authorghen <ghen>2006-06-15 12:56:54 +0000
committerghen <ghen>2006-06-15 12:56:54 +0000
commit9f5f10a71fad27a28e879495c7e6907e28b07c8e (patch)
tree0765aa87354559cc85e77222c2242f902a700daf
parent5910a2986e7bc62a78fd55b20449b5cb7b6541cb (diff)
downloadpkgsrc-9f5f10a71fad27a28e879495c7e6907e28b07c8e.tar.gz
Pullup ticket 1702 - requested by salo
security fix for gd Revisions pulled up: - pkgsrc/graphics/gd/Makefile 1.68, 1.69, 1.70 - pkgsrc/graphics/gd/distinfo 1.23 - pkgsrc/graphics/gd/patches/patch-ac 1.3 Module Name: pkgsrc Committed By: minskim Date: Sun May 14 18:19:08 UTC 2006 Modified Files: pkgsrc/graphics/gd: Makefile Log Message: Fix a pkglint warning. --- Module Name: pkgsrc Committed By: minskim Date: Sun May 14 18:22:38 UTC 2006 Modified Files: pkgsrc/graphics/gd: Makefile Log Message: This package installs a perl script. Add a dependency on perl using USE_TOOLS. Bump PKGREVISION. --- Module Name: pkgsrc Committed By: salo Date: Wed Jun 14 21:42:33 UTC 2006 Modified Files: pkgsrc/graphics/gd: Makefile distinfo Added Files: pkgsrc/graphics/gd/patches: patch-ac Log Message: Security fix for CVE-2006-2906: "The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote attackers to cause a denial of service (CPU consumption) via malformed GIF data that causes an infinite loop." Patch from Xavier Roche via Ubuntu.
-rw-r--r--graphics/gd/Makefile7
-rw-r--r--graphics/gd/distinfo3
-rw-r--r--graphics/gd/patches/patch-ac65
3 files changed, 71 insertions, 4 deletions
diff --git a/graphics/gd/Makefile b/graphics/gd/Makefile
index a618b0ec00c..ad549a4ffb6 100644
--- a/graphics/gd/Makefile
+++ b/graphics/gd/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.66 2006/02/05 23:09:30 joerg Exp $
+# $NetBSD: Makefile,v 1.66.2.1 2006/06/15 12:56:54 ghen Exp $
DISTNAME= gd-2.0.33
-PKGREVISION= 2
+PKGREVISION= 5
CATEGORIES= graphics
MASTER_SITES= http://www.boutell.com/gd/http/
@@ -12,8 +12,9 @@ COMMENT= Graphics library for the dynamic creation of images
PKG_INSTALLATION_TYPES= overwrite pkgviews
USE_LIBTOOL= YES
+USE_TOOLS+= perl:run
GNU_CONFIGURE= YES
-REPLACE_PERL= bdftogd
+REPLACE_PERL+= bdftogd
PTHREAD_AUTO_VARS= yes
.include "../../devel/zlib/buildlink3.mk"
diff --git a/graphics/gd/distinfo b/graphics/gd/distinfo
index 5a556cee191..9085d8152b2 100644
--- a/graphics/gd/distinfo
+++ b/graphics/gd/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.22 2005/06/06 18:38:08 minskim Exp $
+$NetBSD: distinfo,v 1.22.8.1 2006/06/15 12:56:54 ghen Exp $
SHA1 (gd-2.0.33.tar.gz) = 89548efb01116a740c796a8df80de16d19856811
RMD160 (gd-2.0.33.tar.gz) = 6c573638387bb36044f3d4d480b10229445b9a6b
Size (gd-2.0.33.tar.gz) = 587617 bytes
SHA1 (patch-aa) = 38f0aa7043dba517405312d4eef59347e3c0185a
SHA1 (patch-ab) = 082f5baa2c147fb62381c21ecb3ce11a1891a2aa
+SHA1 (patch-ac) = 154abdaff73099617a1b57f4d2f19358aaf2a043
diff --git a/graphics/gd/patches/patch-ac b/graphics/gd/patches/patch-ac
new file mode 100644
index 00000000000..2f4bfd8bf9c
--- /dev/null
+++ b/graphics/gd/patches/patch-ac
@@ -0,0 +1,65 @@
+$NetBSD: patch-ac,v 1.2.20.1 2006/06/15 12:56:54 ghen Exp $
+
+Security fix for CVE-2006-2906, from Xavier Roche via Ubuntu.
+
+--- gd_gif_in.c.orig 2004-11-01 19:28:56.000000000 +0100
++++ gd_gif_in.c 2006-06-14 23:30:38.000000000 +0200
+@@ -118,6 +118,7 @@
+ char version[4];
+ /* 2.0.28: threadsafe storage */
+ int ZeroDataBlock = FALSE;
++ int maxcount = 1024;
+
+ gdImagePtr im = 0;
+ if (! ReadOK(fd,buf,6)) {
+@@ -164,6 +165,8 @@
+ }
+
+ if (c != ',') { /* Not a valid start character */
++ if (--maxcount < 0)
++ goto terminated; /* Looping */
+ continue;
+ }
+
+@@ -242,6 +245,7 @@
+ DoExtension(gdIOCtx *fd, int label, int *Transparent, int *ZeroDataBlockP)
+ {
+ static unsigned char buf[256];
++ int maxcount = 1024;
+
+ switch (label) {
+ case 0xf9: /* Graphic Control Extension */
+@@ -254,13 +258,13 @@
+ if ((buf[0] & 0x1) != 0)
+ *Transparent = buf[3];
+
+- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
++ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
+ ;
+ return FALSE;
+ default:
+ break;
+ }
+- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
++ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
+ ;
+
+ return FALSE;
+@@ -419,14 +423,15 @@
+ } else if (code == end_code) {
+ int count;
+ unsigned char buf[260];
++ int maxcount = 1024;
+
+ if (*ZeroDataBlockP)
+ return -2;
+
+- while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0)
++ while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0 && --maxcount >= 0)
+ ;
+
+- if (count != 0)
++ if (count != 0 || maxcount < 0)
+ return -2;
+ }
+
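Review bot: The two bounded loops added in DoExtension (the `0xf9` case and the default path) keep `!= 0` as the continue condition, so a negative return from GetDataBlock — which the end_code loop at the bottom of this hunk evidently treats as a read failure via its `> 0` test and the following `count != 0` check — keeps the loop spinning until the 1024-iteration budget is exhausted instead of stopping at the first failed read. Changing both to `while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0 && --maxcount >= 0)` ends the loop on the first error as well as after 1024 blocks, matching the end_code path. In either case DoExtension then returns FALSE exactly as on success, so the caller cannot tell a truncated or runaway extension from a well-formed one; if its return value is checked by the caller, consider returning a distinct failure value when maxcount goes negative, as the end_code path already does with `return -2`. The literal `1024` repeated in three places would also read better as one named constant, e.g. `#define GIF_MAX_BLOCKS 1024`. GetDataBlock's definition, DoExtension's caller and the `terminated:` label targeted by the new `goto` are all outside this hunk, so the negative-return behaviour is inferred from the end_code loop rather than seen.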