diff mbox

libgd security update / i686 issues

Message ID 20160728163027.GA10649@jasmine
State New
Headers show

Commit Message

Leo Famulari July 28, 2016, 4:30 p.m. UTC
On Thu, Jul 28, 2016 at 10:40:49AM +0200, Andreas Enge wrote:
> Well, the bug report states that the result is correct on armv7. Apparently
> i686 is not IEEE compliant by default, while armv7 is. So it should be okay
> to apply the flags only on i686. We assume that SSE, but not SSE2 or later
> are supported, see our Qt package.

Thanks for the advice. What do you think about the attached patch?

Comments

Mark H Weaver July 28, 2016, 5:22 p.m. UTC | #1
Leo Famulari <leo@famulari.name> writes:

> On Thu, Jul 28, 2016 at 10:40:49AM +0200, Andreas Enge wrote:
>> Well, the bug report states that the result is correct on armv7. Apparently
>> i686 is not IEEE compliant by default, while armv7 is. So it should be okay
>> to apply the flags only on i686. We assume that SSE, but not SSE2 or later
>> are supported, see our Qt package.
>
> Thanks for the advice. What do you think about the attached patch?

Not all i686 systems have support for SSE.  I don't think we should
apply the upstream suggested workaround, which effectively amounts to
dropping support for older systems.  If we want to add a requirement for
SSE for i686 systems in Guix, that should be a separate discussion, and
not rushed in as part of a security update.

I will adapt my patch to the new version.

     Mark
Leo Famulari July 28, 2016, 6:38 p.m. UTC | #2
On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
> Not all i686 systems have support for SSE.  I don't think we should
> apply the upstream suggested workaround, which effectively amounts to
> dropping support for older systems.  If we want to add a requirement for
> SSE for i686 systems in Guix, that should be a separate discussion, and
> not rushed in as part of a security update.
> 
> I will adapt my patch to the new version.

Okay, thanks Mark!
Leo Famulari July 28, 2016, 6:56 p.m. UTC | #3
On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
> I will adapt my patch to the new version.

Unfortunately, this new patch makes libgd fail to build from source on
x86_64, like this:

gdimagecopyresampled/basic_alpha.c: In function ‘main’:
gdimagecopyresampled/basic_alpha.c:37:23: error: value computed is not used [-Werror=unused-value]
  FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/basic_alpha_exp.png", copy);
                       ^
cc1: all warnings being treated as errors
Makefile:3120: recipe for target 'gdimagecopyresampled/basic_alpha.o' failed
make[2]: *** [gdimagecopyresampled/basic_alpha.o] Error 1
make[2]: *** Waiting for unfinished jobs....
gdimagecopyresampled/bug00201.c: In function ‘main’:
gdimagecopyresampled/bug00201.c:69:26: error: value computed is not used [-Werror=unused-value]
     FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/bug00201_exp.png", img);
                          ^
cc1: all warnings being treated as errors
Makefile:3120: recipe for target 'gdimagecopyresampled/bug00201.o' failed
make[2]: *** [gdimagecopyresampled/bug00201.o] Error 1
make[2]: Leaving directory '/tmp/guix-build-gd-2.2.3.drv-0/libgd-2.2.3/tests'
Makefile:4318: recipe for target 'check-am' failed
make[1]: *** [check-am] Error 2
make[1]: Leaving directory '/tmp/guix-build-gd-2.2.3.drv-0/libgd-2.2.3/tests'
Makefile:408: recipe for target 'check-recursive' failed
make: *** [check-recursive] Error 1
phase `check' failed after 2.0 seconds
Leo Famulari July 28, 2016, 8:47 p.m. UTC | #4
On Thu, Jul 28, 2016 at 02:56:06PM -0400, Leo Famulari wrote:
> On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
> > I will adapt my patch to the new version.
> 
> Unfortunately, this new patch makes libgd fail to build from source on
> x86_64, like this:

I reverted the commit on master and merged master into core-updates.
Mark H Weaver July 29, 2016, 5:59 p.m. UTC | #5
Leo Famulari <leo@famulari.name> writes:

> On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
>> I will adapt my patch to the new version.
>
> Unfortunately, this new patch makes libgd fail to build from source on
> x86_64, like this:
>
> gdimagecopyresampled/basic_alpha.c: In function ‘main’:
> gdimagecopyresampled/basic_alpha.c:37:23: error: value computed is not used [-Werror=unused-value]
>   FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/basic_alpha_exp.png", copy);
>                        ^
> cc1: all warnings being treated as errors
> Makefile:3120: recipe for target 'gdimagecopyresampled/basic_alpha.o' failed
> make[2]: *** [gdimagecopyresampled/basic_alpha.o] Error 1
> make[2]: *** Waiting for unfinished jobs....
> gdimagecopyresampled/bug00201.c: In function ‘main’:
> gdimagecopyresampled/bug00201.c:69:26: error: value computed is not used [-Werror=unused-value]
>      FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/bug00201_exp.png", img);
>                           ^
> cc1: all warnings being treated as errors
> Makefile:3120: recipe for target 'gdimagecopyresampled/bug00201.o' failed

Bah, sorry about that.  I just pushed an updated patch that builds
successfully on x86_64 and i686, and hopefully on the others as well.

      Mark
Leo Famulari July 29, 2016, 6:52 p.m. UTC | #6
On Fri, Jul 29, 2016 at 01:59:15PM -0400, Mark H Weaver wrote:
> Bah, sorry about that.  I just pushed an updated patch that builds
> successfully on x86_64 and i686, and hopefully on the others as well.

Thank you!
Mark H Weaver July 29, 2016, 8:33 p.m. UTC | #7
Mark H Weaver <mhw@netris.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Thu, Jul 28, 2016 at 01:22:40PM -0400, Mark H Weaver wrote:
>>> I will adapt my patch to the new version.
>>
>> Unfortunately, this new patch makes libgd fail to build from source on
>> x86_64, like this:
>>
>> gdimagecopyresampled/basic_alpha.c: In function ‘main’:
>> gdimagecopyresampled/basic_alpha.c:37:23: error: value computed is not used [-Werror=unused-value]
>>   FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/basic_alpha_exp.png", copy);
>>                        ^
>> cc1: all warnings being treated as errors
>> Makefile:3120: recipe for target 'gdimagecopyresampled/basic_alpha.o' failed
>> make[2]: *** [gdimagecopyresampled/basic_alpha.o] Error 1
>> make[2]: *** Waiting for unfinished jobs....
>> gdimagecopyresampled/bug00201.c: In function ‘main’:
>> gdimagecopyresampled/bug00201.c:69:26: error: value computed is not used [-Werror=unused-value]
>>      FLT_EVAL_METHOD != 2 && gdAssertImageEqualsToFile("gdimagecopyresampled/bug00201_exp.png", img);
>>                           ^
>> cc1: all warnings being treated as errors
>> Makefile:3120: recipe for target 'gdimagecopyresampled/bug00201.o' failed
>
> Bah, sorry about that.  I just pushed an updated patch that builds
> successfully on x86_64 and i686, and hopefully on the others as well.

The build failed on armhf and mips64el, due to another warning->error
that's unrelated to my patch.  I pushed a possible fix to the
'wip-gd-fix' branch and asked hydra to build it.

      Mark
diff mbox

Patch

From b29dacff62fc7483ea6812a4a09cd68c5578ee90 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 28 Jul 2016 02:46:23 -0400
Subject: [PATCH] gnu: gd: Update to 2.2.3.

Fixes CVE-2016-6207.

* gnu/packages/gd.scm (gd): Update to 2.2.3.
[arguments]: Add "-msse -mfpmath=sse" to CFLAGS on i686.
* gnu/packages/patches/gd-CVE-2016-5766.patch,
gnu/packages/patches/gd-CVE-2016-6128.patch,
gnu/packages/patches/gd-CVE-2016-6132.patch,
gnu/packages/patches/gd-CVE-2016-6214.patch,
gnu/packages/patches/gd-fix-test-on-i686.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
 gnu/local.mk                                   |   5 -
 gnu/packages/gd.scm                            |  17 +-
 gnu/packages/patches/gd-CVE-2016-5766.patch    |  81 --------
 gnu/packages/patches/gd-CVE-2016-6128.patch    | 253 -------------------------
 gnu/packages/patches/gd-CVE-2016-6132.patch    |  55 ------
 gnu/packages/patches/gd-CVE-2016-6214.patch    |  66 -------
 gnu/packages/patches/gd-fix-test-on-i686.patch |  34 ----
 7 files changed, 10 insertions(+), 501 deletions(-)
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-5766.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6128.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6132.patch
 delete mode 100644 gnu/packages/patches/gd-CVE-2016-6214.patch
 delete mode 100644 gnu/packages/patches/gd-fix-test-on-i686.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c143dd7..2f4dda1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -512,11 +512,6 @@  dist_patch_DATA =						\
   %D%/packages/patches/gcc-cross-environment-variables.patch	\
   %D%/packages/patches/gcc-libvtv-runpath.patch			\
   %D%/packages/patches/gcc-5.0-libvtv-runpath.patch		\
-  %D%/packages/patches/gd-CVE-2016-5766.patch			\
-  %D%/packages/patches/gd-CVE-2016-6128.patch			\
-  %D%/packages/patches/gd-CVE-2016-6132.patch			\
-  %D%/packages/patches/gd-CVE-2016-6214.patch			\
-  %D%/packages/patches/gd-fix-test-on-i686.patch		\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghostscript-CVE-2015-3228.patch		\
diff --git a/gnu/packages/gd.scm b/gnu/packages/gd.scm
index 3313ee6..3614d51 100644
--- a/gnu/packages/gd.scm
+++ b/gnu/packages/gd.scm
@@ -24,6 +24,7 @@ 
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
   #:use-module (guix download)
+  #:use-module (guix utils)
   #:use-module (gnu packages)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages image)
@@ -40,22 +41,24 @@ 
     ;; Note: With libgd.org now pointing to github.com, genuine old
     ;; tarballs are no longer available.  Notably, versions 2.0.x are
     ;; missing.
-    (version "2.2.2")
+    (version "2.2.3")
 
     (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://github.com/libgd/libgd/releases/download/gd-"
                    version "/libgd-" version ".tar.xz"))
-             (patches (search-patches "gd-fix-test-on-i686.patch"
-                                      "gd-CVE-2016-5766.patch"
-                                      "gd-CVE-2016-6128.patch"
-                                      "gd-CVE-2016-6132.patch"
-                                      "gd-CVE-2016-6214.patch"))
              (sha256
               (base32
-               "1311g5mva2xlzqv3rjqjc4jjkn5lzls4skvr395h633zw1n7b7s8"))))
+               "0g3xz8jpz1pl2zzmssglrpa9nxiaa7rmcmvgpbrjz8k9cyynqsvl"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:configure-flags 
+       (list ,@(let ((system (or (%current-target-system)
+                                 (%current-system))))
+                 (if (string-prefix? "i686" system)
+                   '("CFLAGS=-msse -mfpmath=sse")
+                   '())))))
     (native-inputs
      `(("pkg-config" ,pkg-config)))
     (inputs
diff --git a/gnu/packages/patches/gd-CVE-2016-5766.patch b/gnu/packages/patches/gd-CVE-2016-5766.patch
deleted file mode 100644
index 400cb0a..0000000
--- a/gnu/packages/patches/gd-CVE-2016-5766.patch
+++ /dev/null
@@ -1,81 +0,0 @@ 
-Fix CVE-2016-5766 (Integer Overflow in _gd2GetHeader() resulting in heap
-overflow).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766
-
-Adapted from upstream commits:
-https://github.com/libgd/libgd/commit/aba3db8ba159465ecec1089027a24835a6da9cc0
-https://github.com/libgd/libgd/commit/a6a0e7feabb2a9738086a5dc96348f233c87fa79
-
-Since `patch` cannot apply Git binary diffs, we omit the addition of
-'tests/gd2/php_bug_72339.c' and its associated binary data.
-
-From aba3db8ba159465ecec1089027a24835a6da9cc0 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Tue, 28 Jun 2016 16:23:42 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow
-
----
- src/gd_gd2.c                    |   5 ++++-
- tests/gd2/CMakeLists.txt        |   1 +
- tests/gd2/Makemodule.am         |   6 ++++--
- tests/gd2/php_bug_72339.c       |  21 +++++++++++++++++++++
- tests/gd2/php_bug_72339_exp.gd2 | Bin 0 -> 67108882 bytes
- 5 files changed, 30 insertions(+), 3 deletions(-)
- create mode 100644 tests/gd2/php_bug_72339.c
- create mode 100644 tests/gd2/php_bug_72339_exp.gd2
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index fd1e0c9..bdbbecf 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -154,8 +154,11 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 		nc = (*ncx) * (*ncy);
- 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
- 		sidx = sizeof (t_chunk_info) * nc;
-+		if (overflow2(sidx, nc)) {
-+			goto fail1;
-+		}
- 		cidx = gdCalloc (sidx, 1);
--		if (!cidx) {
-+		if (cidx == NULL) {
- 			goto fail1;
- 		}
- 		for (i = 0; i < nc; i++) {
-From a6a0e7feabb2a9738086a5dc96348f233c87fa79 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Wed, 29 Jun 2016 09:36:26 +0700
-Subject: [PATCH] fix php bug 72339 (CVE-2016-5766), Integer Overflow in
- _gd2GetHeader() resulting in heap overflow. Sync with php's sync
-
----
- src/gd_gd2.c              | 7 ++++++-
- tests/gd2/php_bug_72339.c | 2 +-
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_gd2.c b/src/gd_gd2.c
-index bdbbecf..2837456 100644
---- a/src/gd_gd2.c
-+++ b/src/gd_gd2.c
-@@ -152,11 +152,16 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
- 
- 	if (gd2_compressed (*fmt)) {
- 		nc = (*ncx) * (*ncy);
-+
- 		GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
-+		if (overflow2(sizeof(t_chunk_info), nc)) {
-+			goto fail1;
-+		}
- 		sidx = sizeof (t_chunk_info) * nc;
--		if (overflow2(sidx, nc)) {
-+		if (sidx <= 0) {
- 			goto fail1;
- 		}
-+
- 		cidx = gdCalloc (sidx, 1);
- 		if (cidx == NULL) {
- 			goto fail1;
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6128.patch b/gnu/packages/patches/gd-CVE-2016-6128.patch
deleted file mode 100644
index 45ee6b0..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6128.patch
+++ /dev/null
@@ -1,253 +0,0 @@ 
-Fix CVE-2016-6128 (invalid color index is not properly handled leading
-to denial of service).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6128
-
-Copied from upstream commits:
-https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd
-
-From 1ccfe21e14c4d18336f9da8515cd17db88c3de61 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:17:39 +0700
-Subject: [PATCH 1/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- src/gd_crop.c        | 4 ++++
- tests/CMakeLists.txt | 1 +
- tests/Makefile.am    | 1 +
- 3 files changed, 6 insertions(+)
-
-diff --git a/src/gd_crop.c b/src/gd_crop.c
-index 0296633..532b49b 100644
---- a/src/gd_crop.c
-+++ b/src/gd_crop.c
-@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
- 		return NULL;
- 	}
- 
-+	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
-+		return NULL;
-+	}
-+
- 	/* TODO: Add gdImageGetRowPtr and works with ptr at the row level
- 	 * for the true color and palette images
- 	 * new formats will simply work with ptr
-diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
-index 6f5c786..5093d52 100644
---- a/tests/CMakeLists.txt
-+++ b/tests/CMakeLists.txt
-@@ -31,6 +31,7 @@ if (BUILD_TEST)
- 		gdimagecolortransparent
- 		gdimagecopy
- 		gdimagecopyrotated
-+        gdimagecrop
- 		gdimagefile
- 		gdimagefill
- 		gdimagefilledellipse
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index 4f6e756..5a0ebe8 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -25,6 +25,7 @@ include gdimagecolorresolve/Makemodule.am
- include gdimagecolortransparent/Makemodule.am
- include gdimagecopy/Makemodule.am
- include gdimagecopyrotated/Makemodule.am
-+include gdimagecrop/Makemodule.am
- include gdimagefile/Makemodule.am
- include gdimagefill/Makemodule.am
- include gdimagefilledellipse/Makemodule.am
--- 
-2.9.1
-
-From 8c9f39c7cb1f62ea00bc7a48aff64d3811c2d6d0 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:20:07 +0700
-Subject: [PATCH 2/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/.gitignore | 1 +
- 1 file changed, 1 insertion(+)
- create mode 100644 tests/gdimagecrop/.gitignore
-
-diff --git a/tests/gdimagecrop/.gitignore b/tests/gdimagecrop/.gitignore
-new file mode 100644
-index 0000000..8e8c9c3
---- /dev/null
-+++ b/tests/gdimagecrop/.gitignore
-@@ -0,0 +1 @@
-+/php_bug_72494
--- 
-2.9.1
-
-From 8de370b7b6263a02268037a7cd13ddd991b43ea9 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:24:50 +0700
-Subject: [PATCH 3/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/CMakeLists.txt | 5 +++++
- 1 file changed, 5 insertions(+)
- create mode 100644 tests/gdimagecrop/CMakeLists.txt
-
-diff --git a/tests/gdimagecrop/CMakeLists.txt b/tests/gdimagecrop/CMakeLists.txt
-new file mode 100644
-index 0000000..f7e4c7e
---- /dev/null
-+++ b/tests/gdimagecrop/CMakeLists.txt
-@@ -0,0 +1,5 @@
-+SET(TESTS_FILES
-+	php_bug_72494
-+)
-+
-+ADD_GD_TESTS()
--- 
-2.9.1
-
-From bca12e4e11ecda8a0ea719472700ad5c2b36a0d6 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:25:12 +0700
-Subject: [PATCH 4/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/Makemodule.am | 5 +++++
- 1 file changed, 5 insertions(+)
- create mode 100644 tests/gdimagecrop/Makemodule.am
-
-diff --git a/tests/gdimagecrop/Makemodule.am b/tests/gdimagecrop/Makemodule.am
-new file mode 100644
-index 0000000..210888b
---- /dev/null
-+++ b/tests/gdimagecrop/Makemodule.am
-@@ -0,0 +1,5 @@
-+libgd_test_programs += \
-+	gdimagecrop/php_bug_72494
-+
-+EXTRA_DIST += \
-+	gdimagecrop/CMakeLists.txt
--- 
-2.9.1
-
-From 6ff72ae40c7c20ece939afb362d98cc37f4a1c96 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:25:40 +0700
-Subject: [PATCH 5/8] fix php 72494, invalid color index not handled, can lead
- to crash
-
----
- tests/gdimagecrop/php_bug_72494.c | 23 +++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
- create mode 100644 tests/gdimagecrop/php_bug_72494.c
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-new file mode 100644
-index 0000000..adaa379
---- /dev/null
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -0,0 +1,23 @@
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include "gd.h"
-+
-+#include "gdtest.h"
-+
-+int main()
-+{
-+	gdImagePtr im, exp;
-+	int error = 0;
-+
-+	im = gdImageCreate(50, 50);
-+
-+	if (!im) {
-+		gdTestErrorMsg("gdImageCreate failed.\n");
-+		return 1;
-+	}
-+
-+	gdImageCropThreshold(im, 1337, 0);
-+	gdImageDestroy(im);
-+	/* this bug tests a crash, it never reaches this point if the bug exists*/
-+	return 0;
-+}
--- 
-2.9.1
-
-From a0f9f8f7bd0d3a6c6afd6d180b8e75d93aadddfa Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:38:07 +0700
-Subject: [PATCH 6/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- src/gd_crop.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/gd_crop.c b/src/gd_crop.c
-index 532b49b..d51ad67 100644
---- a/src/gd_crop.c
-+++ b/src/gd_crop.c
-@@ -136,7 +136,7 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePtr im, const unsigned int c
- 		return NULL;
- 	}
- 
--	if (color < 0 || (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im))) {
-+	if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
- 		return NULL;
- 	}
- 
--- 
-2.9.1
-
-From 907115fbb980862934d0de91af4977a216745039 Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 11:51:40 +0700
-Subject: [PATCH 7/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- tests/gdimagecrop/php_bug_72494.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-index adaa379..5cb589b 100644
---- a/tests/gdimagecrop/php_bug_72494.c
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -6,7 +6,7 @@
- 
- int main()
- {
--	gdImagePtr im, exp;
-+	gdImagePtr im;
- 	int error = 0;
- 
- 	im = gdImageCreate(50, 50);
--- 
-2.9.1
-
-From fd623025505e87bba7ec8555eeb72dae4fb0afdc Mon Sep 17 00:00:00 2001
-From: Pierre Joye <pierre.php@gmail.com>
-Date: Mon, 27 Jun 2016 12:04:25 +0700
-Subject: [PATCH 8/8] fix php 72494, CID 149753, color is unsigned int, remove
- useless <0 comparison
-
----
- tests/gdimagecrop/php_bug_72494.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/tests/gdimagecrop/php_bug_72494.c b/tests/gdimagecrop/php_bug_72494.c
-index 5cb589b..3bd19be 100644
---- a/tests/gdimagecrop/php_bug_72494.c
-+++ b/tests/gdimagecrop/php_bug_72494.c
-@@ -7,7 +7,6 @@
- int main()
- {
- 	gdImagePtr im;
--	int error = 0;
- 
- 	im = gdImageCreate(50, 50);
- 
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6132.patch b/gnu/packages/patches/gd-CVE-2016-6132.patch
deleted file mode 100644
index 4c475b7..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6132.patch
+++ /dev/null
@@ -1,55 +0,0 @@ 
-Fix CVE-2016-6132 (read out-of-bounds when parsing TGA files).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6132
-
-Copied from upstream commit:
-https://github.com/libgd/libgd/commit/ead349e99868303b37f5e6e9d9d680c9dc71ff8d
-
-From ead349e99868303b37f5e6e9d9d680c9dc71ff8d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
-Date: Tue, 12 Jul 2016 11:24:09 +0200
-Subject: [PATCH] Fix #247, A read out-of-bands was found in the parsing of TGA
- files (CVE-2016-6132)
-
----
- src/gd_tga.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index ef20f86..20fe2d2 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -237,7 +237,11 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
- 			return -1;
- 		}
- 
--		gdGetBuf(conversion_buffer, image_block_size, ctx);
-+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
-+			gd_error("gd-tga: premature end of image data\n");
-+			gdFree(conversion_buffer);
-+			return -1;
-+		}
- 
- 		while (buffer_caret < image_block_size) {
- 			tga->bitmap[buffer_caret] = (int) conversion_buffer[buffer_caret];
-@@ -257,11 +261,16 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
- 		}
- 		conversion_buffer = (unsigned char *) gdMalloc(image_block_size * sizeof(unsigned char));
- 		if (conversion_buffer == NULL) {
-+			gd_error("gd-tga: premature end of image data\n");
- 			gdFree( decompression_buffer );
- 			return -1;
- 		}
- 
--		gdGetBuf( conversion_buffer, image_block_size, ctx );
-+		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
-+			gdFree(conversion_buffer);
-+			gdFree(decompression_buffer);
-+			return -1;
-+		}
- 
- 		buffer_caret = 0;
- 
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/gd-CVE-2016-6214.patch b/gnu/packages/patches/gd-CVE-2016-6214.patch
deleted file mode 100644
index 7894a32..0000000
--- a/gnu/packages/patches/gd-CVE-2016-6214.patch
+++ /dev/null
@@ -1,66 +0,0 @@ 
-Fix CVE-2016-6214 (read out-of-bounds when parsing TGA files).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6214
-
-Adapted from upstream commit:
-https://github.com/libgd/libgd/commit/341aa68843ceceae9ba6e083431f14a07bd92308
-
-Since `patch` cannot apply Git binary diffs, we omit the addition of
-'tests/tga/bug00247a.c' and its associated binary data.
-
-From 341aa68843ceceae9ba6e083431f14a07bd92308 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Tue, 12 Jul 2016 19:23:13 +0200
-Subject: [PATCH] Unsupported TGA bpp/alphabit combinations should error
- gracefully
-
-Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are
-really supported. All other combinations will be rejected with a warning.
-
-(cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9)
----
- src/gd_tga.c             |  16 ++++++----------
- tests/tga/.gitignore     |   1 +
- tests/tga/CMakeLists.txt |   1 +
- tests/tga/Makemodule.am  |   4 +++-
- tests/tga/bug00247a.c    |  19 +++++++++++++++++++
- tests/tga/bug00247a.tga  | Bin 0 -> 36 bytes
- 6 files changed, 30 insertions(+), 11 deletions(-)
- create mode 100644 tests/tga/bug00247a.c
- create mode 100644 tests/tga/bug00247a.tga
-
-diff --git a/src/gd_tga.c b/src/gd_tga.c
-index 20fe2d2..b4f8fa6 100644
---- a/src/gd_tga.c
-+++ b/src/gd_tga.c
-@@ -99,7 +99,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromTgaCtx(gdIOCtx* ctx)
- 			if (tga->bits == TGA_BPP_24) {
- 				*tpix = gdTrueColor(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret]);
- 				bitmap_caret += 3;
--			} else if (tga->bits == TGA_BPP_32 || tga->alphabits) {
-+			} else if (tga->bits == TGA_BPP_32 && tga->alphabits) {
- 				register int a = tga->bitmap[bitmap_caret + 3];
- 
- 				*tpix = gdTrueColorAlpha(tga->bitmap[bitmap_caret + 2], tga->bitmap[bitmap_caret + 1], tga->bitmap[bitmap_caret], gdAlphaMax - (a >> 1));
-@@ -159,16 +159,12 @@ int read_header_tga(gdIOCtx *ctx, oTga *tga)
- 	printf("wxh: %i %i\n", tga->width, tga->height);
- #endif
- 
--	switch(tga->bits) {
--	case 8:
--	case 16:
--	case 24:
--	case 32:
--		break;
--	default:
--		gd_error("bps %i not supported", tga->bits);
-+	if (!((tga->bits == TGA_BPP_24 && tga->alphabits == 0)
-+		|| (tga->bits == TGA_BPP_32 && tga->alphabits == 8)))
-+	{
-+		gd_error_ex(GD_WARNING, "gd-tga: %u bits per pixel with %u alpha bits not supported\n",
-+			tga->bits, tga->alphabits);
- 		return -1;
--		break;
- 	}
- 
- 	tga->ident = NULL;
diff --git a/gnu/packages/patches/gd-fix-test-on-i686.patch b/gnu/packages/patches/gd-fix-test-on-i686.patch
deleted file mode 100644
index 6dd2e0f..0000000
--- a/gnu/packages/patches/gd-fix-test-on-i686.patch
+++ /dev/null
@@ -1,34 +0,0 @@ 
-Disable part of the gdimagerotate test on architectures such as i686
-where intermediate floating-point operations are done with 80-bit long
-doubles, and typically later rounded to 64-bit doubles.  This double
-rounding causes small differences in the resulting pixel values
-compared with other architectures, causing the image comparison to
-fail.
-
-Patch by Mark H Weaver <mhw@netris.org>.
-
---- libgd-2.2.2/tests/gdimagerotate/bug00067.c	1969-12-31 19:00:00.000000000 -0500
-+++ libgd-2.2.2/tests/gdimagerotate/bug00067.c	2016-07-18 12:19:19.885423132 -0400
-@@ -1,5 +1,6 @@
- #include <stdio.h>
- #include <stdlib.h>
-+#include <float.h>
- #include "gd.h"
- 
- #include "gdtest.h"
-@@ -41,6 +42,7 @@
- 			return 1;
- 		}
- 
-+#if FLT_EVAL_METHOD != 2
- 		sprintf(filename, "bug00067_%03d_exp.png", angle);
- 		path = gdTestFilePath2("gdimagerotate", filename);
- 		if (!gdAssertImageEqualsToFile(path, exp)) {
-@@ -48,6 +50,7 @@
- 			error += 1;
- 		}
- 		free(path);
-+#endif
- 
- 		gdImageDestroy(exp);
- 	}
-- 
2.9.2