summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-oe/recipes-support/gd/gd/0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch46
-rw-r--r--meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch35
-rw-r--r--meta-oe/recipes-support/gd/gd/CVE-2018-1000222.patch82
-rw-r--r--meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch110
-rw-r--r--meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch299
-rw-r--r--meta-oe/recipes-support/gd/gd_2.3.0.bb (renamed from meta-oe/recipes-support/gd/gd_2.2.5.bb)13
6 files changed, 4 insertions, 581 deletions
diff --git a/meta-oe/recipes-support/gd/gd/0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch b/meta-oe/recipes-support/gd/gd/0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch
deleted file mode 100644
index c377b370e..000000000
--- a/meta-oe/recipes-support/gd/gd/0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From 85c7694a5cf34597909bdd1ca6931b0f99904c2e Mon Sep 17 00:00:00 2001
2From: Robert Yang <liezhi.yang@windriver.com>
3Date: Tue, 19 Jun 2018 00:40:49 -0700
4Subject: [PATCH] annotate.c/gdft.c: Replace strncpy with memccpy to fix
5 -Wstringop-truncation.
6
7Fixed for gcc8:
8git/src/gdft.c:1699:2: error: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation]
9
10Upstream-Status: Submitted [https://github.com/libgd/libgd/pull/442]
11
12Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
13---
14 src/annotate.c | 2 +-
15 src/gdft.c | 2 +-
16 2 files changed, 2 insertions(+), 2 deletions(-)
17
18diff --git a/src/annotate.c b/src/annotate.c
19index 00aaf49..17df813 100644
20--- a/src/annotate.c
21+++ b/src/annotate.c
22@@ -104,7 +104,7 @@ int main(int argc, char *argv[])
23 fprintf(stderr, "Font maximum length is 1024, %d given\n", font_len);
24 goto badLine;
25 }
26- strncpy(font, st, font_len);
27+ memcpy(font, st, font_len);
28 }
29 } else if(!strcmp(st, "align")) {
30 char *st = strtok(0, " \t\r\n");
31diff --git a/src/gdft.c b/src/gdft.c
32index 9fa8295..81dbe41 100644
33--- a/src/gdft.c
34+++ b/src/gdft.c
35@@ -1696,7 +1696,7 @@ static char * font_path(char **fontpath, char *name_list)
36 gdFree(path);
37 return "could not alloc full list of fonts";
38 }
39- strncpy(fontlist, name_list, name_list_len);
40+ memcpy(fontlist, name_list, name_list_len);
41 fontlist[name_list_len] = 0;
42
43 /*
44--
452.10.2
46
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
deleted file mode 100644
index 25b5880ff..000000000
--- a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
+++ /dev/null
@@ -1,35 +0,0 @@
1From 8f7b60ea7db87de5df76169e3f3918e401ef8bf7 Mon Sep 17 00:00:00 2001
2From: Mike Frysinger <vapier@gentoo.org>
3Date: Wed, 31 Jan 2018 14:50:16 -0500
4Subject: [PATCH] gd/gd2: make sure transparent palette index is within bounds
5 #383
6
7The gd image formats allow for a palette of 256 colors,
8so if the transparent index is out of range, disable it.
9
10Upstream-Status: Backport
11[https://github.com/libgd/libgd.git commit:0be86e1926939a98afbd2f3a23c673dfc4df2a7c]
12CVE-2017-6363
13
14Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
15---
16 src/gd_gd.c | 3 ++-
17 1 file changed, 2 insertions(+), 1 deletion(-)
18
19diff --git a/src/gd_gd.c b/src/gd_gd.c
20index f8d39cb..5a86fc3 100644
21--- a/src/gd_gd.c
22+++ b/src/gd_gd.c
23@@ -54,7 +54,8 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
24 if (!gdGetWord (&im->transparent, in)) {
25 goto fail1;
26 }
27- if (im->transparent == 257) {
28+ /* Make sure transparent index is within bounds of the palette. */
29+ if (im->transparent >= 256 || im->transparent < 0) {
30 im->transparent = (-1);
31 }
32 }
33--
341.9.1
35
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2018-1000222.patch b/meta-oe/recipes-support/gd/gd/CVE-2018-1000222.patch
deleted file mode 100644
index 25924d1aa..000000000
--- a/meta-oe/recipes-support/gd/gd/CVE-2018-1000222.patch
+++ /dev/null
@@ -1,82 +0,0 @@
1From 4b1e18a00ce7c4b7e6919c3b3109a034393b805a Mon Sep 17 00:00:00 2001
2From: Mike Frysinger <vapier@gentoo.org>
3Date: Sat, 14 Jul 2018 13:54:08 -0400
4Subject: [PATCH] bmp: check return value in gdImageBmpPtr
5
6Closes #447.
7
8(cherry picked from commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5)
9
10Upstream-Status: Backport [https://github.com/libgd/libgd/commit/4b1e18a00ce7c4b7e6919c3b3109a034393b805a]
11CVE: CVE-2018-1000222
12Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
13---
14 src/gd_bmp.c | 17 ++++++++++++++---
15 1 file changed, 14 insertions(+), 3 deletions(-)
16
17diff --git a/src/gd_bmp.c b/src/gd_bmp.c
18index ccafdcd..d625da1 100644
19--- a/src/gd_bmp.c
20+++ b/src/gd_bmp.c
21@@ -48,6 +48,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
22 static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
23 static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
24
25+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
26+
27 #define BMP_DEBUG(s)
28
29 static int gdBMPPutWord(gdIOCtx *out, int w)
30@@ -88,8 +90,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
31 void *rv;
32 gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
33 if (out == NULL) return NULL;
34- gdImageBmpCtx(im, out, compression);
35- rv = gdDPExtractData(out, size);
36+ if (!_gdImageBmpCtx(im, out, compression))
37+ rv = gdDPExtractData(out, size);
38+ else
39+ rv = NULL;
40 out->gd_free(out);
41 return rv;
42 }
43@@ -142,6 +146,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
44 compression - whether to apply RLE or not.
45 */
46 BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
47+{
48+ _gdImageBmpCtx(im, out, compression);
49+}
50+
51+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
52 {
53 int bitmap_size = 0, info_size, total_size, padding;
54 int i, row, xpos, pixel;
55@@ -149,6 +158,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
56 unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
57 FILE *tmpfile_for_compression = NULL;
58 gdIOCtxPtr out_original = NULL;
59+ int ret = 1;
60
61 /* No compression if its true colour or we don't support seek */
62 if (im->trueColor) {
63@@ -326,6 +336,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
64 out_original = NULL;
65 }
66
67+ ret = 0;
68 cleanup:
69 if (tmpfile_for_compression) {
70 #ifdef _WIN32
71@@ -339,7 +350,7 @@ cleanup:
72 if (out_original) {
73 out_original->gd_free(out_original);
74 }
75- return;
76+ return ret;
77 }
78
79 static int compress_row(unsigned char *row, int length)
80--
812.17.1
82
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch b/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch
deleted file mode 100644
index 344f34feb..000000000
--- a/meta-oe/recipes-support/gd/gd/CVE-2018-14553.patch
+++ /dev/null
@@ -1,110 +0,0 @@
1From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
3Date: Fri, 20 Dec 2019 12:03:33 -0300
4Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
5
6---
7 src/gd.c | 9 +--------
8 tests/gdimageclone/.gitignore | 1 +
9 tests/gdimageclone/CMakeLists.txt | 1 +
10 tests/gdimageclone/Makemodule.am | 3 ++-
11 tests/gdimageclone/style.c | 30 ++++++++++++++++++++++++++++++
12 5 files changed, 35 insertions(+), 9 deletions(-)
13 create mode 100644 tests/gdimageclone/style.c
14
15diff --git a/src/gd.c b/src/gd.c
16index 592a028..d564d1f 100644
17--- a/src/gd.c
18+++ b/src/gd.c
19@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
20 }
21 }
22
23- if (src->styleLength > 0) {
24- dst->styleLength = src->styleLength;
25- dst->stylePos = src->stylePos;
26- for (i = 0; i < src->styleLength; i++) {
27- dst->style[i] = src->style[i];
28- }
29- }
30-
31 dst->interlace = src->interlace;
32
33 dst->alphaBlendingFlag = src->alphaBlendingFlag;
34@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
35
36 if (src->style) {
37 gdImageSetStyle(dst, src->style, src->styleLength);
38+ dst->stylePos = src->stylePos;
39 }
40
41 for (i = 0; i < gdMaxColors; i++) {
42diff --git a/tests/gdimageclone/.gitignore b/tests/gdimageclone/.gitignore
43index a70782d..f4129cc 100644
44--- a/tests/gdimageclone/.gitignore
45+++ b/tests/gdimageclone/.gitignore
46@@ -1 +1,2 @@
47 /bug00300
48+/style
49diff --git a/tests/gdimageclone/CMakeLists.txt b/tests/gdimageclone/CMakeLists.txt
50index e6ccc31..662f4e9 100644
51--- a/tests/gdimageclone/CMakeLists.txt
52+++ b/tests/gdimageclone/CMakeLists.txt
53@@ -1,5 +1,6 @@
54 LIST(APPEND TESTS_FILES
55 bug00300
56+ style
57 )
58
59 ADD_GD_TESTS()
60diff --git a/tests/gdimageclone/Makemodule.am b/tests/gdimageclone/Makemodule.am
61index 4b1b54c..51abf5c 100644
62--- a/tests/gdimageclone/Makemodule.am
63+++ b/tests/gdimageclone/Makemodule.am
64@@ -1,5 +1,6 @@
65 libgd_test_programs += \
66- gdimageclone/bug00300
67+ gdimageclone/bug00300 \
68+ gdimageclone/style
69
70 EXTRA_DIST += \
71 gdimageclone/CMakeLists.txt
72diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c
73new file mode 100644
74index 0000000..c2b246e
75--- /dev/null
76+++ b/tests/gdimageclone/style.c
77@@ -0,0 +1,30 @@
78+/**
79+ * Cloning an image should exactly reproduce all style related data
80+ */
81+
82+
83+#include <string.h>
84+#include "gd.h"
85+#include "gdtest.h"
86+
87+
88+int main()
89+{
90+ gdImagePtr im, clone;
91+ int style[] = {0, 0, 0};
92+
93+ im = gdImageCreate(8, 8);
94+ gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0]));
95+
96+ clone = gdImageClone(im);
97+ gdTestAssert(clone != NULL);
98+
99+ gdTestAssert(clone->styleLength == im->styleLength);
100+ gdTestAssert(clone->stylePos == im->stylePos);
101+ gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0])));
102+
103+ gdImageDestroy(clone);
104+ gdImageDestroy(im);
105+
106+ return gdNumFailures();
107+}
108--
1092.20.1
110
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch b/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch
deleted file mode 100644
index 9beb23e83..000000000
--- a/meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch
+++ /dev/null
@@ -1,299 +0,0 @@
1From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
2From: "Christoph M. Becker" <cmbecker69@gmx.de>
3Date: Thu, 17 Jan 2019 11:54:55 +0100
4Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
5
6Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
7must not call `gdDPExtractData()`; otherwise a double-free would
8happen. Since `gdImage*Ctx()` are void functions, and we can't change
9that for BC reasons, we're introducing static helpers which are used
10internally.
11
12We're adding a regression test for `gdImageJpegPtr()`, but not for
13`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
14trigger failure of the respective `gdImage*Ctx()` calls.
15
16This potential security issue has been reported by Solmaz Salimi (aka.
17Rooney).
18---
19 src/gd_gif_out.c | 18 +++++++++++++++---
20 src/gd_jpeg.c | 20 ++++++++++++++++----
21 src/gd_wbmp.c | 21 ++++++++++++++++++---
22 tests/jpeg/.gitignore | 1 +
23 tests/jpeg/CMakeLists.txt | 1 +
24 tests/jpeg/Makemodule.am | 3 ++-
25 tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
26 7 files changed, 84 insertions(+), 11 deletions(-)
27 create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
28
29Upstream-Status: Backport [https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0]
30CVE: CVE-2019-6978
31
32Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
33
34
35diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
36index 298a581..d5a9534 100644
37--- a/src/gd_gif_out.c
38+++ b/src/gd_gif_out.c
39@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
40 static void char_out(int c, GifCtx *ctx);
41 static void flush_char(GifCtx *ctx);
42
43+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
44
45
46
47@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
48 void *rv;
49 gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
50 if (out == NULL) return NULL;
51- gdImageGifCtx(im, out);
52- rv = gdDPExtractData(out, size);
53+ if (!_gdImageGifCtx(im, out)) {
54+ rv = gdDPExtractData(out, size);
55+ } else {
56+ rv = NULL;
57+ }
58 out->gd_free(out);
59 return rv;
60 }
61@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
62
63 */
64 BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
65+{
66+ _gdImageGifCtx(im, out);
67+}
68+
69+/* returns 0 on success, 1 on failure */
70+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
71 {
72 gdImagePtr pim = 0, tim = im;
73 int interlace, BitsPerPixel;
74@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
75 based temporary image. */
76 pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
77 if(!pim) {
78- return;
79+ return 1;
80 }
81 tim = pim;
82 }
83@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
84 /* Destroy palette based temporary image. */
85 gdImageDestroy( pim);
86 }
87+
88+ return 0;
89 }
90
91
92diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
93index fc05842..96ef430 100644
94--- a/src/gd_jpeg.c
95+++ b/src/gd_jpeg.c
96@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
97 exit(99);
98 }
99
100+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
101+
102 /*
103 * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
104 * QUALITY. If QUALITY is in the range 0-100, increasing values
105@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
106 void *rv;
107 gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
108 if (out == NULL) return NULL;
109- gdImageJpegCtx(im, out, quality);
110- rv = gdDPExtractData(out, size);
111+ if (!_gdImageJpegCtx(im, out, quality)) {
112+ rv = gdDPExtractData(out, size);
113+ } else {
114+ rv = NULL;
115+ }
116 out->gd_free(out);
117 return rv;
118 }
119@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
120
121 */
122 BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
123+{
124+ _gdImageJpegCtx(im, outfile, quality);
125+}
126+
127+/* returns 0 on success, 1 on failure */
128+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
129 {
130 struct jpeg_compress_struct cinfo;
131 struct jpeg_error_mgr jerr;
132@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
133 if(row) {
134 gdFree(row);
135 }
136- return;
137+ return 1;
138 }
139
140 cinfo.err->emit_message = jpeg_emit_message;
141@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
142 if(row == 0) {
143 gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
144 jpeg_destroy_compress(&cinfo);
145- return;
146+ return 1;
147 }
148
149 rowptr[0] = row;
150@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
151 jpeg_finish_compress(&cinfo);
152 jpeg_destroy_compress(&cinfo);
153 gdFree(row);
154+ return 0;
155 }
156
157
158diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
159index f19a1c9..a49bdbe 100644
160--- a/src/gd_wbmp.c
161+++ b/src/gd_wbmp.c
162@@ -88,6 +88,8 @@ int gd_getin(void *in)
163 return (gdGetC((gdIOCtx *)in));
164 }
165
166+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
167+
168 /*
169 Function: gdImageWBMPCtx
170
171@@ -100,6 +102,12 @@ int gd_getin(void *in)
172 out - the stream where to write
173 */
174 BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
175+{
176+ _gdImageWBMPCtx(image, fg, out);
177+}
178+
179+/* returns 0 on success, 1 on failure */
180+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
181 {
182 int x, y, pos;
183 Wbmp *wbmp;
184@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
185 /* create the WBMP */
186 if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
187 gd_error("Could not create WBMP\n");
188- return;
189+ return 1;
190 }
191
192 /* fill up the WBMP structure */
193@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
194
195 /* write the WBMP to a gd file descriptor */
196 if(writewbmp(wbmp, &gd_putout, out)) {
197+ freewbmp(wbmp);
198 gd_error("Could not save WBMP\n");
199+ return 1;
200 }
201
202 /* des submitted this bugfix: gdFree the memory. */
203 freewbmp(wbmp);
204+
205+ return 0;
206 }
207
208 /*
209@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
210 void *rv;
211 gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
212 if (out == NULL) return NULL;
213- gdImageWBMPCtx(im, fg, out);
214- rv = gdDPExtractData(out, size);
215+ if (!_gdImageWBMPCtx(im, fg, out)) {
216+ rv = gdDPExtractData(out, size);
217+ } else {
218+ rv = NULL;
219+ }
220 out->gd_free(out);
221 return rv;
222 }
223diff --git a/tests/jpeg/.gitignore b/tests/jpeg/.gitignore
224index c28aa87..13bcf04 100644
225--- a/tests/jpeg/.gitignore
226+++ b/tests/jpeg/.gitignore
227@@ -3,5 +3,6 @@
228 /jpeg_empty_file
229 /jpeg_im2im
230 /jpeg_null
231+/jpeg_ptr_double_free
232 /jpeg_read
233 /jpeg_resolution
234diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
235index 19964b0..a8d8162 100644
236--- a/tests/jpeg/CMakeLists.txt
237+++ b/tests/jpeg/CMakeLists.txt
238@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
239 LIST(APPEND TESTS_FILES
240 jpeg_empty_file
241 jpeg_im2im
242+ jpeg_ptr_double_free
243 jpeg_null
244 )
245
246diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
247index 7e5d317..b89e169 100644
248--- a/tests/jpeg/Makemodule.am
249+++ b/tests/jpeg/Makemodule.am
250@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
251 libgd_test_programs += \
252 jpeg/jpeg_empty_file \
253 jpeg/jpeg_im2im \
254- jpeg/jpeg_null
255+ jpeg/jpeg_null \
256+ jpeg/jpeg_ptr_double_free
257
258 if HAVE_LIBPNG
259 libgd_test_programs += \
260diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
261new file mode 100644
262index 0000000..df5a510
263--- /dev/null
264+++ b/tests/jpeg/jpeg_ptr_double_free.c
265@@ -0,0 +1,31 @@
266+/**
267+ * Test that failure to convert to JPEG returns NULL
268+ *
269+ * We are creating an image, set its width to zero, and pass this image to
270+ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
271+ *
272+ * See also <https://github.com/libgd/libgd/issues/381>
273+ */
274+
275+
276+#include "gd.h"
277+#include "gdtest.h"
278+
279+
280+int main()
281+{
282+ gdImagePtr src, dst;
283+ int size;
284+
285+ src = gdImageCreateTrueColor(1, 10);
286+ gdTestAssert(src != NULL);
287+
288+ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
289+
290+ dst = gdImageJpegPtr(src, &size, 0);
291+ gdTestAssert(dst == NULL);
292+
293+ gdImageDestroy(src);
294+
295+ return gdNumFailures();
296+}
297--
2982.17.1
299
diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.3.0.bb
index a665de4bf..eec8a05ae 100644
--- a/meta-oe/recipes-support/gd/gd_2.2.5.bb
+++ b/meta-oe/recipes-support/gd/gd_2.3.0.bb
@@ -5,23 +5,18 @@ images, and flood fills, and to write out the result as a PNG or JPEG file. \
5This is particularly useful in Web applications, where PNG and JPEG are two \ 5This is particularly useful in Web applications, where PNG and JPEG are two \
6of the formats accepted for inline images by most browsers. Note that gd is not \ 6of the formats accepted for inline images by most browsers. Note that gd is not \
7a paint program." 7a paint program."
8HOMEPAGE = "http://libgd.bitbucket.org/" 8HOMEPAGE = "http://libgd.github.io/"
9 9
10SECTION = "libs" 10SECTION = "libs"
11LICENSE = "GD" 11LICENSE = "GD"
12LIC_FILES_CHKSUM = "file://COPYING;md5=07384b3aa2e0d39afca0d6c40286f545" 12LIC_FILES_CHKSUM = "file://COPYING;md5=8e5bc8627b9494741c905d65238c66b7"
13 13
14DEPENDS = "freetype libpng jpeg zlib tiff" 14DEPENDS = "freetype libpng jpeg zlib tiff"
15 15
16SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \ 16SRC_URI = "git://github.com/libgd/libgd.git;branch=master \
17 file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \
18 file://CVE-2018-1000222.patch \
19 file://CVE-2019-6978.patch \
20 file://CVE-2017-6363.patch \
21 file://CVE-2018-14553.patch \
22 " 17 "
23 18
24SRCREV = "8255231b68889597d04d451a72438ab92a405aba" 19SRCREV = "b079fa06223c3ab862c8f0eea58a968727971988"
25 20
26S = "${WORKDIR}/git" 21S = "${WORKDIR}/git"
27 22