Fix integer overflow in gdImageWebpCtx and bump PORTREVISION.

PR:		213023
Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>

6 files changed, 44 insertions, 7 deletions

diff --git a/graphics/php55-gd/Makefile b/graphics/php55-gd/Makefile
index 624b80b64de9..d3818487123a 100644
--- a/graphics/php55-gd/Makefile
+++ b/graphics/php55-gd/Makefile
@@ -1,7 +1,7 @@
 # Created by: Alex Dupre <ale@FreeBSD.org>
 # $FreeBSD$
 
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	graphics
 
 MASTERDIR=	${.CURDIR}/../../lang/php55
diff --git a/graphics/php55-gd/files/patch-config.m4 b/graphics/php55-gd/files/patch-config.m4
index 468b69287246..13612e4a1eb9 100644
--- a/graphics/php55-gd/files/patch-config.m4
+++ b/graphics/php55-gd/files/patch-config.m4
@@ -1,6 +1,6 @@
---- config.m4.orig	2013-12-11 00:31:06.000000000 +0100
-+++ config.m4	2013-12-24 21:11:19.000000000 +0100
-@@ -233,7 +233,7 @@
+--- config.m4.orig	2016-07-20 10:41:48.000000000 +0200
++++ config.m4	2016-09-28 10:06:48.173731000 +0200
+@@ -228,7 +228,7 @@ AC_DEFUN([PHP_GD_T1LIB],[
      ],[
        AC_MSG_ERROR([Problem with libt1.(a|so). Please check config.log for more information.])
      ],[
diff --git a/graphics/php55-gd/files/patch-libgd_gd_webp.c b/graphics/php55-gd/files/patch-libgd_gd_webp.c
new file mode 100644
index 000000000000..b0c1419e022b
--- /dev/null
+++ b/graphics/php55-gd/files/patch-libgd_gd_webp.c
@@ -0,0 +1,18 @@
+--- libgd/gd_webp.c.orig	2016-09-28 10:07:06.092196000 +0200
++++ libgd/gd_webp.c	2016-09-28 10:08:12.429030000 +0200
+@@ -180,6 +180,15 @@ void gdImageWebpCtx (gdImagePtr im, gdIO
+ 	/* Conversion to Y,U,V buffer */
+     yuv_width = (width + 1) >> 1;
+     yuv_height = (height + 1) >> 1;
++
++    if (overflow2(width, height)) {
++        return;
++    }
++    /* simplification possible, because WebP must not be larger than 16384**2 */
++    if (overflow2(width * height, 2 * sizeof(unsigned char))) {
++        return;
++    }
++
+     yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
+ 
+     if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {
diff --git a/graphics/php56-gd/Makefile b/graphics/php56-gd/Makefile
index 4746215748f7..4979a92bb137 100644
--- a/graphics/php56-gd/Makefile
+++ b/graphics/php56-gd/Makefile
@@ -1,6 +1,7 @@
 # Created by: Alex Dupre <ale@FreeBSD.org>
 # $FreeBSD$
 
+PORTREVISION=	1
 CATEGORIES=	graphics
 
 MASTERDIR=	${.CURDIR}/../../lang/php56
diff --git a/graphics/php56-gd/files/patch-config.m4 b/graphics/php56-gd/files/patch-config.m4
index 468b69287246..232e1e91a9f6 100644
--- a/graphics/php56-gd/files/patch-config.m4
+++ b/graphics/php56-gd/files/patch-config.m4
@@ -1,6 +1,6 @@
---- config.m4.orig	2013-12-11 00:31:06.000000000 +0100
-+++ config.m4	2013-12-24 21:11:19.000000000 +0100
-@@ -233,7 +233,7 @@
+--- config.m4.orig	2016-09-15 23:02:50.000000000 +0200
++++ config.m4	2016-09-28 10:10:26.335642000 +0200
+@@ -228,7 +228,7 @@ AC_DEFUN([PHP_GD_T1LIB],[
      ],[
        AC_MSG_ERROR([Problem with libt1.(a|so). Please check config.log for more information.])
      ],[
diff --git a/graphics/php56-gd/files/patch-libgd_gd_webp.c b/graphics/php56-gd/files/patch-libgd_gd_webp.c
new file mode 100644
index 000000000000..b0c1419e022b
--- /dev/null
+++ b/graphics/php56-gd/files/patch-libgd_gd_webp.c
@@ -0,0 +1,18 @@
+--- libgd/gd_webp.c.orig	2016-09-28 10:07:06.092196000 +0200
++++ libgd/gd_webp.c	2016-09-28 10:08:12.429030000 +0200
+@@ -180,6 +180,15 @@ void gdImageWebpCtx (gdImagePtr im, gdIO
+ 	/* Conversion to Y,U,V buffer */
+     yuv_width = (width + 1) >> 1;
+     yuv_height = (height + 1) >> 1;
++
++    if (overflow2(width, height)) {
++        return;
++    }
++    /* simplification possible, because WebP must not be larger than 16384**2 */
++    if (overflow2(width * height, 2 * sizeof(unsigned char))) {
++        return;
++    }
++
+     yuv_nbytes = width * height + 2 * yuv_width * yuv_height;
+ 
+     if ((Y = (unsigned char *)gdCalloc(yuv_nbytes, sizeof(unsigned char))) == NULL) {