[packages/gd.git] / bmp-check-return-value-in-gdImageBmpPtr.patch

From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 14 Jul 2018 13:54:08 -0400
Subject: bmp: check return value in gdImageBmpPtr
Origin: https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000222
Bug-Debian: https://bugs.debian.org/906886
Bug: https://github.com/libgd/libgd/issues/447

Closes #447.
---
 src/gd_bmp.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/gd_bmp.c b/src/gd_bmp.c
index bde0b9d3abbd..78f40d9a475e 100644
--- a/src/gd_bmp.c
+++ b/src/gd_bmp.c
@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
 static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);
 static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
 
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
+
 #define BMP_DEBUG(s)
 
 static int gdBMPPutWord(gdIOCtx *out, int w)
@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)
 	void *rv;
 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
 	if (out == NULL) return NULL;
-	gdImageBmpCtx(im, out, compression);
-	rv = gdDPExtractData(out, size);
+	if (!_gdImageBmpCtx(im, out, compression))
+		rv = gdDPExtractData(out, size);
+	else
+		rv = NULL;
 	out->gd_free(out);
 	return rv;
 }
@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
 		compression - whether to apply RLE or not.
 */
 BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
+{
+	_gdImageBmpCtx(im, out, compression);
+}
+
+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 {
 	int bitmap_size = 0, info_size, total_size, padding;
 	int i, row, xpos, pixel;
@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 	unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
 	FILE *tmpfile_for_compression = NULL;
 	gdIOCtxPtr out_original = NULL;
+	int ret = 1;
 
 	/* No compression if its true colour or we don't support seek */
 	if (im->trueColor) {
@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
 		out_original = NULL;
 	}
 
+	ret = 0;
 cleanup:
 	if (tmpfile_for_compression) {
 #ifdef _WIN32
@@ -338,7 +349,7 @@ cleanup:
 	if (out_original) {
 		out_original->gd_free(out_original);
 	}
-	return;
+	return ret;
 }
 
 static int compress_row(unsigned char *row, int length)
-- 
2.19.1
Commit	Line	Data
f510b224 AM	1	From: Mike Frysinger <vapier@gentoo.org>
	2	Date: Sat, 14 Jul 2018 13:54:08 -0400
	3	Subject: bmp: check return value in gdImageBmpPtr
	4	Origin: https://github.com/libgd/libgd/commit/ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5
	5	Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000222
	6	Bug-Debian: https://bugs.debian.org/906886
	7	Bug: https://github.com/libgd/libgd/issues/447
	8
	9	Closes #447.
	10	---
	11	src/gd_bmp.c \| 17 ++++++++++++++---
	12	1 file changed, 14 insertions(+), 3 deletions(-)
	13
	14	diff --git a/src/gd_bmp.c b/src/gd_bmp.c
	15	index bde0b9d3abbd..78f40d9a475e 100644
	16	--- a/src/gd_bmp.c
	17	+++ b/src/gd_bmp.c
	18	@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp
	19	static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t info, bmp_hdr_t header);
	20	static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
	21
	22	+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
	23	+
	24	#define BMP_DEBUG(s)
	25
	26	static int gdBMPPutWord(gdIOCtx *out, int w)
	27	@@ -87,8 +89,10 @@ BGD_DECLARE(void ) gdImageBmpPtr(gdImagePtr im, int size, int compression)
	28	void *rv;
	29	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
	30	if (out == NULL) return NULL;
	31	- gdImageBmpCtx(im, out, compression);
	32	- rv = gdDPExtractData(out, size);
	33	+ if (!_gdImageBmpCtx(im, out, compression))
	34	+ rv = gdDPExtractData(out, size);
	35	+ else
	36	+ rv = NULL;
	37	out->gd_free(out);
	38	return rv;
	39	}
	40	@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)
	41	compression - whether to apply RLE or not.
	42	*/
	43	BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
	44	+{
	45	+ _gdImageBmpCtx(im, out, compression);
	46	+}
	47	+
	48	+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
	49	{
	50	int bitmap_size = 0, info_size, total_size, padding;
	51	int i, row, xpos, pixel;
	52	@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
	53	unsigned char uncompressed_row = NULL, uncompressed_row_start = NULL;
	54	FILE *tmpfile_for_compression = NULL;
	55	gdIOCtxPtr out_original = NULL;
	56	+ int ret = 1;
	57
	58	/* No compression if its true colour or we don't support seek */
	59	if (im->trueColor) {
	60	@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
	61	out_original = NULL;
	62	}
	63
	64	+ ret = 0;
65	cleanup:
66	if (tmpfile_for_compression) {
67	#ifdef _WIN32
68	@@ -338,7 +349,7 @@ cleanup:
69	if (out_original) {
70	out_original->gd_free(out_original);
71	}
72	- return;
73	+ return ret;
74	}
75
76	static int compress_row(unsigned char *row, int length)
77	--
78	2.19.1
79