diff --git a/.gitignore b/.gitignore
index b95fae7..c063891 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,7 +9,3 @@ gd-2.0.35.tar.bz2
 /libgd-2.2.3.tar.xz
 /libgd-2.2.4.tar.xz
 /libgd-2.2.5.tar.xz
-/libgd-2.3.0.tar.xz
-/libgd-2.3.1.tar.xz
-/libgd-2.3.2.tar.xz
-/libgd-2.3.3.tar.xz
diff --git a/gd-2.1.0-multilib.patch b/gd-2.1.0-multilib.patch
new file mode 100644
index 0000000..c4fdc63
--- /dev/null
+++ b/gd-2.1.0-multilib.patch
@@ -0,0 +1,33 @@
+diff -up gd-2.1.0/config/gdlib-config.in.multilib gd-2.1.0/config/gdlib-config.in
+--- gd-2.1.0/config/gdlib-config.in.multilib 2013-04-21 16:58:17.820010758 +0200
++++ gd-2.1.0/config/gdlib-config.in 2013-04-21 16:59:27.896317922 +0200
+@@ -7,9 +7,10 @@
+ # installation directories
+ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+-libdir=@libdir@
++libdir=`pkg-config gdlib --variable=libdir`
+ includedir=@includedir@
+ bindir=@bindir@
++ldflags=`pkg-config gdlib --variable=ldflags`
+
+ usage()
+ {
+@@ -68,7 +69,7 @@ while test $# -gt 0; do
+ echo @GDLIB_REVISION@
+ ;;
+ --ldflags)
+- echo @LDFLAGS@
++ echo $ldflags
+ ;;
+ --libs)
+ echo -lgd @LIBS@ @LIBICONV@
+@@ -83,7 +84,7 @@ while test $# -gt 0; do
+ echo "GD library @VERSION@"
+ echo "includedir: $includedir"
+ echo "cflags: -I@includedir@"
+- echo "ldflags: @LDFLAGS@"
++ echo "ldflags: $ldflags"
+ echo "libs: @LIBS@ @LIBICONV@"
+ echo "libdir: $libdir"
+ echo "features: @FEATURES@"
diff --git a/gd-2.2.5-gdImageBmpPtr-double-free.patch b/gd-2.2.5-gdImageBmpPtr-double-free.patch
new file mode 100644
index 0000000..80f9712
--- /dev/null
+++ b/gd-2.2.5-gdImageBmpPtr-double-free.patch
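Review bot: In the gdlib-config.in hunk of gd-2.1.0-multilib.patch, the two new backtick assignments for `libdir` and `ldflags` have no failure handling, so when pkg-config is missing or cannot locate gdlib.pc the script prints empty values for `--ldflags` and `libdir:` instead of reporting an error. A consuming build would then silently fall back to whatever default search path its linker has. Appending `|| { echo "gdlib-config: pkg-config gdlib failed" >&2; exit 1; }` to both assignments makes the failure visible. Whether gd-devel carries a runtime dependency on pkg-config cannot be confirmed from this diff.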
@@ -0,0 +1,73 @@
+From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Sat, 14 Jul 2018 13:54:08 -0400
+Subject: [PATCH] bmp: check return value in gdImageBmpPtr
+
+Closes #447.
+---
+ src/gd_bmp.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/src/gd_bmp.c b/src/gd_bmp.c
+index bde0b9d3..78f40d9a 100644
+--- a/src/gd_bmp.c
++++ b/src/gd_bmp.c
+@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
+ static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
+ static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
+
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
++
+ #define BMP_DEBUG(s)
+
+ static int gdBMPPutWord(gdIOCtx *out, int w)
+@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageBmpCtx(im, out, compression);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageBmpCtx(im, out, compression))
++ rv = gdDPExtractData(out, size);
++ else
++ rv = NULL;
+ out->gd_free(out);
+ return rv;
+ }
+@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
+ compression - whether to apply RLE or not.
+ */
+ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
++{
++ _gdImageBmpCtx(im, out, compression);
++}
++
++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ {
+ int bitmap_size = 0, info_size, total_size, padding;
+ int i, row, xpos, pixel;
+@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
+ FILE *tmpfile_for_compression = NULL;
+ gdIOCtxPtr out_original = NULL;
++ int ret = 1;
+
+ /* No compression if its true colour or we don't support seek */
+ if (im->trueColor) {
+@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ out_original = NULL;
+ }
+
++ ret = 0;
+ cleanup:
+ if (tmpfile_for_compression) {
+ #ifdef _WIN32
+@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+ if (out_original) {
+ out_original->gd_free(out_original);
+ }
+- return;
++ return ret;
+ }
+
+ static int compress_row(unsigned char *row, int length)
diff --git a/gd-2.2.5-heap-based-buffer-overflow.patch b/gd-2.2.5-heap-based-buffer-overflow.patch
new file mode 100644
index 0000000..ae795d0
--- /dev/null
+++ b/gd-2.2.5-heap-based-buffer-overflow.patch
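Review bot: `_gdImageBmpCtx` is introduced without any comment on its return convention, yet gdImageBmpPtr depends on it: `if (!_gdImageBmpCtx(im, out, compression))` treats 0 as success, which follows only from `int ret = 1;` at the top and `ret = 0;` just before `cleanup:`. Add `/* returns 0 on success, 1 on failure */` above the static definition, as the GIF, JPEG and WBMP helpers in gd-2.2.5-potential-double-free.patch do. The unbraced `if`/`else` in gdImageBmpPtr would also be safer braced like those siblings. Most of the `_gdImageBmpCtx` body lies outside the hunks, so whether every error path reaches `cleanup` with `ret` still 1 cannot be confirmed here.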
@@ -0,0 +1,28 @@
+From 98b2e94e62d873acbcc6d968f1f97af9749fe021 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Tue, 4 Jun 2019 10:54:45 +0200
+Subject: [PATCH] heap based buffer overflow in
+ gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch()
+
+---
+ src/gd_color_match.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/gd_color_match.c b/src/gd_color_match.c
+index f0842b6..a94a841 100755
+--- a/src/gd_color_match.c
++++ b/src/gd_color_match.c
+@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
+ return -4; /* At least 1 color must be allocated */
+ }
+
+- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
+- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
++ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
+
+ for (x=0; x < im1->sx; x++) {
+ for( y=0; ysy; y++ ) {
+--
+2.17.1
+
diff --git a/gd-2.2.5-null-pointer.patch b/gd-2.2.5-null-pointer.patch
new file mode 100644
index 0000000..afa18d9
--- /dev/null
+++ b/gd-2.2.5-null-pointer.patch
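Review bot: The pointer returned by `gdMalloc` in gdImageColorMatch is handed straight to `memset`, so an allocation failure turns into a NULL write; the resized buffer is still unchecked. Replacing the pair with `buf = gdCalloc(5 * gdMaxColors, sizeof(unsigned long));` and a NULL check that returns a negative error code in the style of the `return -4` above closes that path. A one-line comment such as `/* sized by gdMaxColors: palette indices read from im2 are not bounded by colorsTotal */` would keep a later cleanup from shrinking the buffer again; the indexing loop that motivates it is outside the hunk, so confirm the wording against it.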
@@ -0,0 +1,74 @@
+From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?=
+Date: Fri, 20 Dec 2019 12:03:33 -0300
+Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
+
+---
+ src/gd.c | 9 +--------
+ tests/gdimageclone/style.c | 30 ++++++++++++++++++++++++++++++
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+ create mode 100644 tests/gdimageclone/style.c
+
+diff --git a/src/gd.c b/src/gd.c
+index 592a0286..d564d1f9 100644
+--- a/src/gd.c
++++ b/src/gd.c
+@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ }
+ }
+
+- if (src->styleLength > 0) {
+- dst->styleLength = src->styleLength;
+- dst->stylePos = src->stylePos;
+- for (i = 0; i < src->styleLength; i++) {
+- dst->style[i] = src->style[i];
+- }
+- }
+-
+ dst->interlace = src->interlace;
+
+ dst->alphaBlendingFlag = src->alphaBlendingFlag;
+@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+
+ if (src->style) {
+ gdImageSetStyle(dst, src->style, src->styleLength);
++ dst->stylePos = src->stylePos;
+ }
+
+ for (i = 0; i < gdMaxColors; i++) {
+diff --git a/tests/gdimageclone/style.c b/tests/gdimageclone/style.c
+new file mode 100644
+index 00000000..c2b246ed
+--- /dev/null
++++ b/tests/gdimageclone/style.c
+@@ -0,0 +1,30 @@
++/**
++ * Cloning an image should exactly reproduce all style related data
++ */
++
++
++#include
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++ gdImagePtr im, clone;
++ int style[] = {0, 0, 0};
++
++ im = gdImageCreate(8, 8);
++ gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0]));
++
++ clone = gdImageClone(im);
++ gdTestAssert(clone != NULL);
++
++ gdTestAssert(clone->styleLength == im->styleLength);
++ gdTestAssert(clone->stylePos == im->stylePos);
++ gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0])));
++
++ gdImageDestroy(clone);
++ gdImageDestroy(im);
++
++ return gdNumFailures();
++}
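Review bot: The last assertion in the new tests/gdimageclone/style.c passes an element count as memcmp's byte length: `memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0]))` compares 3 bytes, not 3 ints, so most of the copied style is never checked. Use `sizeof(style)` as the length. Because the array is `{0, 0, 0}`, the comparison would also pass against any zero-filled buffer; distinct non-zero entries such as `{1, 2, 3}` (constructed values) let the test detect a wrong or missing copy. In gd.c the clone now relies entirely on gdImageSetStyle to allocate `dst->style`, and how that call reports an allocation failure is outside the hunk.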
diff --git a/gd-2.2.5-potential-double-free.patch b/gd-2.2.5-potential-double-free.patch
new file mode 100644
index 0000000..788a068
--- /dev/null
+++ b/gd-2.2.5-potential-double-free.patch
@@ -0,0 +1,283 @@
+From 4d9d8368d08c3a2be3ea4193b9314fffeddace52 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj
+Date: Tue, 4 Jun 2019 13:38:41 +0200
+Subject: [PATCH] Potential double-free in gdImage*Ptr()
+
+Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
+must not call `gdDPExtractData()`; otherwise a double-free would
+happen. Since `gdImage*Ctx()` are void functions, and we can't change
+that for BC reasons, we're introducing static helpers which are used
+internally.
+
+We're adding a regression test for `gdImageJpegPtr()`, but not for
+`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
+trigger failure of the respective `gdImage*Ctx()` calls.
+
+This potential security issue has been reported by Solmaz Salimi (aka.
+Rooney).
+---
+ src/gd_gif_out.c | 19 +++++++++++++++----
+ src/gd_jpeg.c | 20 ++++++++++++++++----
+ src/gd_wbmp.c | 21 ++++++++++++++++++---
+ tests/jpeg/CMakeLists.txt | 1 +
+ tests/jpeg/Makemodule.am | 3 ++-
+ tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
+ 6 files changed, 83 insertions(+), 12 deletions(-)
+ create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
+
+diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
+index 6fe707d..4a05c09 100755
+--- a/src/gd_gif_out.c
++++ b/src/gd_gif_out.c
+@@ -99,7 +99,7 @@ static void char_init(GifCtx *ctx);
+ static void char_out(int c, GifCtx *ctx);
+ static void flush_char(GifCtx *ctx);
+
+-
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
+
+
+ /*
+@@ -131,8 +131,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageGifCtx(im, out);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageGifCtx(im, out)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->gd_free(out);
+ return rv;
+ }
+@@ -220,6 +223,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
+
+ */
+ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
++{
++ _gdImageGifCtx(im, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ {
+ gdImagePtr pim = 0, tim = im;
+ int interlace, BitsPerPixel;
+@@ -231,7 +240,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ based temporary image. */
+ pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
+ if(!pim) {
+- return;
++ return 1;
+ }
+ tim = pim;
+ }
+@@ -247,6 +256,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ /* Destroy palette based temporary image. */
+ gdImageDestroy( pim);
+ }
++
++ return 0;
+ }
+
+
+diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
+index 271ef46..bd8fc27 100755
+--- a/src/gd_jpeg.c
++++ b/src/gd_jpeg.c
+@@ -123,6 +123,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
+ exit(99);
+ }
+
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
++
+ /*
+ * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
+ * QUALITY. If QUALITY is in the range 0-100, increasing values
+@@ -237,8 +239,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageJpegCtx(im, out, quality);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageJpegCtx(im, out, quality)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->gd_free(out);
+ return rv;
+ }
+@@ -259,6 +264,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
+
+ */
+ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
++{
++ _gdImageJpegCtx(im, outfile, quality);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ {
+ struct jpeg_compress_struct cinfo;
+ struct jpeg_error_mgr jerr;
+@@ -293,7 +304,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ if(row) {
+ gdFree(row);
+ }
+- return;
++ return 1;
+ }
+
+ cinfo.err->emit_message = jpeg_emit_message;
+@@ -334,7 +345,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ if(row == 0) {
+ gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
+ jpeg_destroy_compress(&cinfo);
+- return;
++ return 1;
+ }
+
+ rowptr[0] = row;
+@@ -411,6 +422,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ jpeg_finish_compress(&cinfo);
+ jpeg_destroy_compress(&cinfo);
+ gdFree(row);
++ return 0;
+ }
+
+
+diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
+index 0028273..341ff6e 100755
+--- a/src/gd_wbmp.c
++++ b/src/gd_wbmp.c
+@@ -88,6 +88,8 @@ int gd_getin(void *in)
+ return (gdGetC((gdIOCtx *)in));
+ }
+
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
++
+ /*
+ Function: gdImageWBMPCtx
+
+@@ -100,6 +102,12 @@ int gd_getin(void *in)
+ out - the stream where to write
+ */
+ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
++{
++ _gdImageWBMPCtx(image, fg, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ {
+ int x, y, pos;
+ Wbmp *wbmp;
+@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ /* create the WBMP */
+ if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
+ gd_error("Could not create WBMP\n");
+- return;
++ return 1;
+ }
+
+ /* fill up the WBMP structure */
+@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+
+ /* write the WBMP to a gd file descriptor */
+ if(writewbmp(wbmp, &gd_putout, out)) {
++ freewbmp(wbmp);
+ gd_error("Could not save WBMP\n");
++ return 1;
+ }
+
+ /* des submitted this bugfix: gdFree the memory. */
+ freewbmp(wbmp);
++
++ return 0;
+ }
+
+ /*
+@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
+ void *rv;
+ gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ if (out == NULL) return NULL;
+- gdImageWBMPCtx(im, fg, out);
+- rv = gdDPExtractData(out, size);
++ if (!_gdImageWBMPCtx(im, fg, out)) {
++ rv = gdDPExtractData(out, size);
++ } else {
++ rv = NULL;
++ }
+ out->gd_free(out);
+ return rv;
+ }
+diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
+index 19964b0..a8d8162 100755
+--- a/tests/jpeg/CMakeLists.txt
++++ b/tests/jpeg/CMakeLists.txt
+@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
+ LIST(APPEND TESTS_FILES
+ jpeg_empty_file
+ jpeg_im2im
++ jpeg_ptr_double_free
+ jpeg_null
+ )
+
+diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
+index 7e5d317..b89e169 100755
+--- a/tests/jpeg/Makemodule.am
++++ b/tests/jpeg/Makemodule.am
+@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
+ libgd_test_programs += \
+ jpeg/jpeg_empty_file \
+ jpeg/jpeg_im2im \
+- jpeg/jpeg_null
++ jpeg/jpeg_null \
++ jpeg/jpeg_ptr_double_free
+
+ if HAVE_LIBPNG
+ libgd_test_programs += \
+diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
+new file mode 100644
+index 0000000..c80aeb6
+--- /dev/null
++++ b/tests/jpeg/jpeg_ptr_double_free.c
+@@ -0,0 +1,31 @@
++/**
++ * Test that failure to convert to JPEG returns NULL
++ *
++ * We are creating an image, set its width to zero, and pass this image to
++ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
++ *
++ * See also
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++ gdImagePtr src, dst;
++ int size;
++
++ src = gdImageCreateTrueColor(1, 10);
++ gdTestAssert(src != NULL);
++
++ src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
++
++ dst = gdImageJpegPtr(src, &size, 0);
++ gdTestAssert(dst == NULL);
++
++ gdImageDestroy(src);
++
++ return gdNumFailures();
++}
+\ No newline at end of file
+--
+2.17.1
+
diff --git a/gd-2.2.5-upstream.patch b/gd-2.2.5-upstream.patch
new file mode 100644
index 0000000..0bc1bcb
--- /dev/null
+++ b/gd-2.2.5-upstream.patch
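Review bot: On the new failure branch of gdImageGifPtr, gdImageJpegPtr and gdImageWBMPPtr (`rv = NULL;`), `*size` is never written, so a caller that reads the size before checking the returned pointer sees an indeterminate value; the new test itself declares `int size;` uninitialised. Adding `*size = 0;` next to `rv = NULL;` in each of the three else branches makes the failure state fully defined, and the same applies to gdImageBmpPtr in gd-2.2.5-gdImageBmpPtr-double-free.patch. In `_gdImageGifCtx` only the palette-conversion failure shown in the hunk returns 1; whether encoder write errors are reported at all is not visible here, so the GIF path may still reach gdDPExtractData after a partial write.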
@@ -0,0 +1,62 @@
+From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop. Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+ src/gd_gif_in.c | 12 ++++++------
+ tests/gif/.gitignore | 1 +
+ tests/gif/CMakeLists.txt | 1 +
+ tests/gif/Makemodule.am | 2 ++
+ tests/gif/php_bug_75571.c | 28 ++++++++++++++++++++++++++++
+ tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes
+ 6 files changed, 38 insertions(+), 6 deletions(-)
+ create mode 100644 tests/gif/php_bug_75571.c
+ create mode 100644 tests/gif/php_bug_75571.gif
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index daf26e79..0a8bd717 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ return 0;
+ }
+
+- if(!im->colorsTotal) {
+- gdImageDestroy(im);
+- return 0;
+- }
+-
+ /* Check for open colors at the end, so
+ * we can reduce colorsTotal and ultimately
+ * BitsPerPixel */
+@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ }
+ }
+
++ if(!im->colorsTotal) {
++ gdImageDestroy(im);
++ return 0;
++ }
++
+ return im;
+ }
+
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ int i, j, ret;
+- unsigned char count;
++ int count;
+
+ if(flag) {
+ scd->curbit = 0;
+
diff --git a/gd.spec b/gd.spec
index 7f22720..ad787cf 100644
--- a/gd.spec
+++ b/gd.spec
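Review bot: The patch header's diffstat lists six files, including the regression test tests/gif/php_bug_75571.c and its fixture php_bug_75571.gif, but only the src/gd_gif_in.c hunks are carried, so `make check` in this package does not exercise the CVE-2018-5711 input. Say so in the patch header or beside Patch2 in gd.spec, for example `# upstream regression test tests/gif/php_bug_75571.{c,gif} not included`, so the gap is not mistaken for coverage. The change of `count` from `unsigned char` to `int` in GetCode_ only helps if the code that assigns and tests it handles a negative value; that code is outside the hunk.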
@@ -1,25 +1,16 @@ -%if 0%{?rhel} -%bcond_with liq -%bcond_with raqm -%bcond_with avif -%else -# Enabled by default -%bcond_without liq -%bcond_without avif -%endif -# disabled as breaks vertical text -# See https://bugzilla.redhat.com/2022957 -%bcond_with raqm -# Not available in Fedora, only in rpmfusion -# Also see https://github.com/libgd/libgd/issues/678 segfault -%bcond_with heif +# requested by https://bugzilla.redhat.com/1468338 +# this break gdimagefile/gdnametest: +# gdimagefile/gdnametest.c:122: 255 pixels different on /tmp/gdtest.CrpdIb/img.gif +# gdimagefile/gdnametest.c:122: 255 pixels different on /tmp/gdtest.CrpdIb/img.GIF +# FAIL gdimagefile/gdnametest (exit status: 2) +%global with_liq 0 Summary: A graphics library for quick creation of PNG or JPEG images Name: gd -Version: 2.3.3 -Release: 20%{?prever}%{?short}%{?dist} -License: GD +Version: 2.2.5 +Release: 10%{?prever}%{?short}%{?dist} +License: MIT URL: http://libgd.github.io/ %if 0%{?commit:1} # git clone https://github.com/libgd/libgd.git; cd gd-libgd 
@@ -29,10 +20,17 @@ Source0: libgd-%{version}-%{commit}.tgz Source0: https://github.com/libgd/libgd/releases/download/gd-%{version}/libgd-%{version}.tar.xz %endif -# Needed by PHP see https://github.com/libgd/libgd/pull/766 -Patch0: libgd-flip.patch -# Missing header see https://github.com/libgd/libgd/pull/766 -Patch1: libgd-iostream.patch +Patch1: gd-2.1.0-multilib.patch +# CVE-2018-5711 - https://github.com/libgd/libgd/commit/a11f47475e6443b7f32d21f2271f28f417e2ac04 +Patch2: gd-2.2.5-upstream.patch +# CVE-2018-1000222 - https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 +Patch3: gd-2.2.5-gdImageBmpPtr-double-free.patch +# CVE-2019-6977 +Patch4: gd-2.2.5-heap-based-buffer-overflow.patch +# CVE-2019-6978 +Patch5: gd-2.2.5-potential-double-free.patch +# NULL POINTER REFERENCE - https://github.com/libgd/libgd/commit/a93eac0e843148dc2d631c3ba80af17e9c8c860f +Patch6: gd-2.2.5-null-pointer.patch BuildRequires: freetype-devel BuildRequires: fontconfig-devel @@ -41,18 +39,9 @@ BuildRequires: libjpeg-devel BuildRequires: libpng-devel BuildRequires: libtiff-devel BuildRequires: libwebp-devel -%if %{with liq} +%if %{with_liq} BuildRequires: libimagequant-devel %endif -%if %{with raqm} -BuildRequires: libraqm-devel -%endif -%if %{with avif} -BuildRequires: libavif-devel -%endif -%if %{with heif} -BuildRequires: libheif-devel -%endif BuildRequires: libX11-devel BuildRequires: libXpm-devel BuildRequires: zlib-devel @@ -60,10 +49,9 @@ BuildRequires: pkgconfig BuildRequires: libtool BuildRequires: perl-interpreter BuildRequires: perl-generators -BuildRequires: perl(FindBin) # for fontconfig/basic test BuildRequires: liberation-sans-fonts -BuildRequires: make +BuildRequires: libimagequant-devel %description 
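Review bot: Patch4 and Patch5 are annotated with a CVE id only (`# CVE-2019-6977`, `# CVE-2019-6978`), while Patch2, Patch3 and Patch6 carry the upstream commit URL. Both patch files have a From: line that appears to name the packager rather than an upstream author, so the spec gives no way to tell which upstream change each backport was derived from. Add the reference in the same form as the others, e.g. `# CVE-2019-6977 - <upstream commit URL>`, so the backports can be compared against upstream when they are next rebased.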
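Review bot: `BuildRequires: libimagequant-devel` is added unconditionally at the end of the BuildRequires list, which contradicts `%global with_liq 0` and the `%if %{with_liq}` guard a few lines earlier; a later hunk likewise makes `Requires: libimagequant-devel%{?_isa}` in gd-devel unconditional. With the library always in the buildroot and no liq switch visible on the `%configure` line, configure may enable libimagequant anyway, which the header comment says breaks gdimagefile/gdnametest. Either drop the two unconditional lines and keep the guarded one, or remove the `with_liq` macro and its comment so the spec states what is actually built.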
@@ -96,19 +84,7 @@ Requires: libwebp-devel%{?_isa} Requires: libX11-devel%{?_isa} Requires: libXpm-devel%{?_isa} Requires: zlib-devel%{?_isa} -%if %{with liq} Requires: libimagequant-devel%{?_isa} -%endif -%if %{with raqm} -Requires: libraqm-devel -%endif -%if %{with avif} -Requires: libavif-devel -%endif -%if %{with heif} -Requires: libheif-devel -%endif - %description devel The gd-devel package contains the development libraries and header @@ -117,8 +93,12 @@ files for gd, a graphics library for creating PNG and JPEG graphics. %prep %setup -q -n libgd-%{version}%{?prever:-%{prever}} -%patch -P0 -p1 -%patch -P1 -p1 +%patch1 -p1 -b .mlib +%patch2 -p1 -b .upstream +%patch3 -p1 -b .gdImageBmpPtr-free +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 : $(perl config/getver.pl) @@ -133,7 +113,7 @@ fi %build # Provide a correct default font search path -CFLAGS="-std=gnu17 $RPM_OPT_FLAGS -DDEFAULT_FONTPATH='\"\ +CFLAGS="$RPM_OPT_FLAGS -DDEFAULT_FONTPATH='\"\ /usr/share/fonts/bitstream-vera:\ /usr/share/fonts/dejavu:\ /usr/share/fonts/default/Type1:\ @@ -145,13 +125,12 @@ CFLAGS="-std=gnu17 $RPM_OPT_FLAGS -DDEFAULT_FONTPATH='\"\ CFLAGS="$CFLAGS -msse -mfpmath=sse" %endif -%ifarch aarch64 ppc64 ppc64le s390 s390x x86_64 riscv64 +%ifarch aarch64 ppc64 ppc64le s390 s390x # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1359680 export CFLAGS="$CFLAGS -ffp-contract=off" %endif %configure \ - --enable-gd-formats \ --with-tiff=%{_prefix} \ --disable-rpath make %{?_smp_mflags} @@ -164,9 +143,6 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libgd.a %check -# Workaround to https://github.com/libgd/libgd/issues/763 -export TMPDIR=/tmp - : Upstream test suite make check 
@@ -184,141 +160,26 @@ grep %{version} $RPM_BUILD_ROOT%{_libdir}/pkgconfig/gdlib.pc %files progs %{_bindir}/* +%exclude %{_bindir}/gdlib-config %files devel +%{_bindir}/gdlib-config %{_includedir}/* %{_libdir}/*.so %{_libdir}/pkgconfig/gdlib.pc %changelog -* Tue Sep 09 2025 Sandro Mani - 2.3.3-20 -- Rebuild (libimagequant) - -* Wed Jul 23 2025 Fedora Release Engineering - 2.3.3-19 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Thu Jan 16 2025 Fedora Release Engineering - 2.3.3-18 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Thu Jul 18 2024 Fedora Release Engineering - 2.3.3-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Wed Mar 06 2024 Richard W.M. Jones - 2.3.3-16 -- Bump and rebuild package (for riscv64) - -* Wed Jan 31 2024 František Zatloukal - 2.3.3-15 -- Rebuilt for libavif 1.0.3 - -* Wed Jan 24 2024 Fedora Release Engineering - 2.3.3-14 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Jan 19 2024 Fedora Release Engineering - 2.3.3-13 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Wed Jul 19 2023 Fedora Release Engineering - 2.3.3-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Sat Mar 04 2023 Sandro Mani - 2.3.3-11 -- Rebuild (libimagequant) - -* Thu Jan 19 2023 Fedora Release Engineering - 2.3.3-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Thu Dec 01 2022 Kalev Lember - 2.3.3-9 -- Rebuild for new libavif - -* Sun Oct 23 2022 Robert-André Mauchin - 2.3.3-8 -- Rebuild for new libavif - -* Sun Oct 23 2022 Robert-André Mauchin - 2.3.3-7 -- Rebuild for new libavif - -* Thu Jul 21 2022 Fedora Release Engineering - 2.3.3-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Thu Jan 20 2022 Fedora Release Engineering - 2.3.3-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Mon Nov 29 2021 Robert-André Mauchin - 
2.3.3-4 -- Rebuild for libavif soname bump - -* Fri Nov 19 2021 Remi Collet - 2.3.3-3 -- disable libraqm usage, see #2022957 - -* Mon Sep 20 2021 Paul Howarth - 2.3.3-2 -- Explicitly enable gd/gd2 formats, wanted by perl bindings (#2005916) - -* Mon Sep 13 2021 Remi Collet - 2.3.3-1 -- update to 2.3.3 -- open https://github.com/libgd/libgd/pull/766 missing macros -- open https://github.com/libgd/libgd/pull/767 missing headers - -* Tue Jul 27 2021 Florian Weimer - 2.3.2-9 -- Rebuild again for libavif soname bump - -* Thu Jul 22 2021 Robert-André Mauchin - 2.3.2-8 -- Rebuild for libavif soname bump - -* Wed Jul 21 2021 Fedora Release Engineering - 2.3.2-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Mon Jul 19 2021 Robert-André Mauchin - 2.3.2-6 -- Rebuild for libavif soname bump - -* Sun May 23 2021 Robert-André Mauchin - 2.3.2-5 -- Rebuild for libavif soname bump - -* Mon Mar 29 2021 Robert-André Mauchin - 2.3.2-4 -- Rebuild for libavif soname bump - -* Wed Mar 17 2021 Filip Januš - 2.3.2-3 -- Add condition if fedora for packages not available in RHEL - -* Mon Mar 8 2021 Remi Collet - 2.3.2-2 -- enable avif support -- use bcond - -* Mon Mar 08 2021 Ondrej Dubaj - 2.3.2-1 -- rebase to version 2.3.2 - -* Wed Feb 3 2021 Filip Januš - 2.3.1-1 -- Upstream released new version 2.3.1 -- patch bug615 is no more needed - fixed by upstream in release -- gdimagestring16/gdimagestring16 gdimagestringup16/gdimagestringup16 passed on - x390s - XFAIL_TEST definition for x390s is no more necessary - -* Tue Jan 26 2021 Fedora Release Engineering - 2.3.0-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Mon Jul 27 2020 Fedora Release Engineering - 2.3.0-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Wed Jul 15 2020 Remi Collet - 2.3.0-2 -- fix gdImageStringFT() fails for empty strings - https://github.com/libgd/libgd/issues/615 - -* Tue Mar 24 2020 Remi Collet - 2.3.0-1 -- update to 2.3.0 -- add 
dependency on libraqm -- remove gdlib-config - -* Fri Jan 31 2020 Filip Januš - 2.2.5-12 +* Fri Jan 31 2020 Filip Januš - 2.2.5-10 - Add patch(gd-2.2.5-null-pointer.patch) - fix Null pointer reference in gdImageClone (gdImagePtr src) - Resolves: #1599032 -* Tue Jan 28 2020 Fedora Release Engineering - 2.2.5-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Fri Nov 01 2019 odubaj@redhat.com - 2.2.5-10 +* Fri Nov 01 2019 odubaj@redhat.com - 2.2.5-9 - Fixed heap based buffer overflow in gd_color_match.c:gdImageColorMatch() in libgd as used in imagecolormatch() - Resolves: RHBZ#1678104 (CVE-2019-6977) - Fixed potential double-free in gdImage*Ptr() - Resolves: RHBZ#1671391 (CVE-2019-6978) -* Thu Jul 25 2019 Fedora Release Engineering - 2.2.5-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - * Thu Jan 31 2019 Fedora Release Engineering - 2.2.5-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild diff --git a/getlib.sh b/getlib.sh deleted file mode 100644 index 4835cf6..0000000 --- a/getlib.sh +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/bin/sh - -GETVER="${0%/*}/getver.pl" -GDLIB_MAJOR=$("${GETVER}" MAJOR) -GDLIB_MINOR=$("${GETVER}" MINOR) -GDLIB_REVISION=$("${GETVER}" RELEASE) - -# Dynamic library version information -# See http://www.gnu.org/software/libtool/manual/libtool.html#Updating-version-info - -GDLIB_LT_CURRENT=3 -# This is the version where the soname (current above) changes. We use it -# to reset the revision base back to zero. It's a bit of a pain, but some -# systems restrict the revision range below to [0..255] (like OS X). -GDLIB_PREV_MAJOR=2 -GDLIB_PREV_MINOR=2 -# This isn't 100% correct, but it tends to be a close enough approximation -# for how we manage the codebase. It's rare to do a release that doesn't -# modify the library since this project is centered around the library. -GDLIB_LT_REVISION=$(( ((GDLIB_MAJOR - GDLIB_PREV_MAJOR) << 6) | ((GDLIB_MINOR - GDLIB_PREV_MINOR) << 3) | GDLIB_REVISION )) -GDLIB_LT_AGE=0 - -# The first three fields we feed into libtool and the OS target determines how -# they get used. The last two fields we feed into cmake. We use the same rules -# as Linux SONAME versioning in libtool, but cmake should handle it for us. -case $1 in -CURRENT) - printf '%s' "${GDLIB_LT_CURRENT}" - ;; -REVISION) - printf '%s' "${GDLIB_LT_REVISION}" - ;; -AGE) - printf '%s' "${GDLIB_LT_AGE}" - ;; -VERSION) - printf '%s' "$(( GDLIB_LT_CURRENT - GDLIB_LT_AGE )).${GDLIB_LT_AGE}.${GDLIB_LT_REVISION}" - ;; -SONAME) - printf '%s' "$(( GDLIB_LT_CURRENT - GDLIB_LT_AGE ))" - ;; -esac diff --git a/libgd-flip.patch b/libgd-flip.patch deleted file mode 100644 index 4fa964f..0000000 --- a/libgd-flip.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From f4bc1f5c26925548662946ed7cfa473c190a104a Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Mon, 13 Sep 2021 14:57:52 +0200 -Subject: [PATCH 1/2] Revert "Fix #318, these macros are not used as planed, we - have separate functions for each" - -This reverts commit bdc281eadb1d58d5c0c7bbc1125ee4674256df08. ---- - src/gd.h | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/gd.h b/src/gd.h -index 30560395..1ad9e637 100644 ---- a/src/gd.h -+++ b/src/gd.h -@@ -1604,6 +1604,11 @@ BGD_DECLARE(void) gdImageFlipHorizontal(gdImagePtr im); - BGD_DECLARE(void) gdImageFlipVertical(gdImagePtr im); - BGD_DECLARE(void) gdImageFlipBoth(gdImagePtr im); - -+#define GD_FLIP_HORINZONTAL 1 /* typo, kept for BC */ -+#define GD_FLIP_HORIZONTAL 1 -+#define GD_FLIP_VERTICAL 2 -+#define GD_FLIP_BOTH 3 -+ - /** - * Group: Crop - * - -From e47c619d792455aad23708d2ec2947455394427e Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Mon, 13 Sep 2021 14:59:47 +0200 -Subject: [PATCH 2/2] add comment to not remove these macros - ---- - src/gd.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/gd.h b/src/gd.h -index 1ad9e637..71f5a89c 100644 ---- a/src/gd.h -+++ b/src/gd.h -@@ -1604,6 +1604,8 @@ BGD_DECLARE(void) gdImageFlipHorizontal(gdImagePtr im); - BGD_DECLARE(void) gdImageFlipVertical(gdImagePtr im); - BGD_DECLARE(void) gdImageFlipBoth(gdImagePtr im); - -+/* Macros still used in gd extension up to PHP 8.0 -+ so please keep these unused macros for now */ - #define GD_FLIP_HORINZONTAL 1 /* typo, kept for BC */ - #define GD_FLIP_HORIZONTAL 1 - #define GD_FLIP_VERTICAL 2 diff --git a/libgd-iostream.patch b/libgd-iostream.patch deleted file mode 100644 index c80b3ec..0000000 --- a/libgd-iostream.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 01bcbdcae35b90de082012e639094c711a7aa2b3 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Mon, 13 Sep 2021 15:05:18 +0200 -Subject: [PATCH] install missing header, used by gdpp.h - ---- - src/CMakeLists.txt | 1 + - src/Makefile.am | 2 +- - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt -index 3839bc78..c1eea100 100644 ---- a/src/CMakeLists.txt -+++ b/src/CMakeLists.txt -@@ -194,6 +194,7 @@ install(FILES - gdfontt.h - gdfx.h - gdpp.h -+ gd_io_stream.h - DESTINATION include) - - CONFIGURE_FILE(../config/gdlib.pc.cmake gdlib.pc @ONLY) -diff --git a/src/Makefile.am b/src/Makefile.am -index dbe9243c..c8c779f1 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -52,7 +52,7 @@ EXTRA_DIST = \ - msinttypes/inttypes.h \ - msinttypes/stdint.h - --include_HEADERS = gd.h gdfx.h gd_io.h gdcache.h gdfontg.h gdfontl.h gdfontmb.h gdfonts.h gdfontt.h gd_color_map.h gd_errors.h gdpp.h -+include_HEADERS = gd.h gdfx.h gd_io.h gdcache.h gdfontg.h gdfontl.h gdfontmb.h gdfonts.h gdfontt.h gd_color_map.h gd_errors.h gdpp.h gd_io_stream.h - - lib_LTLIBRARIES = libgd.la - diff --git a/sources b/sources index 4bad33c..541711d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libgd-2.3.3.tar.xz) = aa49d4381d604a4360d556419d603df2ffd689a6dcc10f8e5e1d158ddaa3ab89912f6077ca77da4e370055074007971cf6d356ec9bf26dcf39bcff3208bc7e6c +SHA512 (libgd-2.2.5.tar.xz) = 946675b0a9dbecdee3dda927d496a35d6b5b071d3252a82cd649db0d959a82fcc65ce067ec34d07eed0e0497cd92cc0d93803609a4854f42d284e950764044d0