From a8ed54de298d4a6cfae8ee69373566f2fe7274f1 Mon Sep 17 00:00:00 2001
From: north
Date: Thu, 15 Feb 2007 20:10:36 +0000
Subject: [PATCH] Fixed some known gd security holes, per Mark Espie, from Ubuntu, http://secunia.com/advisories/20500/

---
 lib/gd/gd_gif_in.c | 13 +++++++++----
 lib/gd/gdft.c | 2 +-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/lib/gd/gd_gif_in.c b/lib/gd/gd_gif_in.c
index 18c952674..e1f1bdbf6 100644
--- a/lib/gd/gd_gif_in.c
+++ b/lib/gd/gd_gif_in.c
@@ -122,6 +122,7 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
 char version[4];
 /* 2.0.28: threadsafe storage */
 int ZeroDataBlock = FALSE;
+ int maxcount = 1024;
 gdImagePtr im = 0;
 if (! ReadOK(fd,buf,6)) {
@@ -168,6 +169,8 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
 }
 if (c != ',') { /* Not a valid start character */
+ if (--maxcount < 0)
+ goto terminated; /* Looping */
 continue;
 }
@@ -246,6 +249,7 @@ static int
 DoExtension(gdIOCtx *fd, int label, int *Transparent, int *ZeroDataBlockP)
 {
 static unsigned char buf[256];
+ int maxcount = 1024;
 switch (label) {
 case 0xf9: /* Graphic Control Extension */
@@ -258,13 +262,13 @@ DoExtension(gdIOCtx *fd, int label, int *Transparent, int *ZeroDataBlockP)
 if ((buf[0] & 0x1) != 0)
 *Transparent = buf[3];
- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
 ;
 return FALSE;
 default:
 break;
 }
- while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0)
+ while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) != 0 && --maxcount >= 0)
 ;
 return FALSE;
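Review bot: The new `goto terminated` makes a run of junk bytes end the decode, but the `terminated` label and what it returns lie outside this hunk, so whether a partially built `im` is handed back as a successful result or discarded cannot be confirmed here; if it returns `im` as-is, a file padded with more than 1024 non-',' bytes decodes quietly instead of failing, and that deserves a comment at the label. The bare `1024` also appears in two other functions of this patch; one named constant, e.g. `#define GIF_MAX_JUNK 1024`, would keep the three caps in step. `/* Looping */` could say what is being cut short: `/* give up after 1024 consecutive non-image bytes rather than spin on a source that never sends ',' or ';' */`. gdImageCreateFromGifCtx's loop starts and ends outside the hunk.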
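Review bot: Both skip loops keep `!= 0` as their continue condition, so a negative return from `GetDataBlock` — which the LWZReadByte_ hunk of this same patch treats as a read failure via `> 0` — still counts as "more data", and on a truncated extension the loop now spins through 1024 failed reads before the cap stops it instead of exiting on the first one (assuming GetDataBlock does return a negative value on error; its body is not in this patch). Writing `while (GetDataBlock(fd, (unsigned char*) buf, ZeroDataBlockP) > 0 && --maxcount >= 0)` in both places makes the cap a backstop rather than the normal EOF exit. Both loops then `return FALSE` whether the zero-length terminator was seen or the cap tripped, so the caller cannot tell a truncated extension from a complete one; at minimum the second loop deserves a comment such as `/* skip the remaining sub-blocks; truncation is not reported to the caller */`.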
@@ -423,14 +427,15 @@ LWZReadByte_(gdIOCtx *fd, int flag, int input_code_size, int *ZeroDataBlockP)
 } else if (code == end_code) {
 int count;
 unsigned char buf[260];
+ int maxcount = 1024;
 if (*ZeroDataBlockP)
 return -2;
- while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0)
+ while ((count = GetDataBlock(fd, buf, ZeroDataBlockP)) > 0 && --maxcount >= 0)
 ;
- if (count != 0)
+ if (count != 0 || maxcount < 0)
 return -2;
 }
diff --git a/lib/gd/gdft.c b/lib/gd/gdft.c
index 4c814db6e..922a53c2e 100644
--- a/lib/gd/gdft.c
+++ b/lib/gd/gdft.c
@@ -1180,7 +1180,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d ptsize=%g\n",hdpi,vdpi,METRIC_RES,ptsize
 * ftp://ftp.ora.com/pub/examples/nutshell/ujip/doc/japan.inf-032092.sjs
 */
 ch = (*next) & 0xFF; /* don't extend sign */
- next++;
+ if (*next) next++;
 if (ch >= 161 /* first code of JIS-8 pair */
 && *next) { /* don't advance past '\0' */
-- 
2.40.0
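Review bot: The added `|| maxcount < 0` in the post-loop test can never change the result: the cap is only decremented when `count > 0`, so whenever `maxcount` ends below zero `count != 0` already holds and `-2` is returned. Either drop it or keep it with a note that it is there for readability, e.g. `/* count > 0 here whenever the cap tripped; the explicit test documents the intent */`. Unlike the DoExtension loops this one already exits on a negative return via `> 0`, so `maxcount` only bites on a source that keeps producing non-empty sub-blocks after the end code; any stream with more than 1024 such trailing blocks now fails with `-2`, which is probably acceptable but is a behavior change for input the old code accepted. LWZReadByte_ begins and ends outside the hunk.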
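Review bot: `if (*next) next++;` changes behavior only when the byte just read into `ch` was the terminating NUL, and the consequence depends on the loop enclosing this hunk: if its header already tests `*next`, the guard is never taken; if the loop advances only through `next++`, a stalled `next` turns a read past the terminator into an iteration that never terminates. The existing `/* don't advance past '\0' */` two lines below belongs to the JIS-8 pair check, so the new guard should carry its own note, e.g. `if (*next) next++; /* stay on the terminating NUL; the outer loop must test *next */`. The surrounding code puts the body of an `if` on its own line, so `if (*next)` / `next++;` would match the file's style. The enclosing function starts and ends outside the hunk.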