2.3.3:
The LibGD team is proud to announce the 2.3.3 release of libgd. This release brings a few fixes as well as improved compilation and builds on all platforms. On Windows, using vcpkg to install libgd dependencies is now well supported.
Fixed
* update cmake to generate config.h in the build dir
* gdPutBuf return value check
* HEIF builds fail with latest distros
* segfault in heif tests due to missing label.heic
* Test failure avif/compare_avif_to_png with libavif-0.8.2
* imagecopyresampled() produces artifacts on transparent PNG
* Fixes to build v2.3.0 on Windows with MinGW-w64
* optimize option in gif animation causes segfault
* _gdContributionsCalc() always uses DEFAULT_BOX_RADIUS
* gdImageRotateInterpolated() converts the source image to truecolor
* CMake and Makefiles build broken on Windows
* gdImageScaleTwoPass() loses top row and left column
2.3.2:
Fixed
gif: allow decoding when both Global and Local Colormaps
Added
avif: Support for AVIF images via libavif
heif: Support for HEIF/AVIF images via libheif
webp: Drop ../deps/ search when building with cmake
Windows: Remove unused snprintf fallback
2.3.1:
Fixed
Fix potential integer overflow detected by oss-fuzz
Fix 615 using libraqm
Fix 303: gdlib.pc: use Requires instead of Libs
Fixed 472: Adjusting CMakeLists.txt
Fix 615: gdImageStringFT() fails for empty strings as of libgd 2.3.0
Fix typo but preserve BC
Compute average in gdGuessBackgroundColorFromCorners properly
CMakeLists.txt: zlib is enabled implicitly
src/config.h.cmake: replace #cmakedefine01 with #define in macro ENABLE_GD_FOORMATS
gdlib.pc: use prefixes for pkgconfig file
cmake: remove required host includes
Move initial declaration out of for loop
distribute getlib script
Make gd_nnquant.c less likely to introduce duplicate definitions
webp: support pkg-config file
gd_io: replace internal Putchar with gdPutC
gd_io: trim unused Putword function
Added
Add REQUIRED to FIND_PACKAGE(ZLIB)
README: add some libraries info
VMS/README.VMS: Add dropping support information
2.3.0:
Security
Potential double-free in gdImage*Ptr(). (CVE-2019-6978)
gdImageColorMatch() out of bounds write on heap. (CVE-2019-6977)
Uninitialized read in gdImageCreateFromXbm(). (CVE-2019-11038)
Double-free in gdImageBmp. (CVE-2018-1000222)
Potential NULL pointer dereference in gdImageClone(). (CVE-2018-14553)
Potential infinite loop in gdImageCreateFromGifCtx(). (CVE-2018-5711)
Fixed
Fix: add codecov support
Fix: gdTransformAffineCopy run error
Fix: Install dependencies move to .travis.yml
Fix: gdTransformAffineCopy() segfaults on palette images
Fix: gdTransformAffineCopy() changes interpolation method
Fix: gdImageSetInterpolationMethod(im, GD_DEFAULT) inconsistent
Fix: gdTransformAffineCopy() may use uninitialized values
Fix: Remove cmake modules
Fix: Add RAQM support for cmake
Fix: gdImageGifAnimAddPtr: heap corruption with 2 identical images
Fix: gdImageCropAuto(…, GD_CROP_SIDES) crops left but not right
Fix: auto cropping has insufficient precision
Fix: Provide a suitable malloc function to liq
Fix: libtiff link returns 404 HTTP code
Fix: Failed to open 1 bit per pixel bitmap
Fix: new_width & new_height exception handling
Fix: gdImageCrop neglecting transparency
Fix: Potential infinite loop in gdImageCreateFromGifCtx
Fix: gd_gd.c format documentation appears to be incorrect
Fix: Fix new_a init error in gdImageConvolution()
Fix: gdImageFilledArc() doesn't properly draw pies
Fix: Fatal and normal libjpeg/libpng errors not distinguishable
Fix: Update var type to hold bigger w&h for ellipse
Fix: update doc files install directory in CMakeLists.txt
Correct some test depend errors
Update cmake min version to 3.7
Delete libimagequant source code download action in CMakeLists.txt
Improve msys support
Fix some logic error in CMakeLists.txt
Remove the following macro: HAVE_STDLIB_H, HAVE_STRING_H, HAVE_STDDEF_H, HAVE_LIMITS_H, HAVE_ERRNO_H, AC_C_CONST
Added
test cases for following API: gdImageCopyResized(), gdImageWebpEx(), gdImageCreateFromGd2PartPtr(), gdImageCloneMatch(), gdImageColorClosestHWB(), gdImageColorMatch(), gdImageStringUp(), gdImageStringUp16(), gdImageString(), gdImageString16(), gdImageCopyMergeGray(), gdImageCopyMerge()
Security
* Double-free in gdImagePngPtr(). (CVE-2017-6362)
* Buffer over-read into uninitialized memory. (CVE-2017-7890)
Fixed
* Fix 109: XBM reading fails with printed error
* Fix 338: Fatal and normal libjpeg/libpng errors not distinguishable
* Fix 357: 2.2.4: Segfault in test suite
* Fix 386: gdImageGrayScale() may produce colors
* Fix 406: webpng -i removes the transparent color
* Fix Coverity 155475: Failure to restore alphaBlendingFlag
* Fix Coverity 155476: potential resource leak
* Fix several build issues and test failures
* Fix and reenable optimized support for reading 1 bps TIFFs
Added
* The native MSVC buildchain now supports libtiff and most executables
Upstream Changelog:
Security
gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. (CVE-2016-9317)
double-free in gdImageWebPtr() (CVE-2016-6912)
potential unsigned underflow in gd_interpolation.c
DOS vulnerability in gdImageCreateFromGd2Ctx()
Fixed
Fix #354: Signed Integer Overflow gd_io.c
Fix #340: System frozen
Fix OOB reads of the TGA decompression buffer
Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
Fix potential unsigned underflow
Fix double-free in gdImageWebPtr()
Fix invalid read in gdImageCreateFromTiffPtr()
Fix OOB reads of the TGA decompression buffer
Fix #68: gif: buffer underflow reported by AddressSanitizer
Avoid potentially dangerous signed to unsigned conversion
Fix #304: test suite failure in gif/bug00006 [2.2.3]
Fix #329: GD_BILINEAR_FIXED gdImageScale() can cause black border
Fix #330: Integer overflow in gdImageScaleBilinearPalette()
Fix 321: Null pointer dereferences in gdImageRotateInterpolated
Fix whitespace and add missing comment block
Fix #319: gdImageRotateInterpolated can have wrong background color
Fix color quantization documentation
Fix #309: gdImageGd2() writes wrong chunk sizes on boundaries
Fix #307: GD_QUANT_NEUQUANT fails to unset trueColor flag
Fix #300: gdImageClone() assigns res_y = res_x
Fix #299: Regression regarding gdImageRectangle() with gdImageSetThickness()
Replace GNU old-style field designators with C89 compatible initializers
Fix #297: gdImageCrop() converts palette image to truecolor image
Fix #290: TGA RLE decoding is broken
Fix unnecessary non NULL checks
Fix #289: Passing unrecognized formats to gdImageGd2 results in corrupted files
Fix #280: gdImageWebpEx() quantization parameter is a misnomer
Publish all gdImageCreateFromWebp*() functions and gdImageWebpCtx()
Fix issue #276: Sometimes pixels are missing when storing images as BMPs
Fix issue #275: gdImageBmpCtx() may segfault for non-seekable contexts
Fix copy&paste error in gdImageScaleBicubicFixed()
Added
More documentation
Documentation on GD and GD2 formats
More tests
Security related fixes: These flaws are caused by loading data from external sources (file, custom ctx, etc) and are hard to validate before calling libgd APIs:
* fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766)
* bug 247, A read out-of-bounds was found in the parsing of TGA files (CVE-2016-6132)
* also bug 247, Buffer over-read issue when parsing crafted TGA file (CVE-2016-6214)
* bug 248, fix Out-Of-Bounds Read in read_image_tga
Using application provided parameters, in these cases invalid data causes the issues:
* Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207)
* fix php bug 72494, invalid color index not handled, can lead to crash (CVE-2016-6128)
* improve color check for CropThreshold
Important update:
* gdImageCopyResampled has been improved. Better handling of images with alpha channel, also brings libgd in sync with php's bundled gd.
Problems found with existing digests:
Package fotoxx distfile fotoxx-14.03.1.tar.gz
ac2033f87de2c23941261f7c50160cddf872c110 [recorded]
118e98a8cc0414676b3c4d37b8df407c28a1407c [calculated]
Package ploticus-examples distfile ploticus-2.00/plnode200.tar.gz
34274a03d0c41fae5690633663e3d4114b9d7a6d [recorded]
da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]
Problems found locating distfiles:
Package AfterShotPro: missing distfile AfterShotPro-1.1.0.30/AfterShotPro_i386.deb
Package pgraf: missing distfile pgraf-20010131.tar.gz
Package qvplay: missing distfile qvplay-0.95.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
Changelog:
GD team proudly announces that the 2.1.1 version of GD Graphics Library
has been released. We have fixed some reported bugs and improved the build
scripts (cmake and configure). See the Changelog files for a full list
with details or CVEs.
This is a recommended update.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
Technically this change should bump PKGREVISION (as it changes the
binary package ever so slightly for platforms where the ceill() didn't
cause a build failure) but I'm going to let it slide.
* gdColorMapLookup() answers the RGB values according to given color map
* Added support of variable resolution
* new filter gdImagePixelate()
* merged improvements that PHP GD team had made to GD Graphics Library
* bugfixes