1 files changed, 94 insertions, 0 deletions

diff --git a/media-gfx/gifsicle/files/gifsicle-1.94-CVE-2023-46009.patch b/media-gfx/gifsicle/files/gifsicle-1.94-CVE-2023-46009.patch
new file mode 100644
index 000000000000..6b82c8ecdd0c
--- /dev/null
+++ b/media-gfx/gifsicle/files/gifsicle-1.94-CVE-2023-46009.patch
@@ -0,0 +1,94 @@
+diff -Naurp a/src/giffunc.c b/src/giffunc.c
+--- a/src/giffunc.c	2021-09-20 13:19:00.000000000 +0200
++++ b/src/giffunc.c	2024-02-04 14:05:47.811880522 +0100
+@@ -466,8 +466,10 @@ Gif_CopyImage(Gif_Image *src)
+ void Gif_MakeImageEmpty(Gif_Image* gfi) {
+     Gif_ReleaseUncompressedImage(gfi);
+     Gif_ReleaseCompressedImage(gfi);
+-    gfi->left = gfi->top = 0;
+-    gfi->width = gfi->height = 1;
++    gfi->left = gfi->left < 0xFFFE ? gfi->left : 0xFFFE;
++    gfi->top = gfi->top < 0xFFFE ? gfi->top : 0xFFFE;
++    gfi->width = 1;
++    gfi->height = 1;
+     gfi->transparent = 0;
+     Gif_CreateUncompressedImage(gfi, 0);
+     gfi->img[0][0] = 0;
+diff -Naurp a/src/support.c b/src/support.c
+--- a/src/support.c	2023-06-14 17:47:12.000000000 +0200
++++ b/src/support.c	2024-02-04 14:05:51.307885109 +0100
+@@ -1421,9 +1421,9 @@ analyze_crop(int nmerger, Gt_Crop* crop,
+         }
+       }
+ 
+-    if (t > b)
++    if (t > b) {
+       crop->w = crop->h = 0;
+-    else {
++    } else {
+       crop->x = l;
+       crop->y = t;
+       crop->w = r - l;
+@@ -1618,7 +1618,8 @@ merge_frame_interval(Gt_Frameset *fset,
+       desti->comment = 0;
+     }
+     if (fr->comment) {
+-      if (!desti->comment) desti->comment = Gif_NewComment();
++      if (!desti->comment)
++        desti->comment = Gif_NewComment();
+       merge_comments(desti->comment, fr->comment);
+       /* delete the comment early to help with memory; set field to 0 so we
+          don't re-free it later */
+@@ -1628,10 +1629,22 @@ merge_frame_interval(Gt_Frameset *fset,
+ 
+     if (fr->interlacing >= 0)
+       desti->interlace = fr->interlacing;
+-    if (fr->left >= 0)
+-      desti->left = fr->left + (fr->position_is_offset ? desti->left : 0);
+-    if (fr->top >= 0)
+-      desti->top = fr->top + (fr->position_is_offset ? desti->top : 0);
++    if (fr->left >= 0) {
++      int left = fr->left + (fr->position_is_offset ? desti->left : 0);
++      if (left + desti->width > 65535) {
++        error(1, "left position %d out of range", left);
++        return 0;
++      }
++      desti->left = left;
++    }
++    if (fr->top >= 0) {
++      int top = fr->top + (fr->position_is_offset ? desti->top : 0);
++      if (top + desti->height > 65535) {
++        error(1, "top position %d out of range", top);
++        return 0;
++      }
++      desti->top = top;
++    }
+ 
+     if (fr->delay >= 0)
+       desti->delay = fr->delay;
+diff -Naurp a/src/xform.c b/src/xform.c
+--- a/src/xform.c	2023-06-14 17:48:05.000000000 +0200
++++ b/src/xform.c	2024-02-04 14:05:47.812880524 +0100
+@@ -262,18 +262,18 @@ crop_image(Gif_Image* gfi, Gt_Frame* fr,
+             gfi->img[j] = old_img[c.y + j] + c.x;
+         gfi->img[c.h] = 0;
+         Gif_DeleteArray(old_img);
++        gfi->left += c.x - fr->left_offset;
++        gfi->top += c.y - fr->top_offset;
+         gfi->width = c.w;
+         gfi->height = c.h;
+-    } else if (preserve_total_crop)
++    } else if (preserve_total_crop) {
+         Gif_MakeImageEmpty(gfi);
+-    else {
++    } else {
+         Gif_DeleteArray(gfi->img);
+         gfi->img = 0;
+         gfi->width = gfi->height = 0;
+     }
+ 
+-    gfi->left += c.x - fr->left_offset;
+-    gfi->top += c.y - fr->top_offset;
+     return gfi->img != 0;
+ }
+