From unknown Thu Jun 19 12:38:38 2025
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
Content-Type: text/plain; charset=utf-8
From: bug#34491 <34491@debbugs.gnu.org>
To: bug#34491 <34491@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: libgd: Fix CVE-2019-{6977,6978}.
Reply-To: bug#34491 <34491@debbugs.gnu.org>
Date: Thu, 19 Jun 2025 19:38:38 +0000

retitle 34491 [PATCH] gnu: libgd: Fix CVE-2019-{6977,6978}.
reassign 34491 guix-patches
submitter 34491 Leo Famulari <leo@famulari.name>
severity 34491 normal
tag 34491 patch

thanks


From debbugs-submit-bounces@debbugs.gnu.org Fri Feb 15 12:23:56 2019
Received: (at submit) by debbugs.gnu.org; 15 Feb 2019 17:23:56 +0000
Received: from localhost ([127.0.0.1]:49766 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1guhDI-0007wQ-G7
	for submit@debbugs.gnu.org; Fri, 15 Feb 2019 12:23:56 -0500
Received: from eggs.gnu.org ([209.51.188.92]:53006)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1guhDB-0007w6-9M
 for submit@debbugs.gnu.org; Fri, 15 Feb 2019 12:23:46 -0500
Received: from lists.gnu.org ([209.51.188.17]:49058)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1guhD6-0003NC-2q
 for submit@debbugs.gnu.org; Fri, 15 Feb 2019 12:23:36 -0500
Received: from eggs.gnu.org ([209.51.188.92]:39132)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1guhD3-0002cZ-WF
 for guix-patches@gnu.org; Fri, 15 Feb 2019 12:23:35 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.1 required=5.0 tests=BAYES_50,RCVD_IN_DNSWL_LOW,
 URIBL_BLOCKED autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1guhD2-0003KL-6G
 for guix-patches@gnu.org; Fri, 15 Feb 2019 12:23:33 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:52105)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1guhD1-0003Io-Se
 for guix-patches@gnu.org; Fri, 15 Feb 2019 12:23:32 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 0207D21DC1;
 Fri, 15 Feb 2019 12:23:30 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute4.internal (MEProxy); Fri, 15 Feb 2019 12:23:30 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=from:to:subject:date:message-id:mime-version
 :content-transfer-encoding; s=mesmtp; bh=iC3a+6615+9HXjBTWJ/6pVh
 b8FUrEGZBBuY/uLNIA6c=; b=mFRqHB7ltIUkFnMnq0Zcijrrus88cJTCxAv8ea/
 P/NFLDZRvBgRjZuIKC1ITfrgPbSp9M4TK/LlqQBsL/xdivI4uG5KNJJnfg9MOlw1
 M7W9AdiQxJ+krXDMutpEtCRQc/jvutIkbn/2uPs7R2iBQd5BFqHbwqJ8Hlxxduha
 AVD8=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-transfer-encoding:date:from
 :message-id:mime-version:subject:to:x-me-proxy:x-me-proxy
 :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=iC3a+6615+9HXjBTW
 J/6pVhb8FUrEGZBBuY/uLNIA6c=; b=37KD6c8OLbu+Azd5mqtkMJc9HAM/x8ZOl
 TmJnFnWytI9eoMhPzB9Nrfb4i9JYmDI0amx1iPCr3JKha7Io+Ks1Qv8/twt50/Wc
 7fcZGiq+gnI/Aa1qKtLnHps6jkzKcM/podca7UIOkvI8TTW+ip5mPL+OjjbhqSH7
 sqkDBef/BI6owTLWvFm86IEjEdI8j2wTm69u4jOkQKi1wQ57fx7gqvzvwLluzGZ0
 7GOTtXJ2AvWce4JYaHAxG/c5+ZT8D6YXKt1scx4NIbV0PcJDRHM5Y1UebrSDYDOE
 DPWRt1qBlGx/6I0lZPc5bHMTZiM9uOiN4JrMcY2/IatiYSD+/fy2g==
X-ME-Sender: <xms:kfVmXK-lxtUKGrN7Gp0AkXlvzJb9wQ-LqoAdeIeUhsHkDYysJTnYQg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedtledruddtjedguddttdcutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfhuthenuceurghilhhouhhtmecu
 fedttdenucenucfjughrpefhvffufffkofgggfestdekredtredttdenucfhrhhomhepnf
 gvohcuhfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecuffho
 mhgrihhnpehfihgvlhgurdhgugdpmhhithhrvgdrohhrghdplhhisghgugdrohhrghdpgh
 hithhhuhgsrdgtohhmpdhphhhprdhnvghtpdguvggsihgrnhdrohhrghenucfkphepjeei
 rdduvdegrddvtddvrddufeejnecurfgrrhgrmhepmhgrihhlfhhrohhmpehlvghosehfrg
 hmuhhlrghrihdrnhgrmhgvnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:kfVmXOl_wQn3CMFCHABdaDnuYMGZRdxUOKGHFEHbbvncesoElT1DCw>
 <xmx:kfVmXNvm70toF1Oj3FFNbYFJgjsn7mcVe3VzNfitWazZvaEkCrnMyA>
 <xmx:kfVmXLd3h2c06JAXQdX6CyQxsrypaxqHeNCbVhCIc2-UVjSC-lru4g>
 <xmx:kfVmXBbGoC8vkVJn8BLMh60AoI6fN9_VTTlfY4xgll9_dyWR9s0vWQ>
Received: from jasmine.lan (c-76-124-202-137.hsd1.pa.comcast.net
 [76.124.202.137])
 by mail.messagingengine.com (Postfix) with ESMTPA id A0671E409E
 for <guix-patches@gnu.org>; Fri, 15 Feb 2019 12:23:28 -0500 (EST)
From: Leo Famulari <leo@famulari.name>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: libgd: Fix CVE-2019-{6977,6978}.
Date: Fri, 15 Feb 2019 12:23:24 -0500
Message-Id: <e1d6dd3e125842370436714fd592256d23c66403.1550251404.git.leo@famulari.name>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 66.111.4.26
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Spam-Score: 0.9 (/)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -0.1 (/)

* gnu/packages/gd.scm (gd)[replacement]: New field.
(gd/fixed): New variable.
* gnu/packages/patches/gd-CVE-2019-6977.patch,
gnu/packages/patches/gd-CVE-2019-6978.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/local.mk                                |   2 +
 gnu/packages/gd.scm                         |  11 +
 gnu/packages/patches/gd-CVE-2019-6977.patch |  36 +++
 gnu/packages/patches/gd-CVE-2019-6978.patch | 301 ++++++++++++++++++++
 4 files changed, 350 insertions(+)
 create mode 100644 gnu/packages/patches/gd-CVE-2019-6977.patch
 create mode 100644 gnu/packages/patches/gd-CVE-2019-6978.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0484b3e085..32edd2286d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -792,6 +792,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/gcr-fix-collection-tests-to-work-with-gpg-21.patch	\
   %D%/packages/patches/gd-CVE-2018-5711.patch			\
   %D%/packages/patches/gd-CVE-2018-1000222.patch		\
+  %D%/packages/patches/gd-CVE-2019-6977.patch			\
+  %D%/packages/patches/gd-CVE-2019-6978.patch			\
   %D%/packages/patches/gd-fix-tests-on-i686.patch		\
   %D%/packages/patches/gd-freetype-test-failure.patch		\
   %D%/packages/patches/gdm-CVE-2018-14424.patch			\
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index a53a4f2c2f..c08c1f6758 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -39,6 +39,7 @@
 (define-public gd
   (package
     (name "gd")
+    (replacement gd/fixed)
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
@@ -94,6 +95,16 @@ most common applications of GD involve website development.")
                            "See COPYING file in the distribution."))
     (properties '((cpe-name . "libgd")))))
 
+(define-public gd/fixed
+  (hidden-package
+    (package
+      (inherit gd)
+      (source (origin
+                (inherit (package-source gd))
+                (patches (append (origin-patches (package-source gd))
+                                 (search-patches "gd-CVE-2019-6977.patch"
+                                                 "gd-CVE-2019-6978.patch"))))))))
+
 (define-public perl-gd
   (package
     (name "perl-gd")
diff --git a/gnu/packages/patches/gd-CVE-2019-6977.patch b/gnu/packages/patches/gd-CVE-2019-6977.patch
new file mode 100644
index 0000000000..b21a8ac619
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2019-6977.patch
@@ -0,0 +1,36 @@
+Fix CVE-2019-6977:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6977
+
+Patch copied from Debian:
+
+https://salsa.debian.org/debian/libgd2/commit/2d7d3b68bb79843e5271a05543e996fd5a3a8cd1
+
+Description: Heap-based buffer overflow in gdImageColorMatch
+Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
+Bug-PHP: https://bugs.php.net/bug.php?id=77270
+Bug-Debian: https://bugs.debian.org/920645
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
+Forwarded: no
+Author: "Christoph M. Becker" <cmbecker69@gmx.de>
+Last-Update: 2019-02-01
+
+At least some of the image reading functions may return images which
+use color indexes greater than or equal to im->colorsTotal.  We cater
+to this by always using a buffer size which is sufficient for
+`gdMaxColors` in `gdImageColorMatch()`.
+---
+
+--- a/src/gd_color_match.c
++++ b/src/gd_color_match.c
+@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
+ 		return -4; /* At least 1 color must be allocated */
+ 	}
+ 
+-	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
+-	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
++	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
++	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
+ 
+ 	for (x=0; x < im1->sx; x++) {
+ 		for( y=0; y<im1->sy; y++ ) {
diff --git a/gnu/packages/patches/gd-CVE-2019-6978.patch b/gnu/packages/patches/gd-CVE-2019-6978.patch
new file mode 100644
index 0000000000..69fc5056fc
--- /dev/null
+++ b/gnu/packages/patches/gd-CVE-2019-6978.patch
@@ -0,0 +1,301 @@
+Fix CVE-2019-6978:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978
+
+Patch copied from upstream source repository:
+
+https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0
+
+From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 17 Jan 2019 11:54:55 +0100
+Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
+
+Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
+must not call `gdDPExtractData()`; otherwise a double-free would
+happen.  Since `gdImage*Ctx()` are void functions, and we can't change
+that for BC reasons, we're introducing static helpers which are used
+internally.
+
+We're adding a regression test for `gdImageJpegPtr()`, but not for
+`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
+trigger failure of the respective `gdImage*Ctx()` calls.
+
+This potential security issue has been reported by Solmaz Salimi (aka.
+Rooney).
+---
+ src/gd_gif_out.c                  | 18 +++++++++++++++---
+ src/gd_jpeg.c                     | 20 ++++++++++++++++----
+ src/gd_wbmp.c                     | 21 ++++++++++++++++++---
+ tests/jpeg/.gitignore             |  1 +
+ tests/jpeg/CMakeLists.txt         |  1 +
+ tests/jpeg/Makemodule.am          |  3 ++-
+ tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
+ 7 files changed, 84 insertions(+), 11 deletions(-)
+ create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
+
+diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
+index 298a581..d5a9534 100644
+--- a/src/gd_gif_out.c
++++ b/src/gd_gif_out.c
+@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
+ static void char_out(int c, GifCtx *ctx);
+ static void flush_char(GifCtx *ctx);
+ 
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
+ 
+ 
+ 
+@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageGifCtx(im, out);
+-	rv = gdDPExtractData(out, size);
++	if (!_gdImageGifCtx(im, out)) {
++		rv = gdDPExtractData(out, size);
++	} else {
++		rv = NULL;
++	}
+ 	out->gd_free(out);
+ 	return rv;
+ }
+@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
+ 
+ */
+ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
++{
++	_gdImageGifCtx(im, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ {
+ 	gdImagePtr pim = 0, tim = im;
+ 	int interlace, BitsPerPixel;
+@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ 		based temporary image. */
+ 		pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
+ 		if(!pim) {
+-			return;
++			return 1;
+ 		}
+ 		tim = pim;
+ 	}
+@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ 		/* Destroy palette based temporary image. */
+ 		gdImageDestroy(	pim);
+ 	}
++
++	return 0;
+ }
+ 
+ 
+diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
+index fc05842..96ef430 100644
+--- a/src/gd_jpeg.c
++++ b/src/gd_jpeg.c
+@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
+ 	exit(99);
+ }
+ 
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
++
+ /*
+  * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
+  * QUALITY.  If QUALITY is in the range 0-100, increasing values
+@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageJpegCtx(im, out, quality);
+-	rv = gdDPExtractData(out, size);
++	if (!_gdImageJpegCtx(im, out, quality)) {
++		rv = gdDPExtractData(out, size);
++	} else {
++		rv = NULL;
++	}
+ 	out->gd_free(out);
+ 	return rv;
+ }
+@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
+ 
+ */
+ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
++{
++	_gdImageJpegCtx(im, outfile, quality);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ {
+ 	struct jpeg_compress_struct cinfo;
+ 	struct jpeg_error_mgr jerr;
+@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ 		if(row) {
+ 			gdFree(row);
+ 		}
+-		return;
++		return 1;
+ 	}
+ 
+ 	cinfo.err->emit_message = jpeg_emit_message;
+@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ 	if(row == 0) {
+ 		gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
+ 		jpeg_destroy_compress(&cinfo);
+-		return;
++		return 1;
+ 	}
+ 
+ 	rowptr[0] = row;
+@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ 	jpeg_finish_compress(&cinfo);
+ 	jpeg_destroy_compress(&cinfo);
+ 	gdFree(row);
++	return 0;
+ }
+ 
+ 
+diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
+index f19a1c9..a49bdbe 100644
+--- a/src/gd_wbmp.c
++++ b/src/gd_wbmp.c
+@@ -88,6 +88,8 @@ int gd_getin(void *in)
+ 	return (gdGetC((gdIOCtx *)in));
+ }
+ 
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
++
+ /*
+ 	Function: gdImageWBMPCtx
+ 
+@@ -100,6 +102,12 @@ int gd_getin(void *in)
+ 		out   - the stream where to write
+ */
+ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
++{
++	_gdImageWBMPCtx(image, fg, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ {
+ 	int x, y, pos;
+ 	Wbmp *wbmp;
+@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ 	/* create the WBMP */
+ 	if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
+ 		gd_error("Could not create WBMP\n");
+-		return;
++		return 1;
+ 	}
+ 
+ 	/* fill up the WBMP structure */
+@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ 
+ 	/* write the WBMP to a gd file descriptor */
+ 	if(writewbmp(wbmp, &gd_putout, out)) {
++		freewbmp(wbmp);
+ 		gd_error("Could not save WBMP\n");
++		return 1;
+ 	}
+ 
+ 	/* des submitted this bugfix: gdFree the memory. */
+ 	freewbmp(wbmp);
++
++	return 0;
+ }
+ 
+ /*
+@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageWBMPCtx(im, fg, out);
+-	rv = gdDPExtractData(out, size);
++	if (!_gdImageWBMPCtx(im, fg, out)) {
++		rv = gdDPExtractData(out, size);
++	} else {
++		rv = NULL;
++	}
+ 	out->gd_free(out);
+ 	return rv;
+ }
+#diff --git a/tests/jpeg/.gitignore b/tests/jpeg/.gitignore
+#index c28aa87..13bcf04 100644
+#--- a/tests/jpeg/.gitignore
+#+++ b/tests/jpeg/.gitignore
+#@@ -3,5 +3,6 @@
+# /jpeg_empty_file
+# /jpeg_im2im
+# /jpeg_null
+#+/jpeg_ptr_double_free
+# /jpeg_read
+# /jpeg_resolution
+diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
+index 19964b0..a8d8162 100644
+--- a/tests/jpeg/CMakeLists.txt
++++ b/tests/jpeg/CMakeLists.txt
+@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
+ LIST(APPEND TESTS_FILES
+ 	jpeg_empty_file
+ 	jpeg_im2im
++	jpeg_ptr_double_free
+ 	jpeg_null
+ )
+ 
+diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
+index 7e5d317..b89e169 100644
+--- a/tests/jpeg/Makemodule.am
++++ b/tests/jpeg/Makemodule.am
+@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
+ libgd_test_programs += \
+ 	jpeg/jpeg_empty_file \
+ 	jpeg/jpeg_im2im \
+-	jpeg/jpeg_null
++	jpeg/jpeg_null \
++	jpeg/jpeg_ptr_double_free
+ 
+ if HAVE_LIBPNG
+ libgd_test_programs += \
+diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
+new file mode 100644
+index 0000000..df5a510
+--- /dev/null
++++ b/tests/jpeg/jpeg_ptr_double_free.c
+@@ -0,0 +1,31 @@
++/**
++ * Test that failure to convert to JPEG returns NULL
++ *
++ * We are creating an image, set its width to zero, and pass this image to
++ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
++ *
++ * See also <https://github.com/libgd/libgd/issues/381>
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++    gdImagePtr src, dst;
++    int size;
++
++    src = gdImageCreateTrueColor(1, 10);
++    gdTestAssert(src != NULL);
++
++    src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
++
++    dst = gdImageJpegPtr(src, &size, 0);
++    gdTestAssert(dst == NULL);
++
++    gdImageDestroy(src);
++
++    return gdNumFailures();
++}
+-- 
+2.20.1
+
-- 
2.20.1





From debbugs-submit-bounces@debbugs.gnu.org Tue Feb 19 15:48:08 2019
Received: (at 34491-done) by debbugs.gnu.org; 19 Feb 2019 20:48:08 +0000
Received: from localhost ([127.0.0.1]:55623 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1gwCJE-0001gH-3L
	for submit@debbugs.gnu.org; Tue, 19 Feb 2019 15:48:08 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:54033)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1gwCJC-0001fn-2P
 for 34491-done@debbugs.gnu.org; Tue, 19 Feb 2019 15:48:06 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 9E9B922022;
 Tue, 19 Feb 2019 15:48:00 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
 by compute4.internal (MEProxy); Tue, 19 Feb 2019 15:48:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:subject:message-id:mime-version:content-type; s=
 mesmtp; bh=wZvGaGHvJeChDUx3i3EMvVz0UOvNC4lqWp+xfKQjaj0=; b=Rdrz3
 ZlmgGRw7ztBdRQzaG55PeyWfJQ4fSOEpxdxWmTZpbLMx3FlkrBircbop1WtfECdE
 mbrXUUJwTDmFar0wKStWNJ+hB+5Zup7E7QKLJvTvDpDBwsN1Xq+0dyY3VfNZDTjP
 OM6cpx4gNTSCRp560pFmh2Y7KCXWyrTdwKxEM8=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=wZvGaGHvJeChDUx3i3EMvVz0UOvNC
 4lqWp+xfKQjaj0=; b=r9v2omk87e4cjOdU6gyICjhs1FnvwGGAO9fOBD0eELNPe
 W8O0SLYsDVyJYLM3DK9UYt59Pg6rlx1Np2t0EOumxJeOKluOWYQaUT62Foc5DBXk
 iAk7ieiY7qErJ5P8ePZEGMjZ8e7zTC7BJkWt6MfI+7iSZaBGYLMJX0StqeDP+2G2
 jvyCfbfJxoCFoYXIVhKjYYz0NrHlNiUSkBJ80u76NHlSfXOc1+3jN81pEqKL4fqA
 YVa0rSxHyB59Vy1pKNBpWfDU9AqqfYEQioQz6UXXP+eOJeLJNLvhvmP3I+Yy9R3A
 iRdzAJF7kiI/PQNDtF32W/QK1qsp3aLcvtYKU5SBw==
X-ME-Sender: <xms:fmtsXL6jR1hMCscS4nqhRSV_hznJH621rvNxO4h3jx4K9-U-5EaGxg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrtdeggddugedtucdltddurdegtdelrddttd
 dmucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhht
 necuuegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfggtggufgesghdtre
 ertdervdenucfhrhhomhepnfgvohcuhfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgr
 rhhirdhnrghmvgeqnecukfhppeejiedruddvgedrvddtvddrudefjeenucfrrghrrghmpe
 hmrghilhhfrhhomheplhgvohesfhgrmhhulhgrrhhirdhnrghmvgenucevlhhushhtvghr
 ufhiiigvpedt
X-ME-Proxy: <xmx:fmtsXEYhneBxAJbNAsCxccO7-OvULIa8IV1KbOh8WPrmh6dxoDkN2A>
 <xmx:fmtsXJPpo32MdMc1crSBdI4O0rDnF9K5Z_UizbyykVsV9IuiQHyQ_g>
 <xmx:fmtsXKaC62PkInIv_XGevFkCbAo_sAmJFM_k5eRkywLwMZjMG1OniQ>
 <xmx:gGtsXEtjMwBhPs5qm18avqKxBvQLXU5rKM7wsBCYtyrYpFv84xvGsw>
Received: from localhost (c-76-124-202-137.hsd1.pa.comcast.net
 [76.124.202.137])
 by mail.messagingengine.com (Postfix) with ESMTPA id F30C910314
 for <34491-done@debbugs.gnu.org>; Tue, 19 Feb 2019 15:47:57 -0500 (EST)
Date: Tue, 19 Feb 2019 15:47:56 -0500
From: Leo Famulari <leo@famulari.name>
To: 34491-done@debbugs.gnu.org
Subject: Re: [PATCH] gnu: libgd: Fix CVE-2019-{6977,6978}.
Message-ID: <20190219204756.GA1966@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="CE+1k2dSO48ffgeK"
Content-Disposition: inline
User-Agent: Mutt/1.11.2 (2019-01-07)
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 34491-done
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)


--CE+1k2dSO48ffgeK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Pushed as c12b23469576fb1c3920120ef06b696daa30b855

--CE+1k2dSO48ffgeK
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlxsa3wACgkQJkb6MLrK
fwgyyw//Sv+i9NuCThwMoUk3P8vE+9KgerRsFzmfmN5s/lgGSIYn0iL+4TC7CA3J
zi201GFMQ59LSd9D8ExNcB708iOJ7/rCpLnOs8Npvt/o6pbsPGVxtE5nDcmyeMuo
Qs3TPV9xW+s9ox+8l92lN+TC4umeRaKdMj6jzbfClcZOUzUzbhUsmAmrTN9qI4ki
Muglx/0n+GO0KTrWNl5mTSkUaJAREbsipC81MUZA0GKo6w4h9oVbjt+0Ctd7LE/X
NjUxSkr+lU6bNpqkQtiFh0Z2b5fNz3CkiYcmk5HSFHi11aX2OSKGK9Ah0jqAtptf
m7Rk1nG9fEXQz5gicki4QmPGEFYlGf4si9pB/qgCuWEVph/j16gng8gQZCHSCYvr
Qzu/F1MLaTkMeZ7+zzfOt5yjo8zjxhwiw8wHYdnzHCmGgkG5tVkSd+vl8ql/lVF5
yi6F66e1rqkHFYOJtFKu1FXG5tEii3/Iz/V2IQIE4gyI6kqocHBk7pGcQwUY9inD
W0vLD6amVB59A8HarbPQAE3F/4u5H8durmlRD+k/nhg8t4RSR3CStQTS7ktMREGu
5AtA96VVd73G1X+f9SBSIYIY9yw3y2BRG8O/ngAZ06rc7Uamivto06wMD++1bfym
VBCZRyQHbAatzEKhkOlOyIQ8DFYN2hQjML9ctdG/ldVLiq7PzAs=
=KDwd
-----END PGP SIGNATURE-----

--CE+1k2dSO48ffgeK--




From unknown Thu Jun 19 12:38:38 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request <help-debbugs@gnu.org>
Subject: Internal Control
Message-Id: bug archived.
Date: Wed, 20 Mar 2019 11:24:07 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator