/src/gd_gd.c
-@@ -54,7 +54,8 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
-                if (!gdGetWord (&im->transparent, in)) {
-                        goto fail1;
-                }
-               if (im->transparent == 257) {
-+               /* Make sure transparent index is within bounds of the palette. */
-+               if (im->transparent >= 256 || im->transparent < 0) {
-                        im->transparent = (-1);
-                }
-        }
-- 
-1.9.1
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2018-1000222.patch b/meta-oe/recipes-support/gd/gd/CVE-2018-1000222.patch
deleted file mode 100644
index 25924d1aa..000000000
--- a/meta-oe/recipes-support/gd/gd/CVE-2018-1000222.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 4b1e18a00ce7c4b7e6919c3b3109a034393b805a Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 14 Jul 2018 13:54:08 -0400
-Subject: [PATCH] bmp: check return value in gdImageBmpPtr
-Closes #447.
-(cherry picked from commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5)
-Upstream-Status: Backport [https://github.com/libgd/libgd/commit/4b1e18a00ce7c4b7e6919c3b3109a034393b805a]
-CVE: CVE-2018-1000222
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
- src/gd_bmp.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-diff --git a/src/gd_bmp.c b/src/gd_bmp.c
-index ccafdcd..d625da1 100644
--- a/src/gd_bmp.c
-+++ b/src/gd_bmp.c
-@@ -48,6 +48,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
- static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
- static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
- 
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
-+
- #define BMP_DEBUG(s)
- 
- static int gdBMPPutWord(gdIOCtx *out, int w)
-@@ -88,8 +90,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
-        void *rv;
-        gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
-        if (out == NULL) return NULL;
-       gdImageBmpCtx(im, out, compression);
-       rv = gdDPExtractData(out, size);
-+       if (!_gdImageBmpCtx(im, out, compression))
-+               rv = gdDPExtractData(out, size);
-+       else
-+               rv = NULL;
-        out->gd_free(out);
-        return rv;
- }
-@@ -142,6 +146,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
-                compression - whether to apply RLE or not.
- */
- BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
-+{
-+       _gdImageBmpCtx(im, out, compression);
-+}
-+
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- {
-        int bitmap_size = 0, info_size, total_size, padding;
-        int i, row, xpos, pixel;
-@@ -149,6 +158,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
-        unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
-        FILE *tmpfile_for_compression = NULL;
-        gdIOCtxPtr out_original = NULL;
-+       int ret = 1;
- 
-        /* No compression if its true colour or we don't support seek */
-        if (im->trueColor) {
-@@ -326,6 +336,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
-                out_original = NULL;
-        }
- 
-+       ret = 0;
- cleanup:
-        if (tmpfile_for_compression) {
- #ifdef _WIN32
-@@ -339,7 +350,7 @@ cleanup:
-        if (out_original) {
-                out_original->gd_free(out_original);
-        }
-       return;
-+       return ret;
- }
- 
- static int compress_row(unsigned char *row, int length)
-- 
-2.17.1
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch b/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch
deleted file mode 100644
index 344f34feb..000000000
--- a/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
-Date: Fri, 20 Dec 2019 12:03:33 -0300
-Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
---
- src/gd.c                          |  9 +--------
- tests/gdimageclone/.gitignore     |  1 +
- tests/gdimageclone/CMakeLists.txt |  1 +
- tests/gdimageclone/Makemodule.am  |  3 ++-
- tests/gdimageclone/style.c        | 30 ++++++++++++++++++++++++++++++
- 5 files changed, 35 insertions(+), 9 deletions(-)
- create mode 100644 tests/gdimageclone/style.c
-diff --git a/src/gd.c b/src/gd.c
-index 592a028..d564d1f 100644
--- a/src/gd.c
-+++ b/src/gd.c
-@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
-                }
-        }
- 
-       if (src->styleLength > 0) {
-               dst->styleLength = src->styleLength;
-               dst->stylePos    = src->stylePos;
-               for (i = 0; i < src->styleLength; i++) {
-                       dst->style[i] = src->style[i];
-               }
-       }
-
-        dst->interlace   = src->interlace;
- 
-        dst->alphaBlendingFlag = src->alphaBlendingFlag;
-@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
- 
-        if (src->style) {
-                gdImageSetStyle(dst, src->style, src->styleLength);
-+               dst->stylePos = src->stylePos;
-        }
- 
-        for (i = 0; i < gdMaxColors; i++) {
-diff --git a/tests/gdimageclone/.gitignore b/tests/gdimageclone/.gitignore
-index a70782d..f4129cc 100644
--- a/tests/gdimageclone/.gitignore
-+++ b/tests/gdimageclone/.gitignore
-@@ -1 +1,2 @@
- /bug00300
-+/style
-diff --git a/tests/gdimageclone/CMakeLists.txt b/tests/gdimageclone/CMakeLists.txt
-index e6ccc31..662f4e9 100644
--- a/tests/gdimageclone/CMakeLists.txt
-+++ b/tests/gdimageclone/CMakeLists.txt
-@@ -1,5 +1,6 @@
- LIST(APPEND TESTS_FILES
-        bug00300
-+       style
- )
- 
- ADD_GD_TESTS()
-diff --git a/tests/gdimageclone/Makemodule.am b/tests/gdimageclone/Makemodule.am
-index 4b1b54c..51abf5c 100644
--- a/tests/gdimageclone/Makemodule.am
-+++ b/tests/gdimageclone/Makemodule.am
-@@ -1,5 +1,6 @@
- libgd_test_programs += \
-       gdimageclone/bug00300
-+       gdimageclone/bug00300 \
-+       gdimageclone/style
- 
- EXTRA_DIST += \
-        gdimageclone/CMakeLists.txt
-diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c
-new file mode 100644
-index 0000000..c2b246e
--- /dev/null
-+++ b/tests/gdimageclone/style.c
-@@ -0,0 +1,30 @@
-+/**
-+ * Cloning an image should exactly reproduce all style related data
-+ */
-+
-+
-+#include <string.h>
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+int main()
-+{
-+    gdImagePtr im, clone;
-+    int style[] = {0, 0, 0};
-+
-+    im = gdImageCreate(8, 8);
-+    gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0]));
-+
-+    clone = gdImageClone(im);
-+    gdTestAssert(clone != NULL);
-+
-+    gdTestAssert(clone->styleLength == im->styleLength);
-+    gdTestAssert(clone->stylePos == im->stylePos);
-+    gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0])));
-+
-+    gdImageDestroy(clone);
-+    gdImageDestroy(im);
-+
-+    return gdNumFailures();
-+}
-- 
-2.20.1
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch b/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch
deleted file mode 100644
index 9beb23e83..000000000
--- a/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch
+++ /dev/null
@@ -1,299 +0,0 @@
-From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Thu, 17 Jan 2019 11:54:55 +0100
-Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
-Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
-must not call `gdDPExtractData()`; otherwise a double-free would
-happen.  Since `gdImage*Ctx()` are void functions, and we can't change
-that for BC reasons, we're introducing static helpers which are used
-internally.
-We're adding a regression test for `gdImageJpegPtr()`, but not for
-`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
-trigger failure of the respective `gdImage*Ctx()` calls.
-This potential security issue has been reported by Solmaz Salimi (aka.
-Rooney).
---
- src/gd_gif_out.c                  | 18 +++++++++++++++---
- src/gd_jpeg.c                     | 20 ++++++++++++++++----
- src/gd_wbmp.c                     | 21 ++++++++++++++++++---
- tests/jpeg/.gitignore             |  1 +
- tests/jpeg/CMakeLists.txt         |  1 +
- tests/jpeg/Makemodule.am          |  3 ++-
- tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
- 7 files changed, 84 insertions(+), 11 deletions(-)
- create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
-Upstream-Status: Backport [https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0]
-CVE: CVE-2019-6978
-Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
-diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
-index 298a581..d5a9534 100644
--- a/src/gd_gif_out.c
-+++ b/src/gd_gif_out.c
-@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
- static void char_out(int c, GifCtx *ctx);
- static void flush_char(GifCtx *ctx);
- 
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
- 
- 
- 
-@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
-        void *rv;
-        gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
-        if (out == NULL) return NULL;
-       gdImageGifCtx(im, out);
-       rv = gdDPExtractData(out, size);
-+       if (!_gdImageGifCtx(im, out)) {
-+               rv = gdDPExtractData(out, size);
-+       } else {
-+               rv = NULL;
-+       }
-        out->gd_free(out);
-        return rv;
- }
-@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
- 
- */
- BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
-+{
-+       _gdImageGifCtx(im, out);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- {
-        gdImagePtr pim = 0, tim = im;
-        int interlace, BitsPerPixel;
-@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
-                based temporary image. */
-                pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
-                if(!pim) {
-                       return;
-+                       return 1;
-                }
-                tim = pim;
-        }
-@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
-                /* Destroy palette based temporary image. */
-                gdImageDestroy( pim);
-        }
-+
-+       return 0;
- }
- 
- 
-diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
-index fc05842..96ef430 100644
--- a/src/gd_jpeg.c
-+++ b/src/gd_jpeg.c
-@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
-        exit(99);
- }
- 
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
-+
- /*
-  * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
-  * QUALITY.  If QUALITY is in the range 0-100, increasing values
-@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
-        void *rv;
-        gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
-        if (out == NULL) return NULL;
-       gdImageJpegCtx(im, out, quality);
-       rv = gdDPExtractData(out, size);
-+       if (!_gdImageJpegCtx(im, out, quality)) {
-+               rv = gdDPExtractData(out, size);
-+       } else {
-+               rv = NULL;
-+       }
-        out->gd_free(out);
-        return rv;
- }
-@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
- 
- */
- BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
-+{
-+       _gdImageJpegCtx(im, outfile, quality);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- {
-        struct jpeg_compress_struct cinfo;
-        struct jpeg_error_mgr jerr;
-@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
-                if(row) {
-                        gdFree(row);
-                }
-               return;
-+               return 1;
-        }
- 
-        cinfo.err->emit_message = jpeg_emit_message;
-@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
-        if(row == 0) {
-                gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
-                jpeg_destroy_compress(&cinfo);
-               return;
-+               return 1;
-        }
- 
-        rowptr[0] = row;
-@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
-        jpeg_finish_compress(&cinfo);
-        jpeg_destroy_compress(&cinfo);
-        gdFree(row);
-+       return 0;
- }
- 
- 
-diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
-index f19a1c9..a49bdbe 100644
--- a/src/gd_wbmp.c
-+++ b/src/gd_wbmp.c
-@@ -88,6 +88,8 @@ int gd_getin(void *in)
-        return (gdGetC((gdIOCtx *)in));
- }
- 
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
-+
- /*
-        Function: gdImageWBMPCtx
- 
-@@ -100,6 +102,12 @@ int gd_getin(void *in)
-                out   - the stream where to write
- */
- BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
-+{
-+       _gdImageWBMPCtx(image, fg, out);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
- {
-        int x, y, pos;
-        Wbmp *wbmp;
-@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
-        /* create the WBMP */
-        if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
-                gd_error("Could not create WBMP\n");
-               return;
-+               return 1;
-        }
- 
-        /* fill up the WBMP structure */
-@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
- 
-        /* write the WBMP to a gd file descriptor */
-        if(writewbmp(wbmp, &gd_putout, out)) {
-+               freewbmp(wbmp);
-                gd_error("Could not save WBMP\n");
-+               return 1;
-        }
- 
-        /* des submitted this bugfix: gdFree the memory. */
-        freewbmp(wbmp);
-+
-+       return 0;
- }
- 
- /*
-@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
-        void *rv;
-        gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
-        if (out == NULL) return NULL;
-       gdImageWBMPCtx(im, fg, out);
-       rv = gdDPExtractData(out, size);
-+       if (!_gdImageWBMPCtx(im, fg, out)) {
-+               rv = gdDPExtractData(out, size);
-+       } else {
-+               rv = NULL;
-+       }
-        out->gd_free(out);
-        return rv;
- }
-diff --git a/tests/jpeg/.gitignore b/tests/jpeg/.gitignore
-index c28aa87..13bcf04 100644
--- a/tests/jpeg/.gitignore
-+++ b/tests/jpeg/.gitignore
-@@ -3,5 +3,6 @@
- /jpeg_empty_file
- /jpeg_im2im
- /jpeg_null
-+/jpeg_ptr_double_free
- /jpeg_read
- /jpeg_resolution
-diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
-index 19964b0..a8d8162 100644
--- a/tests/jpeg/CMakeLists.txt
-+++ b/tests/jpeg/CMakeLists.txt
-@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
- LIST(APPEND TESTS_FILES
-        jpeg_empty_file
-        jpeg_im2im
-+       jpeg_ptr_double_free
-        jpeg_null
- )
- 
-diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
-index 7e5d317..b89e169 100644
--- a/tests/jpeg/Makemodule.am
-+++ b/tests/jpeg/Makemodule.am
-@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
- libgd_test_programs += \
-        jpeg/jpeg_empty_file \
-        jpeg/jpeg_im2im \
-       jpeg/jpeg_null
-+       jpeg/jpeg_null \
-+       jpeg/jpeg_ptr_double_free
- 
- if HAVE_LIBPNG
- libgd_test_programs += \
-diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
-new file mode 100644
-index 0000000..df5a510
--- /dev/null
-+++ b/tests/jpeg/jpeg_ptr_double_free.c
-@@ -0,0 +1,31 @@
-+/**
-+ * Test that failure to convert to JPEG returns NULL
-+ *
-+ * We are creating an image, set its width to zero, and pass this image to
-+ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
-+ *
-+ * See also <https://github.com/libgd/libgd/issues/381>
-+ */
-+
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+int main()
-+{
-+    gdImagePtr src, dst;
-+    int size;
-+
-+    src = gdImageCreateTrueColor(1, 10);
-+    gdTestAssert(src != NULL);
-+
-+    src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
-+
-+    dst = gdImageJpegPtr(src, &size, 0);
-+    gdTestAssert(dst == NULL);
-+
-+    gdImageDestroy(src);
-+
-+    return gdNumFailures();
-+}
-- 
-2.17.1
diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.3.0.bb
index a665de4bf..eec8a05ae 100644
--- a/meta-oe/recipes-support/gd/gd_2.2.5.bb
+++ b/meta-oe/recipes-support/gd/gd_2.3.0.bb
@@ -5,23 +5,18 @@ images, and flood fills, and to write out the result as a PNG or JPEG file. \
 This is particularly useful in Web applications, where PNG and JPEG are two \
 of the formats accepted for inline images by most browsers. Note that gd is not \
 a paint program."
-HOMEPAGE = "http://libgd.bitbucket.org/"
+HOMEPAGE = "http://libgd.github.io/"
 SECTION = "libs"
 LICENSE = "GD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=07384b3aa2e0d39afca0d6c40286f545"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8e5bc8627b9494741c905d65238c66b7"
 DEPENDS = "freetype libpng jpeg zlib tiff"
-SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
+SRC_URI = "git://github.com/libgd/libgd.git;branch=master \
-           file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \
-           file://CVE-2018-1000222.patch \
-           file://CVE-2019-6978.patch \
-           file://CVE-2017-6363.patch \
-           file://CVE-2018-14553.patch \
          "
-SRCREV = "8255231b68889597d04d451a72438ab92a405aba"
+SRCREV = "b079fa06223c3ab862c8f0eea58a968727971988"
 S = "${WORKDIR}/git"

diff --git a/meta-oe/recipes-support/gd/gd/0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch b/meta-oe/recipes-support/gd/gd/0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch deleted file mode 100644 index c377b370e..000000000 --- a/meta-oe/recipes-support/gd/gd/0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch +++ /dev/null
@@ -1,46 +0,0 @@
1	From 85c7694a5cf34597909bdd1ca6931b0f99904c2e Mon Sep 17 00:00:00 2001
2	From: Robert Yang <liezhi.yang@windriver.com>
3	Date: Tue, 19 Jun 2018 00:40:49 -0700
4	Subject: [PATCH] annotate.c/gdft.c: Replace strncpy with memccpy to fix
5	-Wstringop-truncation.
6
7	Fixed for gcc8:
8	git/src/gdft.c:1699:2: error: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation]
9
10	Upstream-Status: Submitted [https://github.com/libgd/libgd/pull/442]
11
12	Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
13	---
14	src/annotate.c \| 2 +-
15	src/gdft.c \| 2 +-
16	2 files changed, 2 insertions(+), 2 deletions(-)
17
18	diff --git a/src/annotate.c b/src/annotate.c
19	index 00aaf49..17df813 100644
20	--- a/src/annotate.c
21	+++ b/src/annotate.c
22	@@ -104,7 +104,7 @@ int main(int argc, char *argv[])
23	fprintf(stderr, "Font maximum length is 1024, %d given\n", font_len);
24	goto badLine;
25	}
26	- strncpy(font, st, font_len);
27	+ memcpy(font, st, font_len);
28	}
29	} else if(!strcmp(st, "align")) {
30	char *st = strtok(0, " \t\r\n");
31	diff --git a/src/gdft.c b/src/gdft.c
32	index 9fa8295..81dbe41 100644
33	--- a/src/gdft.c
34	+++ b/src/gdft.c
35	@@ -1696,7 +1696,7 @@ static char * font_path(char *fontpath, char name_list)
36	gdFree(path);
37	return "could not alloc full list of fonts";
38	}
39	- strncpy(fontlist, name_list, name_list_len);
40	+ memcpy(fontlist, name_list, name_list_len);
41	fontlist[name_list_len] = 0;
42
43	/*
44	--
45	2.10.2
46


diff --git a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch deleted file mode 100644 index 25b5880ff..000000000 --- a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch +++ /dev/null
@@ -1,35 +0,0 @@
1	From 8f7b60ea7db87de5df76169e3f3918e401ef8bf7 Mon Sep 17 00:00:00 2001
2	From: Mike Frysinger <vapier@gentoo.org>
3	Date: Wed, 31 Jan 2018 14:50:16 -0500
4	Subject: [PATCH] gd/gd2: make sure transparent palette index is within bounds
5	#383
6
7	The gd image formats allow for a palette of 256 colors,
8	so if the transparent index is out of range, disable it.
9
10	Upstream-Status: Backport
11	[https://github.com/libgd/libgd.git commit:0be86e1926939a98afbd2f3a23c673dfc4df2a7c]
12	CVE-2017-6363
13
14	Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
15	---
16	src/gd_gd.c \| 3 ++-
17	1 file changed, 2 insertions(+), 1 deletion(-)
18
19	diff --git a/src/gd_gd.c b/src/gd_gd.c
20	index f8d39cb..5a86fc3 100644
21	--- a/src/gd_gd.c
22	+++ b/src/gd_gd.c
23	@@ -54,7 +54,8 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
24	if (!gdGetWord (&im->transparent, in)) {
25	goto fail1;
26	}
27	- if (im->transparent == 257) {
28	+ /* Make sure transparent index is within bounds of the palette. */
29	+ if (im->transparent >= 256 \|\| im->transparent < 0) {
30	im->transparent = (-1);
31	}
32	}
33	--
34	1.9.1
35


diff --git a/meta-oe/recipes-support/gd/gd/CVE-2018-1000222.patch b/meta-oe/recipes-support/gd/gd/CVE-2018-1000222.patch deleted file mode 100644 index 25924d1aa..000000000 --- a/meta-oe/recipes-support/gd/gd/CVE-2018-1000222.patch +++ /dev/null
@@ -1,82 +0,0 @@
1	From 4b1e18a00ce7c4b7e6919c3b3109a034393b805a Mon Sep 17 00:00:00 2001
2	From: Mike Frysinger <vapier@gentoo.org>
3	Date: Sat, 14 Jul 2018 13:54:08 -0400
4	Subject: [PATCH] bmp: check return value in gdImageBmpPtr
5
6	Closes #447.
7
8	(cherry picked from commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5)
9
10	Upstream-Status: Backport [https://github.com/libgd/libgd/commit/4b1e18a00ce7c4b7e6919c3b3109a034393b805a]
11	CVE: CVE-2018-1000222
12	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
13	---
14	src/gd_bmp.c \| 17 ++++++++++++++---
15	1 file changed, 14 insertions(+), 3 deletions(-)
16
17	diff --git a/src/gd_bmp.c b/src/gd_bmp.c
18	index ccafdcd..d625da1 100644
19	--- a/src/gd_bmp.c
20	+++ b/src/gd_bmp.c
21	@@ -48,6 +48,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
22	static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t info, bmp_hdr_t header);
23	static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
24
25	+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
26	+
27	#define BMP_DEBUG(s)
28
29	static int gdBMPPutWord(gdIOCtx *out, int w)
30	@@ -88,8 +90,10 @@ BGD_DECLARE(void ) gdImageBmpPtr(gdImagePtr im, int size, int compression)
31	void *rv;
32	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
33	if (out == NULL) return NULL;
34	- gdImageBmpCtx(im, out, compression);
35	- rv = gdDPExtractData(out, size);
36	+ if (!_gdImageBmpCtx(im, out, compression))
37	+ rv = gdDPExtractData(out, size);
38	+ else
39	+ rv = NULL;
40	out->gd_free(out);
41	return rv;
42	}
43	@@ -142,6 +146,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
44	compression - whether to apply RLE or not.
45	*/
46	BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
47	+{
48	+ _gdImageBmpCtx(im, out, compression);
49	+}
50	+
51	+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
52	{
53	int bitmap_size = 0, info_size, total_size, padding;
54	int i, row, xpos, pixel;
55	@@ -149,6 +158,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
56	unsigned char uncompressed_row = NULL, uncompressed_row_start = NULL;
57	FILE *tmpfile_for_compression = NULL;
58	gdIOCtxPtr out_original = NULL;
59	+ int ret = 1;
60
61	/* No compression if its true colour or we don't support seek */
62	if (im->trueColor) {
63	@@ -326,6 +336,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
64	out_original = NULL;
65	}
66
67	+ ret = 0;
68	cleanup:
69	if (tmpfile_for_compression) {
70	#ifdef _WIN32
71	@@ -339,7 +350,7 @@ cleanup:
72	if (out_original) {
73	out_original->gd_free(out_original);
74	}
75	- return;
76	+ return ret;
77	}
78
79	static int compress_row(unsigned char *row, int length)
80	--
81	2.17.1
82


diff --git a/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch b/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch deleted file mode 100644 index 344f34feb..000000000 --- a/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch +++ /dev/null
@@ -1,110 +0,0 @@
1	From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
3	Date: Fri, 20 Dec 2019 12:03:33 -0300
4	Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
5
6	---
7	src/gd.c \| 9 +--------
8	tests/gdimageclone/.gitignore \| 1 +
9	tests/gdimageclone/CMakeLists.txt \| 1 +
10	tests/gdimageclone/Makemodule.am \| 3 ++-
11	tests/gdimageclone/style.c \| 30 ++++++++++++++++++++++++++++++
12	5 files changed, 35 insertions(+), 9 deletions(-)
13	create mode 100644 tests/gdimageclone/style.c
14
15	diff --git a/src/gd.c b/src/gd.c
16	index 592a028..d564d1f 100644
17	--- a/src/gd.c
18	+++ b/src/gd.c
19	@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
20	}
21	}
22
23	- if (src->styleLength > 0) {
24	- dst->styleLength = src->styleLength;
25	- dst->stylePos = src->stylePos;
26	- for (i = 0; i < src->styleLength; i++) {
27	- dst->style[i] = src->style[i];
28	- }
29	- }
30	-
31	dst->interlace = src->interlace;
32
33	dst->alphaBlendingFlag = src->alphaBlendingFlag;
34	@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
35
36	if (src->style) {
37	gdImageSetStyle(dst, src->style, src->styleLength);
38	+ dst->stylePos = src->stylePos;
39	}
40
41	for (i = 0; i < gdMaxColors; i++) {
42	diff --git a/tests/gdimageclone/.gitignore b/tests/gdimageclone/.gitignore
43	index a70782d..f4129cc 100644
44	--- a/tests/gdimageclone/.gitignore
45	+++ b/tests/gdimageclone/.gitignore
46	@@ -1 +1,2 @@
47	/bug00300
48	+/style
49	diff --git a/tests/gdimageclone/CMakeLists.txt b/tests/gdimageclone/CMakeLists.txt
50	index e6ccc31..662f4e9 100644
51	--- a/tests/gdimageclone/CMakeLists.txt
52	+++ b/tests/gdimageclone/CMakeLists.txt
53	@@ -1,5 +1,6 @@
54	LIST(APPEND TESTS_FILES
55	bug00300
56	+ style
57	)
58
59	ADD_GD_TESTS()
60	diff --git a/tests/gdimageclone/Makemodule.am b/tests/gdimageclone/Makemodule.am
61	index 4b1b54c..51abf5c 100644
62	--- a/tests/gdimageclone/Makemodule.am
63	+++ b/tests/gdimageclone/Makemodule.am
64	@@ -1,5 +1,6 @@
65	libgd_test_programs += \
66	- gdimageclone/bug00300
67	+ gdimageclone/bug00300 \
68	+ gdimageclone/style
69
70	EXTRA_DIST += \
71	gdimageclone/CMakeLists.txt
72	diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c
73	new file mode 100644
74	index 0000000..c2b246e
75	--- /dev/null
76	+++ b/tests/gdimageclone/style.c
77	@@ -0,0 +1,30 @@
78	+/**
79	+ * Cloning an image should exactly reproduce all style related data
80	+ */
81	+
82	+
83	+#include <string.h>
84	+#include "gd.h"
85	+#include "gdtest.h"
86	+
87	+
88	+int main()
89	+{
90	+ gdImagePtr im, clone;
91	+ int style[] = {0, 0, 0};
92	+
93	+ im = gdImageCreate(8, 8);
94	+ gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0]));
95	+
96	+ clone = gdImageClone(im);
97	+ gdTestAssert(clone != NULL);
98	+
99	+ gdTestAssert(clone->styleLength == im->styleLength);
100	+ gdTestAssert(clone->stylePos == im->stylePos);
101	+ gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0])));
102	+
103	+ gdImageDestroy(clone);
104	+ gdImageDestroy(im);
105	+
106	+ return gdNumFailures();
107	+}
108	--
109	2.20.1
110


diff --git a/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch b/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch deleted file mode 100644 index 9beb23e83..000000000 --- a/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch +++ /dev/null
@@ -1,299 +0,0 @@
1	From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
2	From: "Christoph M. Becker" <cmbecker69@gmx.de>
3	Date: Thu, 17 Jan 2019 11:54:55 +0100
4	Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
5
6	Whenever `gdImagePtr()` calls `gdImageCtx()` and the latter fails, we
7	must not call `gdDPExtractData()`; otherwise a double-free would
8	happen. Since `gdImage*Ctx()` are void functions, and we can't change
9	that for BC reasons, we're introducing static helpers which are used
10	internally.
11
12	We're adding a regression test for `gdImageJpegPtr()`, but not for
13	`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
14	trigger failure of the respective `gdImage*Ctx()` calls.
15
16	This potential security issue has been reported by Solmaz Salimi (aka.
17	Rooney).
18	---
19	src/gd_gif_out.c \| 18 +++++++++++++++---
20	src/gd_jpeg.c \| 20 ++++++++++++++++----
21	src/gd_wbmp.c \| 21 ++++++++++++++++++---
22	tests/jpeg/.gitignore \| 1 +
23	tests/jpeg/CMakeLists.txt \| 1 +
24	tests/jpeg/Makemodule.am \| 3 ++-
25	tests/jpeg/jpeg_ptr_double_free.c \| 31 +++++++++++++++++++++++++++++++
26	7 files changed, 84 insertions(+), 11 deletions(-)
27	create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
28
29	Upstream-Status: Backport [https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0]
30	CVE: CVE-2019-6978
31
32	Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
33
34
35	diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
36	index 298a581..d5a9534 100644
37	--- a/src/gd_gif_out.c
38	+++ b/src/gd_gif_out.c
39	@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
40	static void char_out(int c, GifCtx *ctx);
41	static void flush_char(GifCtx *ctx);
42
43	+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
44
45
46
47	@@ -131,8 +132,11 @@ BGD_DECLARE(void ) gdImageGifPtr(gdImagePtr im, int size)
48	void *rv;
49	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
50	if (out == NULL) return NULL;
51	- gdImageGifCtx(im, out);
52	- rv = gdDPExtractData(out, size);
53	+ if (!_gdImageGifCtx(im, out)) {
54	+ rv = gdDPExtractData(out, size);
55	+ } else {
56	+ rv = NULL;
57	+ }
58	out->gd_free(out);
59	return rv;
60	}
61	@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
62
63	*/
64	BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
65	+{
66	+ _gdImageGifCtx(im, out);
67	+}
68	+
69	+/* returns 0 on success, 1 on failure */
70	+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
71	{
72	gdImagePtr pim = 0, tim = im;
73	int interlace, BitsPerPixel;
74	@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
75	based temporary image. */
76	pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
77	if(!pim) {
78	- return;
79	+ return 1;
80	}
81	tim = pim;
82	}
83	@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
84	/* Destroy palette based temporary image. */
85	gdImageDestroy( pim);
86	}
87	+
88	+ return 0;
89	}
90
91
92	diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
93	index fc05842..96ef430 100644
94	--- a/src/gd_jpeg.c
95	+++ b/src/gd_jpeg.c
96	@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
97	exit(99);
98	}
99
100	+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
101	+
102	/*
103	* Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
104	* QUALITY. If QUALITY is in the range 0-100, increasing values
105	@@ -231,8 +233,11 @@ BGD_DECLARE(void ) gdImageJpegPtr(gdImagePtr im, int size, int quality)
106	void *rv;
107	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
108	if (out == NULL) return NULL;
109	- gdImageJpegCtx(im, out, quality);
110	- rv = gdDPExtractData(out, size);
111	+ if (!_gdImageJpegCtx(im, out, quality)) {
112	+ rv = gdDPExtractData(out, size);
113	+ } else {
114	+ rv = NULL;
115	+ }
116	out->gd_free(out);
117	return rv;
118	}
119	@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
120
121	*/
122	BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
123	+{
124	+ _gdImageJpegCtx(im, outfile, quality);
125	+}
126	+
127	+/* returns 0 on success, 1 on failure */
128	+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
129	{
130	struct jpeg_compress_struct cinfo;
131	struct jpeg_error_mgr jerr;
132	@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
133	if(row) {
134	gdFree(row);
135	}
136	- return;
137	+ return 1;
138	}
139
140	cinfo.err->emit_message = jpeg_emit_message;
141	@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
142	if(row == 0) {
143	gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
144	jpeg_destroy_compress(&cinfo);
145	- return;
146	+ return 1;
147	}
148
149	rowptr[0] = row;
150	@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
151	jpeg_finish_compress(&cinfo);
152	jpeg_destroy_compress(&cinfo);
153	gdFree(row);
154	+ return 0;
155	}
156
157
158	diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
159	index f19a1c9..a49bdbe 100644
160	--- a/src/gd_wbmp.c
161	+++ b/src/gd_wbmp.c
162	@@ -88,6 +88,8 @@ int gd_getin(void *in)
163	return (gdGetC((gdIOCtx *)in));
164	}
165
166	+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
167	+
168	/*
169	Function: gdImageWBMPCtx
170
171	@@ -100,6 +102,12 @@ int gd_getin(void *in)
172	out - the stream where to write
173	*/
174	BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
175	+{
176	+ _gdImageWBMPCtx(image, fg, out);
177	+}
178	+
179	+/* returns 0 on success, 1 on failure */
180	+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
181	{
182	int x, y, pos;
183	Wbmp *wbmp;
184	@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
185	/* create the WBMP */
186	if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
187	gd_error("Could not create WBMP\n");
188	- return;
189	+ return 1;
190	}
191
192	/* fill up the WBMP structure */
193	@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
194
195	/* write the WBMP to a gd file descriptor */
196	if(writewbmp(wbmp, &gd_putout, out)) {
197	+ freewbmp(wbmp);
198	gd_error("Could not save WBMP\n");
199	+ return 1;
200	}
201
202	/* des submitted this bugfix: gdFree the memory. */
203	freewbmp(wbmp);
204	+
205	+ return 0;
206	}
207
208	/*
209	@@ -271,8 +283,11 @@ BGD_DECLARE(void ) gdImageWBMPPtr(gdImagePtr im, int size, int fg)
210	void *rv;
211	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
212	if (out == NULL) return NULL;
213	- gdImageWBMPCtx(im, fg, out);
214	- rv = gdDPExtractData(out, size);
215	+ if (!_gdImageWBMPCtx(im, fg, out)) {
216	+ rv = gdDPExtractData(out, size);
217	+ } else {
218	+ rv = NULL;
219	+ }
220	out->gd_free(out);
221	return rv;
222	}
223	diff --git a/tests/jpeg/.gitignore b/tests/jpeg/.gitignore
224	index c28aa87..13bcf04 100644
225	--- a/tests/jpeg/.gitignore
226	+++ b/tests/jpeg/.gitignore
227	@@ -3,5 +3,6 @@
228	/jpeg_empty_file
229	/jpeg_im2im
230	/jpeg_null
231	+/jpeg_ptr_double_free
232	/jpeg_read
233	/jpeg_resolution
234	diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
235	index 19964b0..a8d8162 100644
236	--- a/tests/jpeg/CMakeLists.txt
237	+++ b/tests/jpeg/CMakeLists.txt
238	@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
239	LIST(APPEND TESTS_FILES
240	jpeg_empty_file
241	jpeg_im2im
242	+ jpeg_ptr_double_free
243	jpeg_null
244	)
245
246	diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
247	index 7e5d317..b89e169 100644
248	--- a/tests/jpeg/Makemodule.am
249	+++ b/tests/jpeg/Makemodule.am
250	@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
251	libgd_test_programs += \
252	jpeg/jpeg_empty_file \
253	jpeg/jpeg_im2im \
254	- jpeg/jpeg_null
255	+ jpeg/jpeg_null \
256	+ jpeg/jpeg_ptr_double_free
257
258	if HAVE_LIBPNG
259	libgd_test_programs += \
260	diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
261	new file mode 100644
262	index 0000000..df5a510
263	--- /dev/null
264	+++ b/tests/jpeg/jpeg_ptr_double_free.c
265	@@ -0,0 +1,31 @@
266	+/**
267	+ * Test that failure to convert to JPEG returns NULL
268	+ *
269	+ * We are creating an image, set its width to zero, and pass this image to
270	+ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
271	+ *
272	+ * See also <https://github.com/libgd/libgd/issues/381>
273	+ */
274	+
275	+
276	+#include "gd.h"
277	+#include "gdtest.h"
278	+
279	+
280	+int main()
281	+{
282	+ gdImagePtr src, dst;
283	+ int size;
284	+
285	+ src = gdImageCreateTrueColor(1, 10);
286	+ gdTestAssert(src != NULL);
287	+
288	+ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
289	+
290	+ dst = gdImageJpegPtr(src, &size, 0);
291	+ gdTestAssert(dst == NULL);
292	+
293	+ gdImageDestroy(src);
294	+
295	+ return gdNumFailures();
296	+}
297	--
298	2.17.1
299


diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.3.0.bb index a665de4bf..eec8a05ae 100644 --- a/meta-oe/recipes-support/gd/gd_2.2.5.bb +++ b/meta-oe/recipes-support/gd/gd_2.3.0.bb
@@ -5,23 +5,18 @@ images, and flood fills, and to write out the result as a PNG or JPEG file. \
5	This is particularly useful in Web applications, where PNG and JPEG are two \	5	This is particularly useful in Web applications, where PNG and JPEG are two \
6	of the formats accepted for inline images by most browsers. Note that gd is not \	6	of the formats accepted for inline images by most browsers. Note that gd is not \
7	a paint program."	7	a paint program."
8	HOMEPAGE = "http://libgd.bitbucket.org/"	8	HOMEPAGE = "http://libgd.github.io/"
9		9
10	SECTION = "libs"	10	SECTION = "libs"
11	LICENSE = "GD"	11	LICENSE = "GD"
12	LIC_FILES_CHKSUM = "file://COPYING;md5=07384b3aa2e0d39afca0d6c40286f545"	12	LIC_FILES_CHKSUM = "file://COPYING;md5=8e5bc8627b9494741c905d65238c66b7"
13		13
14	DEPENDS = "freetype libpng jpeg zlib tiff"	14	DEPENDS = "freetype libpng jpeg zlib tiff"
15		15
16	SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \	16	SRC_URI = "git://github.com/libgd/libgd.git;branch=master \
17	file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \
18	file://CVE-2018-1000222.patch \
19	file://CVE-2019-6978.patch \
20	file://CVE-2017-6363.patch \
21	file://CVE-2018-14553.patch \
22	"	17	"
23		18
24	SRCREV = "8255231b68889597d04d451a72438ab92a405aba"	19	SRCREV = "b079fa06223c3ab862c8f0eea58a968727971988"
25		20
26	S = "${WORKDIR}/git"	21	S = "${WORKDIR}/git"
27		22