new file mode 100644

@@ -0,0 +1,73 @@

+From ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5 Mon Sep 17 00:00:00 2001

+From: Mike Frysinger <vapier@gentoo.org>

+Date: Sat, 14 Jul 2018 13:54:08 -0400

+Subject: [PATCH] bmp: check return value in gdImageBmpPtr

+

+Closes #447.

+---

+ src/gd_bmp.c | 17 ++++++++++++++---

+ 1 file changed, 14 insertions(+), 3 deletions(-)

+

+diff --git a/src/gd_bmp.c b/src/gd_bmp.c

+index bde0b9d3..78f40d9a 100644

+--- a/src/gd_bmp.c

+@@ -47,6 +47,8 @@ static int bmp_read_4bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp

+ static int bmp_read_8bit(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info, bmp_hdr_t *header);

+ static int bmp_read_rle(gdImagePtr im, gdIOCtxPtr infile, bmp_info_t *info);

+ 

++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression);

++

+ #define BMP_DEBUG(s)

+ 

+ static int gdBMPPutWord(gdIOCtx *out, int w)

+@@ -87,8 +89,10 @@ BGD_DECLARE(void *) gdImageBmpPtr(gdImagePtr im, int *size, int compression)

+ 	void *rv;

+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);

+ 	if (out == NULL) return NULL;

+-	gdImageBmpCtx(im, out, compression);

+-	rv = gdDPExtractData(out, size);

++	if (!_gdImageBmpCtx(im, out, compression))

++		rv = gdDPExtractData(out, size);

++	else

++		rv = NULL;

+ 	out->gd_free(out);

+ 	return rv;

+ }

+@@ -141,6 +145,11 @@ BGD_DECLARE(void) gdImageBmp(gdImagePtr im, FILE *outFile, int compression)

+ 		compression - whether to apply RLE or not.

+ */

+ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)

++{

++	_gdImageBmpCtx(im, out, compression);

++}

++

++static int _gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)

+ {

+ 	int bitmap_size = 0, info_size, total_size, padding;

+ 	int i, row, xpos, pixel;

+@@ -148,6 +157,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)

+ 	unsigned char *uncompressed_row = NULL, *uncompressed_row_start = NULL;

+ 	FILE *tmpfile_for_compression = NULL;

+ 	gdIOCtxPtr out_original = NULL;

++	int ret = 1;

+ 

+ 	/* No compression if its true colour or we don't support seek */

+ 	if (im->trueColor) {

+@@ -325,6 +335,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)

+ 		out_original = NULL;

+ 	}

+ 

++	ret = 0;

+ cleanup:

+ 	if (tmpfile_for_compression) {

+ #ifdef _WIN32

+@@ -338,7 +349,7 @@ BGD_DECLARE(void) gdImageBmpCtx(gdImagePtr im, gdIOCtxPtr out, int compression)

+ 	if (out_original) {

+ 		out_original->gd_free(out_original);

+ 	}

+-	return;

++	return ret;

+ }

+ 

+ static int compress_row(unsigned char *row, int length)

@@ -1,7 +1,7 @@

 Summary:        GD is an open source code library for the dynamic creation of images by programmers.

 Name:           libgd

 Version:        2.2.5

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        MIT

 URL:            https://libgd.github.io/

 Group:          System/Libraries

@@ -9,6 +9,7 @@ Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0:        https://github.com/libgd/libgd/releases/download/gd-%{version}/%{name}-%{version}.tar.xz

 %define sha1    libgd=b777b005c401b6fa310ccf09eeb29f6c6e17ab2c

+Patch0:          CVE-2018-1000222.patch

 BuildRequires:  libjpeg-turbo-devel 

 BuildRequires:  libpng-devel

 BuildRequires:  libwebp-devel

@@ -29,6 +30,7 @@ Requires:   %{name} = %{version}

 Header & Development files 

 %prep

 %setup  -q

+%patch0 -p1

 %build

 ./configure --prefix=%{_prefix} --with-webp --with-tiff --with-jpeg --with-png --disable-werror --disable-static

@@ -51,6 +53,8 @@ make %{?_smp_mflags} -k check

 %{_libdir}/pkgconfig/*

 %changelog

+*   Fri Nov 02 2018 Ankit Jain <ankitja@vmware.com>  2.2.5-2

+-   Fix for CVE-2018-1000222

 *   Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 2.2.5-1

 -   Updated to version 2.2.5 to address CVE-2017-6362

 *   Tue Jan 31 2017 Xiaolin Li <xiaolinl@vmware.com> 2.2.4-1