From 9aea795890af4de0b8e6587f1f2778109446736d Mon Sep 17 00:00:00 2001
From: Haiqing Bai <Haiqing.Bai@windriver.com>
Date: Wed, 4 Mar 2020 14:24:13 +0800
Subject: gd: fix CVE-2017-6363

Backport the CVE patch from the upstream to fix the heap-based buffer
over-read in tiffWriter.

Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch | 35 +++++++++++++++++++++++
 meta-oe/recipes-support/gd/gd_2.2.5.bb            |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch

diff --git a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
new file mode 100644
index 000000000..25b5880ff
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
@@ -0,0 +1,35 @@
+From 8f7b60ea7db87de5df76169e3f3918e401ef8bf7 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 31 Jan 2018 14:50:16 -0500
+Subject: [PATCH] gd/gd2: make sure transparent palette index is within bounds
+ #383
+
+The gd image formats allow for a palette of 256 colors,
+so if the transparent index is out of range, disable it.
+
+Upstream-Status: Backport
+[https://github.com/libgd/libgd.git commit:0be86e1926939a98afbd2f3a23c673dfc4df2a7c]
+CVE-2017-6363
+
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/gd_gd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_gd.c b/src/gd_gd.c
+index f8d39cb..5a86fc3 100644
+--- a/src/gd_gd.c
++++ b/src/gd_gd.c
+@@ -54,7 +54,8 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
+ 		if (!gdGetWord (&im->transparent, in)) {
+ 			goto fail1;
+ 		}
+-		if (im->transparent == 257) {
++		/* Make sure transparent index is within bounds of the palette. */
++		if (im->transparent >= 256 || im->transparent < 0) {
+ 			im->transparent = (-1);
+ 		}
+ 	}
+-- 
+1.9.1
+
diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.2.5.bb
index 35f9bb251..dda2e67d6 100644
--- a/meta-oe/recipes-support/gd/gd_2.2.5.bb
+++ b/meta-oe/recipes-support/gd/gd_2.2.5.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
            file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \
            file://CVE-2018-1000222.patch \
            file://CVE-2019-6978.patch \
+           file://CVE-2017-6363.patch \
           "
 
 SRCREV = "8255231b68889597d04d451a72438ab92a405aba"
-- 
cgit v1.2.3-54-g00ecf