commit:     6f62811e7f813c38a3e576f1ceee8f27a5f5da6a
Author:     Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Fri Jun 26 06:50:51 2020 +0000
Commit:     Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Sat Jun 27 20:49:26 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f62811e

media-libs/gd: remove unused patches

Package-Manager: Portage-2.3.101, Repoman-2.3.22
Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/16425
Signed-off-by: Aaron Bauman <bman <AT> gentoo.org>

 .../gd/files/gd-2.2.5-CVE-2018-1000222.patch       |  73 ------
 media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch   | 124 ---------
 media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch   |  28 ---
 media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch   | 278 ---------------------
 media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch     | 103 --------
 5 files changed, 606 deletions(-)

diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-1000222.patch 
b/media-libs/gd/files/gd-2.2.5-CVE-2018-1000222.patch
deleted file mode 100644
index 80f9712bf8e..00000000000
--- a/media-libs/gd/files/gd-2.2.5-CVE-2018-1000222.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vap...@gentoo.org>
-Date: Sat, 14 Jul 2018 13:54:08 -0400
-Subject: [PATCH] bmp: check return value in gdImageBmpPtr
-
-Closes #447.
----
- src/gd_bmp.c | 17 ++++++++++++++---
- 1 file changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/src/gd_bmp.c b/src/gd_bmp.c
-index bde0b9d3..78f40d9a 100644
---- a/src/gd_bmp.c
-+++ b/src/gd_bmp.c
-@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, 
bmp_info_t *info, bmp
- static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, 
bmp_hdr_t *header);
- static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);
- 
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);
-+
- #define BMP_DEBUG(s)
- 
- static int gdBMPPutWord(gdIOCtx *out, int w)
-@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, 
int compression)
-       void *rv;
-       gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
-       if (out == NULL) return NULL;
--      gdImageBmpCtx(im, out, compression);
--      rv = gdDPExtractData(out, size);
-+      if (!_gdImageBmpCtx(im, out, compression))
-+              rv = gdDPExtractData(out, size);
-+      else
-+              rv = NULL;
-       out->gd_free(out);
-       return rv;
- }
-@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE 
*outFile, int compression)
-               compression - whether to apply RLE or not.
- */
- BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int 
compression)
-+{
-+      _gdImageBmpCtx(im, out, compression);
-+}
-+
-+static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)
- {
-       int bitmap_size = 0, info_size, total_size, padding;
-       int i, row, xpos, pixel;
-@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr 
out, int compression)
-       unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;
-       FILE *tmpfile_for_compression = NULL;
-       gdIOCtxPtr out_original = NULL;
-+      int ret = 1;
- 
-       /* No compression if its true colour or we don't support seek */
-       if (im->trueColor) {
-@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr 
out, int compression)
-               out_original = NULL;
-       }
- 
-+      ret = 0;
- cleanup:
-       if (tmpfile_for_compression) {
- #ifdef _WIN32
-@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr 
out, int compression)
-       if (out_original) {
-               out_original->gd_free(out_original);
-       }
--      return;
-+      return ret;
- }
- 
- static int compress_row(unsigned char *row, int length)

diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch 
b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch
deleted file mode 100644
index 6d9de06998a..00000000000
--- a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecke...@gmx.de>
-Date: Wed, 29 Nov 2017 19:37:38 +0100
-Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
-
-Due to a signedness confusion in `GetCode_` a corrupt GIF file can
-trigger an infinite loop.  Furthermore we make sure that a GIF without
-any palette entries is treated as invalid *after* open palette entries
-have been removed.
-
-CVE-2018-5711
-
-See also https://bugs.php.net/bug.php?id=75571.
----
- src/gd_gif_in.c             |  12 ++++++------
- tests/gif/CMakeLists.txt    |   1 +
- tests/gif/Makemodule.am     |   2 ++
- tests/gif/php_bug_75571.c   |  28 ++++++++++++++++++++++++++++
- tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes
- 6 files changed, 38 insertions(+), 6 deletions(-)
- create mode 100644 tests/gif/php_bug_75571.c
-
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
-index daf26e79..0a8bd717 100644
---- a/src/gd_gif_in.c
-+++ b/src/gd_gif_in.c
-@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) 
gdImageCreateFromGifCtx(gdIOCtxPtr fd)
-               return 0;
-       }
- 
--      if(!im->colorsTotal) {
--              gdImageDestroy(im);
--              return 0;
--      }
--
-       /* Check for open colors at the end, so
-        * we can reduce colorsTotal and ultimately
-        * BitsPerPixel */
-@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) 
gdImageCreateFromGifCtx(gdIOCtxPtr fd)
-               }
-       }
- 
-+      if(!im->colorsTotal) {
-+              gdImageDestroy(im);
-+              return 0;
-+      }
-+
-       return im;
- }
- 
-@@ -447,7 +447,7 @@ static int
- GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int 
*ZeroDataBlockP)
- {
-       int i, j, ret;
--      unsigned char count;
-+      int count;
- 
-       if(flag) {
-               scd->curbit = 0;
-diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
-index 2b73749e..e58e6b09 100644
---- a/tests/gif/CMakeLists.txt
-+++ b/tests/gif/CMakeLists.txt
-@@ -4,6 +4,7 @@ LIST(APPEND TESTS_FILES
-       bug00227
-       gif_null
-       ossfuzz5700
-+      php_bug_75571
-       uninitialized_memory_read
- )
- 
-diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am
-index 3199438f..5dbeac53 100644
---- a/tests/gif/Makemodule.am
-+++ b/tests/gif/Makemodule.am
-@@ -4,6 +4,7 @@ libgd_test_programs += \
-       gif/bug00227 \
-       gif/gif_null \
-       gif/ossfuzz5700 \
-+      gif/php_bug_75571 \
-       gif/uninitialized_memory_read
- 
- if HAVE_LIBPNG
-@@ -26,4 +27,5 @@ EXTRA_DIST += \
-       gif/bug00066.gif \
-       gif/bug00066_exp.png \
-       gif/ossfuzz5700.gif \
-+      gif/php_bug_75571.gif \
-       gif/unitialized_memory_read.gif
-diff --git a/tests/gif/php_bug_75571.c b/tests/gif/php_bug_75571.c
-new file mode 100644
-index 00000000..d4fae3ae
---- /dev/null
-+++ b/tests/gif/php_bug_75571.c
-@@ -0,0 +1,28 @@
-+/**
-+ * Test that GIF reading does not loop infinitely
-+ * 
-+ * We are reading a crafted GIF image which has been truncated.  This would
-+ * trigger an infinite loop formerly, but know bails out early, returning
-+ * NULL from gdImageCreateFromGif().
-+ *
-+ * See also https://bugs.php.net/bug.php?id=75571.
-+ */
-+
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+int main()
-+{
-+    gdImagePtr im;
-+    FILE *fp;
-+
-+    fp = gdTestFileOpen2("gif", "php_bug_75571.gif");
-+    gdTestAssert(fp != NULL);
-+    im = gdImageCreateFromGif(fp);
-+    gdTestAssert(im == NULL);
-+    fclose(fp);
-+
-+    return gdNumFailures();
-+}
-

diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch 
b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch
deleted file mode 100644
index 0b67a596c6b..00000000000
--- a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Description: Heap-based buffer overflow in gdImageColorMatch
-Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
-Bug-PHP: https://bugs.php.net/bug.php?id=77270
-Bug-Debian: https://bugs.debian.org/920645
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
-Forwarded: no
-Author: "Christoph M. Becker" <cmbecke...@gmx.de>
-Last-Update: 2019-02-01
-
-At least some of the image reading functions may return images which
-use color indexes greater than or equal to im->colorsTotal.  We cater
-to this by always using a buffer size which is sufficient for
-`gdMaxColors` in `gdImageColorMatch()`.
----
-
---- a/src/gd_color_match.c
-+++ b/src/gd_color_match.c
-@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
-               return -4; /* At least 1 color must be allocated */
-       }
- 
--      buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * 
im2->colorsTotal);
--      memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
-+      buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * 
gdMaxColors);
-+      memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
- 
-       for (x=0; x < im1->sx; x++) {
-               for( y=0; y<im1->sy; y++ ) {

diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch 
b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch
deleted file mode 100644
index 2eb9369a0ba..00000000000
--- a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch
+++ /dev/null
@@ -1,278 +0,0 @@
-From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecke...@gmx.de>
-Date: Thu, 17 Jan 2019 11:54:55 +0100
-Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
-
-Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
-must not call `gdDPExtractData()`; otherwise a double-free would
-happen.  Since `gdImage*Ctx()` are void functions, and we can't change
-that for BC reasons, we're introducing static helpers which are used
-internally.
-
-We're adding a regression test for `gdImageJpegPtr()`, but not for
-`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
-trigger failure of the respective `gdImage*Ctx()` calls.
-
-This potential security issue has been reported by Solmaz Salimi (aka.
-Rooney).
----
- src/gd_gif_out.c                  | 18 +++++++++++++++---
- src/gd_jpeg.c                     | 20 ++++++++++++++++----
- src/gd_wbmp.c                     | 21 ++++++++++++++++++---
- tests/jpeg/CMakeLists.txt         |  1 +
- tests/jpeg/Makemodule.am          |  3 ++-
- tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
- 7 files changed, 84 insertions(+), 11 deletions(-)
- create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
-
-diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
-index 298a5812..d5a95346 100644
---- a/src/gd_gif_out.c
-+++ b/src/gd_gif_out.c
-@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
- static void char_out(int c, GifCtx *ctx);
- static void flush_char(GifCtx *ctx);
- 
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
- 
- 
- 
-@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int 
*size)
-       void *rv;
-       gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
-       if (out == NULL) return NULL;
--      gdImageGifCtx(im, out);
--      rv = gdDPExtractData(out, size);
-+      if (!_gdImageGifCtx(im, out)) {
-+              rv = gdDPExtractData(out, size);
-+      } else {
-+              rv = NULL;
-+      }
-       out->gd_free(out);
-       return rv;
- }
-@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
- 
- */
- BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
-+{
-+      _gdImageGifCtx(im, out);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
- {
-       gdImagePtr pim = 0, tim = im;
-       int interlace, BitsPerPixel;
-@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr 
out)
-               based temporary image. */
-               pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
-               if(!pim) {
--                      return;
-+                      return 1;
-               }
-               tim = pim;
-       }
-@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr 
out)
-               /* Destroy palette based temporary image. */
-               gdImageDestroy( pim);
-       }
-+
-+      return 0;
- }
- 
- 
-diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
-index fc058420..96ef4302 100644
---- a/src/gd_jpeg.c
-+++ b/src/gd_jpeg.c
-@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
-       exit(99);
- }
- 
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
-+
- /*
-  * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
-  * QUALITY.  If QUALITY is in the range 0-100, increasing values
-@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int 
*size, int quality)
-       void *rv;
-       gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
-       if (out == NULL) return NULL;
--      gdImageJpegCtx(im, out, quality);
--      rv = gdDPExtractData(out, size);
-+      if (!_gdImageJpegCtx(im, out, quality)) {
-+              rv = gdDPExtractData(out, size);
-+      } else {
-+              rv = NULL;
-+      }
-       out->gd_free(out);
-       return rv;
- }
-@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx 
*outfile);
- 
- */
- BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
-+{
-+      _gdImageJpegCtx(im, outfile, quality);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
- {
-       struct jpeg_compress_struct cinfo;
-       struct jpeg_error_mgr jerr;
-@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx 
*outfile, int quality)
-               if(row) {
-                       gdFree(row);
-               }
--              return;
-+              return 1;
-       }
- 
-       cinfo.err->emit_message = jpeg_emit_message;
-@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx 
*outfile, int quality)
-       if(row == 0) {
-               gd_error("gd-jpeg: error: unable to allocate JPEG row 
structure: gdCalloc returns NULL\n");
-               jpeg_destroy_compress(&cinfo);
--              return;
-+              return 1;
-       }
- 
-       rowptr[0] = row;
-@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx 
*outfile, int quality)
-       jpeg_finish_compress(&cinfo);
-       jpeg_destroy_compress(&cinfo);
-       gdFree(row);
-+      return 0;
- }
- 
- 
-diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
-index f19a1c96..a49bdbec 100644
---- a/src/gd_wbmp.c
-+++ b/src/gd_wbmp.c
-@@ -88,6 +88,8 @@ int gd_getin(void *in)
-       return (gdGetC((gdIOCtx *)in));
- }
- 
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
-+
- /*
-       Function: gdImageWBMPCtx
- 
-@@ -100,6 +102,12 @@ int gd_getin(void *in)
-               out   - the stream where to write
- */
- BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
-+{
-+      _gdImageWBMPCtx(image, fg, out);
-+}
-+
-+/* returns 0 on success, 1 on failure */
-+static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
- {
-       int x, y, pos;
-       Wbmp *wbmp;
-@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, 
gdIOCtx *out)
-       /* create the WBMP */
-       if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) 
== NULL) {
-               gd_error("Could not create WBMP\n");
--              return;
-+              return 1;
-       }
- 
-       /* fill up the WBMP structure */
-@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int 
fg, gdIOCtx *out)
- 
-       /* write the WBMP to a gd file descriptor */
-       if(writewbmp(wbmp, &gd_putout, out)) {
-+              freewbmp(wbmp);
-               gd_error("Could not save WBMP\n");
-+              return 1;
-       }
- 
-       /* des submitted this bugfix: gdFree the memory. */
-       freewbmp(wbmp);
-+
-+      return 0;
- }
- 
- /*
-@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int 
*size, int fg)
-       void *rv;
-       gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
-       if (out == NULL) return NULL;
--      gdImageWBMPCtx(im, fg, out);
--      rv = gdDPExtractData(out, size);
-+      if (!_gdImageWBMPCtx(im, fg, out)) {
-+              rv = gdDPExtractData(out, size);
-+      } else {
-+              rv = NULL;
-+      }
-       out->gd_free(out);
-       return rv;
- }
-diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
-index 19964b0c..a8d8162f 100644
---- a/tests/jpeg/CMakeLists.txt
-+++ b/tests/jpeg/CMakeLists.txt
-@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
- LIST(APPEND TESTS_FILES
-       jpeg_empty_file
-       jpeg_im2im
-+      jpeg_ptr_double_free
-       jpeg_null
- )
- 
-diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
-index 7e5d317b..b89e1695 100644
---- a/tests/jpeg/Makemodule.am
-+++ b/tests/jpeg/Makemodule.am
-@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
- libgd_test_programs += \
-       jpeg/jpeg_empty_file \
-       jpeg/jpeg_im2im \
--      jpeg/jpeg_null
-+      jpeg/jpeg_null \
-+      jpeg/jpeg_ptr_double_free
- 
- if HAVE_LIBPNG
- libgd_test_programs += \
-diff --git a/tests/jpeg/jpeg_ptr_double_free.c 
b/tests/jpeg/jpeg_ptr_double_free.c
-new file mode 100644
-index 00000000..df5a510b
---- /dev/null
-+++ b/tests/jpeg/jpeg_ptr_double_free.c
-@@ -0,0 +1,31 @@
-+/**
-+ * Test that failure to convert to JPEG returns NULL
-+ *
-+ * We are creating an image, set its width to zero, and pass this image to
-+ * `gdImageJpegPtr()` which is supposed to fail, and as such should return 
NULL.
-+ *
-+ * See also <https://github.com/libgd/libgd/issues/381>
-+ */
-+
-+
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+
-+int main()
-+{
-+    gdImagePtr src, dst;
-+    int size;
-+
-+    src = gdImageCreateTrueColor(1, 10);
-+    gdTestAssert(src != NULL);
-+
-+    src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
-+
-+    dst = gdImageJpegPtr(src, &size, 0);
-+    gdTestAssert(dst == NULL);
-+
-+    gdImageDestroy(src);
-+
-+    return gdNumFailures();
-+}

diff --git a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch 
b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch
deleted file mode 100644
index 891c232115e..00000000000
--- a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 9fa3abd2e61da18ed2b889704e4e252f0f5a95fe Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vap...@gentoo.org>
-Date: Fri, 26 Jan 2018 01:57:52 -0500
-Subject: [PATCH] gif: fix out-of-bounds read w/corrupted lzw data
-
-oss-fuzz pointed out:
-gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int 
[4096]'
-
-Add some bounds checking on each code that we read from the file.
----
- src/gd_gif_in.c           |   8 ++++++++
- tests/gif/CMakeLists.txt  |   3 ++-
- tests/gif/Makemodule.am   |   2 ++
- tests/gif/ossfuzz5700.c   |  13 +++++++++++++
- tests/gif/ossfuzz5700.gif | Bin 0 -> 30 bytes
- 6 files changed, 26 insertions(+), 1 deletion(-)
- create mode 100644 tests/gif/ossfuzz5700.c
-
-diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
-index afc08bf7..daf26e79 100644
---- a/src/gd_gif_in.c
-+++ b/src/gd_gif_in.c
-@@ -601,6 +601,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, 
int input_code_size, i
-                               /* Bad compressed data stream */
-                               return -1;
-                       }
-+                      if(code >= (1 << MAX_LWZ_BITS)) {
-+                              /* Corrupted code */
-+                              return -1;
-+                      }
- 
-                       *sd->sp++ = sd->table[1][code];
- 
-@@ -610,6 +614,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, 
int input_code_size, i
- 
-                       code = sd->table[0][code];
-               }
-+              if(code >= (1 << MAX_LWZ_BITS)) {
-+                      /* Corrupted code */
-+                      return -1;
-+              }
- 
-               *sd->sp++ = sd->firstcode = sd->table[1][code];
- 
-diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
-index 7d40cddc..2b73749e 100644
---- a/tests/gif/CMakeLists.txt
-+++ b/tests/gif/CMakeLists.txt
-@@ -3,6 +3,8 @@ LIST(APPEND TESTS_FILES
-       bug00181
-       bug00227
-       gif_null
-+      ossfuzz5700
-+      uninitialized_memory_read
- )
- 
- IF(PNG_FOUND)
-@@ -12,7 +14,6 @@ LIST(APPEND TESTS_FILES
-       bug00060
-       bug00066
-       gif_im2im
--      uninitialized_memory_read
- )
- ENDIF(PNG_FOUND)
- 
-diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am
-index 0bdeab7e..3199438f 100644
---- a/tests/gif/Makemodule.am
-+++ b/tests/gif/Makemodule.am
-@@ -3,6 +3,7 @@ libgd_test_programs += \
-       gif/bug00181 \
-       gif/bug00227 \
-       gif/gif_null \
-+      gif/ossfuzz5700 \
-       gif/uninitialized_memory_read
- 
- if HAVE_LIBPNG
-@@ -24,4 +25,5 @@ EXTRA_DIST += \
-       gif/bug00060.gif \
-       gif/bug00066.gif \
-       gif/bug00066_exp.png \
-+      gif/ossfuzz5700.gif \
-       gif/unitialized_memory_read.gif
-diff --git a/tests/gif/ossfuzz5700.c b/tests/gif/ossfuzz5700.c
-new file mode 100644
-index 00000000..8fc9f88c
---- /dev/null
-+++ b/tests/gif/ossfuzz5700.c
-@@ -0,0 +1,13 @@
-+#include <stdio.h>
-+#include "gd.h"
-+#include "gdtest.h"
-+
-+int main()
-+{
-+      gdImagePtr im;
-+      FILE *fp = gdTestFileOpen("gif/ossfuzz5700.gif");
-+      im = gdImageCreateFromGif(fp);
-+      fclose(fp);
-+      gdImageDestroy(im);
-+      return 0;
-+}
-
