Backwards port png overflow fix from gd-2.x #69070.

4 files changed, 79 insertions, 8 deletions

diff --git a/media-libs/gd/ChangeLog b/media-libs/gd/ChangeLog
index 62752149c0b4..a6608fea3059 100644
--- a/media-libs/gd/ChangeLog
+++ b/media-libs/gd/ChangeLog
@@ -1,6 +1,10 @@
 # ChangeLog for media-libs/gd
 # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/gd/ChangeLog,v 1.12 2004/11/01 01:53:32 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/gd/ChangeLog,v 1.13 2004/11/01 02:39:08 vapier Exp $
+
+  31 Oct 2004; Mike Frysinger <vapier@gentoo.org>
+  +files/1.8.4-png-overflows.patch, gd-1.8.4-r2.ebuild:
+  Backwards port png overflow fix from gd-2.x #69070.
 
 *gd-2.0.31 (31 Oct 2004)
 
diff --git a/media-libs/gd/Manifest b/media-libs/gd/Manifest
index ec63dd57d7fb..394518cec7a8 100644
--- a/media-libs/gd/Manifest
+++ b/media-libs/gd/Manifest
@@ -1,21 +1,22 @@
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 
-MD5 2d98a5160432efac9e9e4257ff1ddd6c ChangeLog 7640
+MD5 909ef07bfd733a99e1d889ad1c302126 ChangeLog 7801
 MD5 91fb60093026cec390b6df0ddd4a1d59 gd-2.0.28.ebuild 957
 MD5 312563b7288a2111976b24b0865d9df8 metadata.xml 1227
 MD5 a4afb55d39a96c93e9b99d8d2706c84c gd-2.0.31.ebuild 1013
-MD5 fb45f43372ca8e8c5a8ee203d52cb1dc gd-1.8.4-r2.ebuild 2225
+MD5 de07bc1eeb3a2a8dcf9c11ad63c8f9fb gd-1.8.4-r2.ebuild 2271
 MD5 09cc9995071652c954638c7ed2590dee files/1.8.4-jpeg-inc.patch 419
 MD5 7f1d011b6f09a5125c3c5151abbb2f56 files/digest-gd-2.0.28 133
 MD5 1b0c2bb216ba3a29f024514a934ca995 files/digest-gd-1.8.4-r2 60
 MD5 c700ef06f9532087e4f27487633179a9 files/1.8.4-dec-alpha-compiler.diff 725
 MD5 7b4c1fddfe76029cf9683586b0ea732c files/digest-gd-2.0.31 61
 MD5 38fb558a8071c00ce93e35aede13aaf6 files/2.0.31-png-check.patch 369
+MD5 b70b849b60f7bc6a409d6effcd8b2cfb files/1.8.4-png-overflows.patch 2410
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.9.10 (GNU/Linux)
 
-iD8DBQFBhZc8HTu7gpaalycRAhzGAKC+eW4BgGMRTyT2ylTTpicYZ8dUrgCfVrP+
-7sqNafTzT7ba+fNSm7ZtmvI=
-=uWVV
+iD8DBQFBhaHsHTu7gpaalycRAqs6AKDz93ZPAJ/DK32JSwf5tK1D+IkSeACgnN3d
+WVcbmMJ5cQ6e5+ojjcOiwrE=
+=BTRZ
 -----END PGP SIGNATURE-----
diff --git a/media-libs/gd/files/1.8.4-png-overflows.patch b/media-libs/gd/files/1.8.4-png-overflows.patch
new file mode 100644
index 000000000000..365d6a76a731
--- /dev/null
+++ b/media-libs/gd/files/1.8.4-png-overflows.patch
@@ -0,0 +1,65 @@
+--- gd-1.8.4/gd_png.c	2001-02-06 14:44:02.000000000 -0500
++++ gd-1.8.4/gd_png.c.new	2004-10-31 21:36:03.939822448 -0500
+@@ -11,6 +11,23 @@
+ 
+ #ifdef HAVE_LIBPNG
+ 
++#include <limits.h>
++
++int overflow2(int a, int b)
++{
++	if(a < 0 || b < 0) {
++		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++		return 1;
++	}
++	if(b == 0)
++		return 0;
++	if(a > INT_MAX / b) {
++		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++		return 1;
++	}
++	return 0;
++}
++
+ /*---------------------------------------------------------------------------
+ 
+     gd_png.c                 Copyright 1999 Greg Roelofs and Thomas Boutell
+@@ -342,11 +359,20 @@
+ 
+     /* allocate space for the PNG image data */
+     rowbytes = png_get_rowbytes(png_ptr, info_ptr);
++    if (overflow2(rowbytes, height)) {
++        png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
++        return NULL;
++    }
+     if ((image_data = (png_bytep)gdMalloc(rowbytes*height)) == NULL) {
+         fprintf(stderr, "gd-png error: cannot allocate image data\n");
+         png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
+         return NULL;
+     }
++    if (overflow2(height, sizeof (png_bytep))) {
++        png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
++        gdFree (image_data);
++        return NULL;
++    }
+     if ((row_pointers = (png_bytepp)gdMalloc(height*sizeof(png_bytep))) == NULL) {
+         fprintf(stderr, "gd-png error: cannot allocate row pointers\n");
+         png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
+@@ -577,10 +603,17 @@
+      * interlaced images, but interlacing causes some serious complications. */
+     if (remap) {
+         png_bytep *row_pointers;
++        if (overflow2(sizeof (png_bytep), height)) {
++            return;
++        } 
+ 	row_pointers = gdMalloc(sizeof(png_bytep) * height);
+         if (row_pointers == NULL) {
+             fprintf(stderr, "gd-png error: unable to allocate row_pointers\n");
+         }
++        if (overflow2(width, height)) {
++            fprintf(stderr, "gd-png error: unable to allocate rows\n");
++            return;
++        }
+         for (j = 0;  j < height;  ++j) {
+             if ((row_pointers[j] = (png_bytep)gdMalloc(width)) == NULL) {
+                 fprintf(stderr, "gd-png error: unable to allocate rows\n");
diff --git a/media-libs/gd/gd-1.8.4-r2.ebuild b/media-libs/gd/gd-1.8.4-r2.ebuild
index 61f2628b9928..bcd63dcd6f7a 100644
--- a/media-libs/gd/gd-1.8.4-r2.ebuild
+++ b/media-libs/gd/gd-1.8.4-r2.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2004 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/gd/gd-1.8.4-r2.ebuild,v 1.3 2004/10/31 11:07:35 hansmi Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/gd/gd-1.8.4-r2.ebuild,v 1.4 2004/11/01 02:39:08 vapier Exp $
 
 inherit eutils toolchain-funcs
 
@@ -10,7 +10,7 @@ SRC_URI="http://www.boutell.com/gd/http/${P}.tar.gz"
 
 LICENSE="|| ( as-is BSD )"
 SLOT="0"
-KEYWORDS="x86 ppc sparc hppa amd64 alpha ia64"
+KEYWORDS="alpha amd64 hppa ia64 ppc sparc x86"
 IUSE="X truetype freetype-version-1 jpeg"
 
 DEPEND="media-libs/libpng
@@ -24,6 +24,7 @@ DEPEND="media-libs/libpng
 src_unpack() {
 	unpack ${A}
 	cd ${S}
+	epatch ${FILESDIR}/${PV}-png-overflows.patch
 
 	local compopts
 	local libsopts