From a1dfa0223329734d2cb4f9aa034183fb2573bb9c Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 28 Jul 2016 16:43:53 -0400
Subject: Revert "gnu: gd: Update to 2.2.3 [fixes CVE-2016-6207]."

This reverts commit ae46cd0e4cfb1f06d099b2cda1f9e702e86c90e9.
---
 gnu/packages/patches/gd-CVE-2016-6132.patch | 55 +++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 gnu/packages/patches/gd-CVE-2016-6132.patch

(limited to 'gnu/packages/patches/gd-CVE-2016-6132.patch')

diff --git a/gnu/packages/patches/gd-CVE-2016-6132.patch b/gnu/packages/patches/gd-CVE-2016-6132.patch
new file mode 100644
index 0000000000..4c475b71b2
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2016-6132.patch
@@ -0,0 +1,55 @@
+Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132
+
+Copied from upstream commit:
+https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d
+
+From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Tue, 12 Jul 2016 11:24:09 +0200
+Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
+ files (CVE-2016-6132)
+
+---
+ src/gd_tga.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index ef20f86..20fe2d2 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 			return -1;
+ 		}
+ 
+-		gdGetBuf(conversion_buffer, image_block_size, ctx);
++		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
++			gd_error("gd-tga: premature end of image data\n");
++			gdFree(conversion_buffer);
++			return -1;
++		}
+ 
+ 		while (buffer_caret < image_block_size) {
+ 			tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
+@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 		}
+ 		conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
+ 		if (conversion_buffer == NULL) {
++			gd_error("gd-tga: premature end of image data\n");
+ 			gdFree( decompression_buffer );
+ 			return -1;
+ 		}
+ 
+-		gdGetBuf( conversion_buffer, image_block_size, ctx );
++		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
++			gdFree(conversion_buffer);
++			gdFree(decompression_buffer);
++			return -1;
++		}
+ 
+ 		buffer_caret = 0;
+ 
+-- 
+2.9.1
+
-- 
cgit v1.2.3