# HG changeset patch
# User Stefan Teleman
# Date 1431708116 25200
# Node ID 427b52500a3aa4e06571a709dfb0ecc5e5db2494
# Parent 7f73ae50e3ad5368d221d6444b06a922ecf7b168
20831561 problem in LIBRARY/GD2
diff -r 7f73ae50e3ad -r 427b52500a3a components/gd2/patches/005-CVE-2014-9709.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/gd2/patches/005-CVE-2014-9709.patch Fri May 15 09:41:56 2015 -0700
@@ -0,0 +1,33 @@
+# External patch:
+# https://bitbucket.org/libgd/gd-libgd/commits/47eb44b2e90ca88a08dca9f9a1aa9041e9587f43
+# Backported to GD2 Version 2.0.35
+--- gd_gif_in.c 2007-06-14 12:51:41.000000000 -0700
++++ gd_gif_in.c 2015-04-06 11:11:40.591453962 -0700
+@@ -70,8 +70,10 @@
+
+ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+
++#define CSD_BUF_SIZE 280
++
+ typedef struct {
+- unsigned char buf[280];
++ unsigned char buf[CSD_BUF_SIZE];
+ int curbit, lastbit, done, last_byte;
+ } CODE_STATIC_DATA;
+
+@@ -380,8 +382,14 @@
+ }
+
+ ret = 0;
+- for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
++ for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
++ if (i < CSD_BUF_SIZE * 8) {
+ ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
++ } else {
++ ret = -1;
++ break;
++ }
++ }
+
+ scd->curbit += code_size;
+ return ret;
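Review bot: The new `ret = -1` path in the second inner hunk only closes the out-of-bounds read if every caller treats a negative code as a decode error, and those callers are outside this hunk, so for the 2.0.35 backport that should be confirmed against the tree rather than assumed from upstream. After the `break`, control still reaches `scd->curbit += code_size`, so the bit cursor advances on the failure path as well. The guard tests only the upper bound while `i` is a signed `int` taken from `scd->curbit`; either state in a comment that `curbit` cannot be negative here or write the guard as `if (i >= 0 && i < CSD_BUF_SIZE * 8) {`. A comment above the loop such as `/* i is a bit index; refuse reads past buf[] and report -1 (CVE-2014-9709) */` would record why the check exists. The enclosing function begins and ends outside the hunk.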