# HG changeset patch
# User Stefan Teleman <stefan.teleman@oracle.com>
# Date 1431019916 25200
# Node ID 03635257972bc05c4fed7d654496fbdb30c84146
# Parent  e6c70ecb57e7eb337d566c5815973a26636a8190
20831561 problem in LIBRARY/GD2

diff -r e6c70ecb57e7 -r 03635257972b components/gd2/patches/005-CVE-2014-9709.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/gd2/patches/005-CVE-2014-9709.patch	Thu May 07 10:31:56 2015 -0700
@@ -0,0 +1,33 @@
+# External patch:
+# https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43
+# Backported to GD2 Version 2.0.35
+--- gd_gif_in.c	2007-06-14 12:51:41.000000000 -0700
++++ gd_gif_in.c	2015-04-06 11:11:40.591453962 -0700
+@@ -70,8 +70,10 @@
+ 
+ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+ 
++#define CSD_BUF_SIZE 280
++
+ typedef struct {
+-	unsigned char    buf[280];
++	unsigned char    buf[CSD_BUF_SIZE];
+ 	int              curbit, lastbit, done, last_byte;
+ } CODE_STATIC_DATA;
+ 
+@@ -380,8 +382,14 @@
+        }
+ 
+        ret = 0;
+-       for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
++       for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
++         if (i < CSD_BUF_SIZE * 8) {
+                ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
++         } else {
++           ret = -1;
++           break;
++         }
++       }
+ 
+        scd->curbit += code_size;
+        return ret;