Package: libgd2 / 2.1.0-5+deb8u11
Metadata
| Package | Version | Patches format |
|---|---|---|
| libgd2 | 2.1.0-5+deb8u11 | 3.0 (quilt) |
Patch series
| Patch | File delta (lines changed: +added -removed !modified) | Description |
|---|---|---|
| 0001 Fix possible buffer read overflow detected by fsanit.patch | src/gd_gif_in.c (11: +9 -2 !0) | Fix possible buffer read overflow detected by -fsanitize=address, thanks to Jan Bee |
| 0002 gdlib config uses pkgconfig.patch | config/gdlib-config.in (41: +18 -23 !0) | gdlib-config-uses-pkgconfig |
| 0003 fix compiled in version.patch | configure.ac (13: +8 -5 !0) | fix-compiled-in-version |
| 0004 subdir objects.patch | configure.ac (2: +1 -1 !0) | subdir-objects |
| 0005 CVE 2014 2497 NULL pointer dereference fix 126.patch | src/gdxpm.c (10: +10 -0 !0) | CVE-2014-2497, NULL pointer dereference, fix #126 |
| 0006 gd2 handle corrupt images better CVE 2016 3074.patch | src/gd_gd2.c (2: +2 -0 !0) | gd2-handle-corrupt-images-better-cve-2016-3074 |
| 0007 CVE 2015 8874.patch | src/gd.c (11: +11 -0 !0) | CVE-2015-8874 |
| 0008 gdImageScaleTwoPass memory leak fix.patch | src/gd_interpolation.c (25: +4 -21 !0) | gdImageScaleTwoPass memory leak fix. Fixing memory leak in gdImageScaleTwoPass, as reported by @cmb69 and confirmed by @vapier. This bug actually bit me in production and I'm very thankful that it was reported with an easy fix. Fixes #173. |
| 0009 Fixed memory overrun bug in gdImageScaleTwoPass.patch | src/gd_interpolation.c (6: +3 -3 !0) | Fixed memory overrun bug in gdImageScaleTwoPass. _gdContributionsCalc would compute a window size and then adjust the left and right positions of the window to make a window within that size. However, it was storing the values in the struct *before* it made the adjustment. This change fixes that. |
| 0010 Fix 86 gdImageScale segfaults with most interpolatio.patch | src/gd_interpolation.c (1: +1 -0 !0) | Fix #86: gdImageScale segfaults with most interpolation types. Code fails to propagate the interpolation type to an intermediate temp image. This change fixes that. |
| 0011 fix php bug 72339 CVE 2016 5766 Integer Overflow in .patch | src/gd_gd2.c (5: +4 -1 !0) | Fix PHP bug 72339 (CVE-2016-5766), integer overflow in _gd2GetHeader() resulting in heap overflow |
| 0012 fix php 72494 invalid color index not handled can le.patch | src/gd_crop.c (4: +4 -0 !0) | Fix PHP bug 72494, invalid color index not handled, can lead to crash |
| 0013 gif avoid out of bound reads of masks array 209.patch | src/gd_gif_out.c (12: +11 -1 !0) | gif: avoid out-of-bound reads of masks array #209. When given invalid inputs, we might be fed the EOF marker before it is actually the EOF. The gif logic assumes once it sees the EOF marker, there won't be any more data, so it leaves the cur_bits index possibly negative. So when we get more data, we underflow the masks array. Flag it so we don't try to output anything more. The image is invalid, so we shouldn't be truncating any valid inputs. This fixes #209. |
| 0014 Fix 247 A read out of bands was found in the parsing.patch | src/gd_tga.c (11: +9 -2 !0) | Fix #247, a read out-of-bounds was found in the parsing of TGA files |
| 0015 bug 248 fix Out Of Bounds Read in read_image_tga.patch | src/gd_tga.c (29: +18 -11 !0) | Bug #248, fix out-of-bounds read in read_image_tga |
| 0016 Unsupported TGA bpp alphabit combinations should err.patch | src/gd_tga.c (16: +6 -10 !0) | Unsupported TGA bpp/alphabit combinations should error gracefully. Currently, only 24bpp without alphabits and 32bpp with 8 alphabits are really supported. All other combinations will be rejected with a warning. (cherry picked from commit cb1a0b7e54e9aa118270c23a4a6fe560e4590dc9) |
| 0017 xbm avoid stack overflow read with large names 211.patch | src/gd_xbm.c (34: +27 -7 !0) | xbm: avoid stack overflow (read) with large names #211. We use the name passed in to printf into a local stack buffer which is limited to 4000 bytes. So given a large enough value, lots of stack data is leaked. Rewrite the code to do simple memory copies with most of the strings to avoid that issue, and only use stack buffer for small numbers of constant size. This closes #211. |
| 0018 CVE 2016 6207.patch | src/gd.c (2: +1 -1 !0) | CVE-2016-6207 |
| 0019 Patch for security bug https bugs.php.net bug.php id.patch | src/gd_io_dp.c (2: +1 -1 !0) | Patch for security bug https://bugs.php.net/bug.php?id=73280 |
| 0020 Fix invalid read in gdImageCreateFromTiffPtr.patch | src/gd_io_dp.c (15: +10 -5 !0) | Fix invalid read in gdImageCreateFromTiffPtr(). tiff_invalid_read.tiff is corrupt, and causes an invalid read in gdImageCreateFromTiffPtr(), but not in gdImageCreateFromTiff(). The culprit is dynamicGetbuf(), which doesn't check for out-of-bound reads. In this case, dynamicGetbuf() is called with a negative dp->pos, but also positive buffer overflows have to be handled, in which case 0 has to be returned (cf. commit 75e29a9). Fixing dynamicGetbuf() exhibits that the corrupt TIFF would still create the image, because the return value of TIFFReadRGBAImage() is not checked. We do that, and let createFromTiffRgba() fail if TIFFReadRGBAImage() fails. This issue had been reported by Ibrahim El-Sayed to security@libgd.org. |
| 0021 CVE 2016 7568 Fix integer overflow in gdImageWebpCtx.patch | src/gd_webp.c (12: +12 -0 !0) | Fix integer overflow in gdImageWebpCtx. Integer overflow can happen in the expression gdImageSX(im) * 4 * gdImageSY(im). It could lead to heap buffer overflow in the following code. This issue has been reported to the PHP Bug Tracking System. The proof-of-concept file will be supplied some days later. This issue was discovered by Ke Liu of Tencent's Xuanwu LAB. |
| 0022 fix 215 gdImageFillToBorder stack overflow when inva.patch | src/gd.c (8: +7 -1 !0) | Fix #215 gdImageFillToBorder stack-overflow when invalid color is used |
| 0023 Fix OOB reads of the TGA decompression buffer.patch | src/gd_tga.c (6: +4 -2 !0) | Fix OOB reads of the TGA decompression buffer. It is possible to craft TGA files which will overflow the decompression buffer, but not the image's bitmap. Therefore we augment the check for the bitmap's overflow with a check for the buffer's overflow. This issue had been reported by Ibrahim El-Sayed to security@libgd.org. |
| 0024 Fix double free in gdImageWebPtr.patch | src/gd_webp.c (143: +84 -59 !0) | Fix double-free in gdImageWebPtr(). The issue is that gdImageWebpCtx() (which is called by gdImageWebpPtr() and the other WebP output functions to do the real work) does not return whether it succeeded or failed, so this is not checked in gdImageWebpPtr() and the function wrongly assumes everything is okay, which is not, in this case, because there is a size limitation for WebP, namely that the width and height must be less than 16383. We can't change the signature of gdImageWebpCtx() for API compatibility reasons, so we introduce the static helper _gdImageWebpCtx() which returns success or failure, so gdImageWebpPtr() and gdImageWebpPtrEx() can check the return value. We leave it solely to libwebp for now to report warnings regarding the failing write. This issue had been reported by Ibrahim El-Sayed to security@libgd.org. CVE-2016-6912 |
| 0025 Fix potential unsigned underflow.patch | src/gd_interpolation.c (19: +10 -9 !0) | Fix potential unsigned underflow. No need to decrease `u`, so we don't do it. While we're at it, we also factor out the overflow check of the loop, which improves performance and readability. This issue has been reported by Stefan Esser to security@libgd.org. |
| 0026 Fix DOS vulnerability in gdImageCreateFromGd2Ctx.patch | src/gd_gd2.c (14: +6 -8 !0) | Fix DOS vulnerability in gdImageCreateFromGd2Ctx(). We must not pretend that there are image data if there are none. Instead we fail reading the image file gracefully. Conflicts: tests/gd2/CMakeLists.txt |
| 0027 Fix OOB reads of the TGA decompression buffer.patch | src/gd_tga.c (90: +36 -54 !0) | Fix OOB reads of the TGA decompression buffer. It is possible to craft TGA files which will overflow the decompression buffer, but not the image's bitmap. Therefore we also have to check for potential decompression buffer overflows. This issue had been reported by Ibrahim El-Sayed to security@libgd.org; a modified case exposing an off-by-one error of the first patch had been provided by Konrad Beckmann. This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906 as well. |
| 0028 Fix 340 System frozen.patch | src/gd.c (4: +4 -0 !0) | Fix #340: system frozen. gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. We fix that by applying the same overflow check that is already in place for gdImageCreateTrueColor(). CVE-2016-9317 Conflicts: src/gd.c |
| 0029 Fix 354 Signed Integer Overflow gd_io.c.patch | src/gd_gd2.c (4: +4 -0 !0) | Fix #354: signed integer overflow gd_io.c. GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 byte unsigned). These values are multiplied and assigned to an int when reading the image, which can cause integer overflows. We have to avoid that, and also make sure that either chunk count is actually greater than zero. If illegal chunk counts are detected, we bail out from reading the image. |
| 0030 Close 339 Fix unitialized memory read vulnerability .patch | src/gd_gif_in.c (3: +3 -0 !0) | Close #339: fix uninitialized memory read vulnerability in GIF reading |
| 0031 Fix 381 libgd double free vulnerability.patch | src/gd_png.c (40: +31 -9 !0) | Fix #381: libgd double-free vulnerability |
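Four of the patches above (0011, 0021, 0028, 0029) fix the same defect class: an image dimension or chunk count read from the file is multiplied into an int that wraps, and the too-small result is then used to size a heap buffer. The block below is an added example, not libgd code, showing overflow-checked versions of those two computations: a width x height x bytes-per-pixel buffer size (the gdImageSX(im) * 4 * gdImageSY(im) shape of CVE-2016-7568 and the oversize check of CVE-2016-9317) and the GD2 product of two 16-bit chunk counts (#354). The function names checked_mul, image_buffer_bytes and gd2_chunk_count are this example's own.

```c
/*
 * Added example (not libgd code): overflow-checked size arithmetic of the
 * kind patches 0011, 0021, 0028 and 0029 add around image allocations.
 * All function names here are this example's own.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* a * b into *out; returns 0 (and leaves *out alone) if the product overflows size_t. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/*
 * Byte size of a width x height buffer at bytes_per_pixel bytes per pixel,
 * or 0 if any dimension is non-positive or the product does not fit.
 * Dimensions are int because that is what image headers and the gd API
 * hand around; the result is also capped at INT_MAX so it can be passed
 * on to int-typed callees without silently wrapping.
 */
size_t image_buffer_bytes(int width, int height, int bytes_per_pixel)
{
    size_t row, total;

    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return 0;
    if (!checked_mul((size_t)width, (size_t)bytes_per_pixel, &row))
        return 0;
    if (!checked_mul(row, (size_t)height, &total))
        return 0;
    if (total > (size_t)INT_MAX)
        return 0;
    return total;
}

/*
 * GD2 headers carry the horizontal and vertical chunk counts as 16-bit
 * words. Multiply them in a type wide enough for 65535 * 65535 and reject
 * zero counts or a product that would not fit an int. Returns the chunk
 * count or -1 for an illegal header.
 */
int gd2_chunk_count(uint16_t ncx, uint16_t ncy)
{
    if (ncx == 0 || ncy == 0)
        return -1;
    uint32_t product = (uint32_t)ncx * (uint32_t)ncy;
    if (product > (uint32_t)INT_MAX)
        return -1;
    return (int)product;
}

int main(void)
{
    /* 32768 * 4 * 32768 is exactly 2^32: in 32-bit int arithmetic the
       gdImageSX(im) * 4 * gdImageSY(im) product wraps to 0. */
    printf("640x480x4 -> %zu bytes\n", image_buffer_bytes(640, 480, 4));
    printf("32768x32768x4 -> %zu (0 = rejected)\n", image_buffer_bytes(32768, 32768, 4));
    printf("GD2 chunks 65535x65535 -> %d (-1 = rejected)\n", gd2_chunk_count(65535, 65535));
    printf("GD2 chunks 10x20 -> %d\n", gd2_chunk_count(10, 20));
    return 0;
}
```

The cap at INT_MAX is deliberate: on a 64-bit build the size_t product for 32768 x 32768 x 4 does not overflow, but it would be truncated the moment it is handed to an API that takes an int, so the check has to apply the narrowest type the value will ever pass through, not just the type it is computed in.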
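Patch 0020 describes dynamicGetbuf() being called with a negative dp->pos and also needing to return 0 for reads past the end of the buffer. The following is an added example, not libgd code, of a bounds-checked read from an in-memory stream that handles both cases: a negative or past-the-end position yields 0 bytes, and a read that straddles the end is shortened rather than copied blindly. The mem_stream type, its functions and the sample bytes are this example's own constructions.

```c
/*
 * Added example (not libgd code): a bounds-checked read from an in-memory
 * stream, the defect class behind patch 0020 (dynamicGetbuf() trusting a
 * position that had gone negative). The mem_stream type, its functions and
 * the sample bytes are this example's own constructions.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const unsigned char *data;
    size_t size;
    long pos;   /* signed, like a file offset; a decoder-driven seek can make it negative */
} mem_stream;

/* Relative seek with no validation, mirroring how decoders apply offsets taken from the file. */
void mem_stream_seek(mem_stream *s, long delta)
{
    s->pos += delta;
}

/*
 * Copy up to len bytes from the current position into out and advance.
 * Returns the number of bytes copied: 0 when pos is before the start or at
 * or past the end (the caller sees a failed read instead of a wild memcpy),
 * and fewer than len when fewer bytes remain.
 */
size_t mem_stream_read(mem_stream *s, unsigned char *out, size_t len)
{
    if (s->pos < 0 || (size_t)s->pos >= s->size)
        return 0;
    size_t remaining = s->size - (size_t)s->pos;
    if (len > remaining)
        len = remaining;
    memcpy(out, s->data + s->pos, len);
    s->pos += (long)len;
    return len;
}

/* Constructed 16-byte sample standing in for an image file held in memory. */
static const unsigned char sample_file[16] = {
    0x49, 0x49, 0x2a, 0x00, 0x08, 0x00, 0x00, 0x00,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};

/* Seek to pos from the start of sample_file and try to read len bytes; returns bytes read. */
size_t sample_read(long pos, size_t len)
{
    unsigned char out[64];
    mem_stream s = { sample_file, sizeof sample_file, 0 };

    if (len > sizeof out)
        len = sizeof out;
    mem_stream_seek(&s, pos);
    return mem_stream_read(&s, out, len);
}

int main(void)
{
    printf("read 4 @ 0   -> %zu\n", sample_read(0, 4));
    printf("read 8 @ 12  -> %zu (short read)\n", sample_read(12, 8));
    printf("read 4 @ -3  -> %zu (rejected)\n", sample_read(-3, 4));
    printf("read 1 @ 16  -> %zu (rejected)\n", sample_read(16, 1));
    return 0;
}
```

The second half of that commit message matters as much as the first: once the read path reports failure, every caller has to look at the return value. A decoder that ignores a 0-byte read (as the message says the TIFF path did with TIFFReadRGBAImage()) will happily build an image from whatever was left in its buffers.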
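Patches 0023 and 0027 (and the earlier TGA fixes 0014 and 0015) turn on a single point: a TGA file can be crafted so that its RLE packets would overrun the compressed input (the "decompression buffer") while still fitting the output bitmap, so checking the bitmap alone is not enough. The block below is an added example, not libgd code, of a TGA-style RLE packet decoder that enforces both limits, with three constructed streams: a valid one, one whose run packet fills the bitmap exactly but has its pixel bytes cut off, and one that overflows the bitmap. The function names and sample data are this example's own.

```c
/*
 * Added example (not libgd code): a TGA-style RLE packet decoder that checks
 * both the compressed input (the "decompression buffer" of patches 0023 and
 * 0027) and the output bitmap. Function names and sample streams are this
 * example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * TGA RLE: each packet starts with a header byte. Bit 7 set means a run of
 * (low 7 bits + 1) copies of the single pixel that follows; clear means
 * (low 7 bits + 1) literal pixels follow. Returns pixels written, or -1 if
 * a packet would read past in_len or write past out_pixels.
 */
long tga_rle_decode(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_pixels, size_t bytes_per_pixel)
{
    size_t ip = 0, written = 0;

    if (bytes_per_pixel == 0 || bytes_per_pixel > 4)
        return -1;
    while (written < out_pixels) {
        if (ip >= in_len)
            return -1;                       /* header byte beyond the input */
        uint8_t hdr = in[ip++];
        size_t count = (size_t)(hdr & 0x7f) + 1;

        if (count > out_pixels - written)
            return -1;                       /* bitmap overflow */
        if (hdr & 0x80) {
            if (in_len - ip < bytes_per_pixel)
                return -1;                   /* run packet with its pixel cut off */
            for (size_t i = 0; i < count; i++)
                memcpy(out + (written + i) * bytes_per_pixel, in + ip, bytes_per_pixel);
            ip += bytes_per_pixel;
        } else {
            size_t need = count * bytes_per_pixel;   /* at most 128 * 4, cannot overflow */
            if (in_len - ip < need)
                return -1;                   /* raw packet longer than the remaining input */
            memcpy(out + written * bytes_per_pixel, in + ip, need);
            ip += need;
        }
        written += count;
    }
    return (long)written;
}

/* Constructed streams for a 2x2, 24bpp image (4 pixels, 3 bytes each). */
static const uint8_t stream_ok[] = {
    0x81, 0x10, 0x20, 0x30,                  /* run of 2 pixels */
    0x01, 0x40, 0x50, 0x60, 0x70, 0x80, 0x90 /* 2 literal pixels */
};
/* Run of 4 pixels fills the bitmap exactly, but the pixel itself is truncated:
   passes a bitmap-only check and overreads the input. */
static const uint8_t stream_truncated_run[] = { 0x83, 0x10, 0x20 };
/* Run of 8 pixels into a 4-pixel bitmap. */
static const uint8_t stream_bitmap_overflow[] = { 0x87, 0x10, 0x20, 0x30 };

/* Decode one of the constructed streams into a 4-pixel bitmap; returns the decoder's result. */
long decode_sample(int which)
{
    uint8_t bitmap[4 * 3];
    memset(bitmap, 0, sizeof bitmap);
    switch (which) {
    case 0: return tga_rle_decode(stream_ok, sizeof stream_ok, bitmap, 4, 3);
    case 1: return tga_rle_decode(stream_truncated_run, sizeof stream_truncated_run, bitmap, 4, 3);
    case 2: return tga_rle_decode(stream_bitmap_overflow, sizeof stream_bitmap_overflow, bitmap, 4, 3);
    default: return -1;
    }
}

int main(void)
{
    printf("valid stream    -> %ld pixels\n", decode_sample(0));
    printf("truncated run   -> %ld (rejected)\n", decode_sample(1));
    printf("bitmap overflow -> %ld (rejected)\n", decode_sample(2));
    return 0;
}
```

Stream 1 is the case the two patches are about: the output-side check passes (4 pixels into a 4-pixel bitmap) and only the input-side check catches the 2 bytes of pixel data where 3 are required. Patch 0027 also mentions an off-by-one in the first attempt at this check, which is why the comparison above is written as remaining-bytes versus bytes-needed rather than as an index comparison.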