media-libs/gd: rev bump to add some security patches

ossfuzz5700 fix
CVE-2018-5711
CVE-2019-6977
CVE-2019-6978

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

6 files changed, 617 insertions, 0 deletions

diff --git a/media-libs/gd/Manifest b/media-libs/gd/Manifest
index 9957e0f8f60d..986a6d405243 100644
--- a/media-libs/gd/Manifest
+++ b/media-libs/gd/Manifest
@@ -1 +1,3 @@
+DIST libgd-2.2.5-ossfuzz5700.dat 30 BLAKE2B 5ddd3d2be2adf05e1e2eb1852cc689be57d4d77c57b471e8b6021877f2fb137d15b4c73445fbb23a9ed585974a96dd154759a48712c1e7b5bdc5750d534aee4a SHA512 2394e92ff7a42c818e13a1ac9ad15bc81aa401adc917366ec8c440bb7f27a63777ab059aa03c501dafef0ac16b462dd23c7fb9f8086ce558203384a98a235fff
+DIST libgd-2.2.5-php_bug_75571.dat 1731 BLAKE2B 4b5d3f258b73e8089ede1b2c9f538855f410965a9e01e1f3f151ae52f072036172b184bd1a4d07b8355bb974bf088bebb0e812175a277bb67926274272bd80a0 SHA512 b3048640ce7828cca7901fadc989e867cfc6d31b44c0f5a1bda54d7428f317c8c8fc6403fef301e193869a95eb46eb7195d47710ec7f8c507ba049cb6cdcb281
 DIST libgd-2.2.5.tar.xz 2594092 BLAKE2B 222a7e012fbf9924ac391ee96c7cd3dec96afd78c6d43dfb680b33e7143e7df87fe6be75bbfe8fb93e916302d7daf08271214c84da28712e93a36465566cb2bd SHA512 e4598e17a277a75e02255402182cab139cb3f2cffcd68ec05cc10bbeaf6bc7aa39162c3445cd4a7efc1a26b72b9152bbedb187351e3ed099ea51767319997a6b
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch
new file mode 100644
index 000000000000..6d9de06998a4
--- /dev/null
+++ b/media-libs/gd/files/gd-2.2.5-CVE-2018-5711.patch
@@ -0,0 +1,124 @@
+From a11f47475e6443b7f32d21f2271f28f417e2ac04 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 29 Nov 2017 19:37:38 +0100
+Subject: [PATCH] Fix #420: Potential infinite loop in gdImageCreateFromGifCtx
+
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop.  Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+
+CVE-2018-5711
+
+See also https://bugs.php.net/bug.php?id=75571.
+---
+ src/gd_gif_in.c             |  12 ++++++------
+ tests/gif/CMakeLists.txt    |   1 +
+ tests/gif/Makemodule.am     |   2 ++
+ tests/gif/php_bug_75571.c   |  28 ++++++++++++++++++++++++++++
+ tests/gif/php_bug_75571.gif | Bin 0 -> 1731 bytes
+ 6 files changed, 38 insertions(+), 6 deletions(-)
+ create mode 100644 tests/gif/php_bug_75571.c
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index daf26e79..0a8bd717 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -335,11 +335,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ 		return 0;
+ 	}
+ 
+-	if(!im->colorsTotal) {
+-		gdImageDestroy(im);
+-		return 0;
+-	}
+-
+ 	/* Check for open colors at the end, so
+ 	 * we can reduce colorsTotal and ultimately
+ 	 * BitsPerPixel */
+@@ -351,6 +346,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromGifCtx(gdIOCtxPtr fd)
+ 		}
+ 	}
+ 
++	if(!im->colorsTotal) {
++		gdImageDestroy(im);
++		return 0;
++	}
++
+ 	return im;
+ }
+ 
+@@ -447,7 +447,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+ 	int i, j, ret;
+-	unsigned char count;
++	int count;
+ 
+ 	if(flag) {
+ 		scd->curbit = 0;
+diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
+index 2b73749e..e58e6b09 100644
+--- a/tests/gif/CMakeLists.txt
++++ b/tests/gif/CMakeLists.txt
+@@ -4,6 +4,7 @@ LIST(APPEND TESTS_FILES
+ 	bug00227
+ 	gif_null
+ 	ossfuzz5700
++	php_bug_75571
+ 	uninitialized_memory_read
+ )
+ 
+diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am
+index 3199438f..5dbeac53 100644
+--- a/tests/gif/Makemodule.am
++++ b/tests/gif/Makemodule.am
+@@ -4,6 +4,7 @@ libgd_test_programs += \
+ 	gif/bug00227 \
+ 	gif/gif_null \
+ 	gif/ossfuzz5700 \
++	gif/php_bug_75571 \
+ 	gif/uninitialized_memory_read
+ 
+ if HAVE_LIBPNG
+@@ -26,4 +27,5 @@ EXTRA_DIST += \
+ 	gif/bug00066.gif \
+ 	gif/bug00066_exp.png \
+ 	gif/ossfuzz5700.gif \
++	gif/php_bug_75571.gif \
+ 	gif/unitialized_memory_read.gif
+diff --git a/tests/gif/php_bug_75571.c b/tests/gif/php_bug_75571.c
+new file mode 100644
+index 00000000..d4fae3ae
+--- /dev/null
++++ b/tests/gif/php_bug_75571.c
+@@ -0,0 +1,28 @@
++/**
++ * Test that GIF reading does not loop infinitely
++ * 
++ * We are reading a crafted GIF image which has been truncated.  This would
++ * trigger an infinite loop formerly, but know bails out early, returning
++ * NULL from gdImageCreateFromGif().
++ *
++ * See also https://bugs.php.net/bug.php?id=75571.
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++    gdImagePtr im;
++    FILE *fp;
++
++    fp = gdTestFileOpen2("gif", "php_bug_75571.gif");
++    gdTestAssert(fp != NULL);
++    im = gdImageCreateFromGif(fp);
++    gdTestAssert(im == NULL);
++    fclose(fp);
++
++    return gdNumFailures();
++}
+
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch
new file mode 100644
index 000000000000..0b67a596c6bc
--- /dev/null
+++ b/media-libs/gd/files/gd-2.2.5-CVE-2019-6977.patch
@@ -0,0 +1,28 @@
+Description: Heap-based buffer overflow in gdImageColorMatch
+Origin: other, https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
+Bug-PHP: https://bugs.php.net/bug.php?id=77270
+Bug-Debian: https://bugs.debian.org/920645
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6977
+Forwarded: no
+Author: "Christoph M. Becker" <cmbecker69@gmx.de>
+Last-Update: 2019-02-01
+
+At least some of the image reading functions may return images which
+use color indexes greater than or equal to im->colorsTotal.  We cater
+to this by always using a buffer size which is sufficient for
+`gdMaxColors` in `gdImageColorMatch()`.
+---
+
+--- a/src/gd_color_match.c
++++ b/src/gd_color_match.c
+@@ -31,8 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdIm
+ 		return -4; /* At least 1 color must be allocated */
+ 	}
+ 
+-	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
+-	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
++	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
++	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
+ 
+ 	for (x=0; x < im1->sx; x++) {
+ 		for( y=0; y<im1->sy; y++ ) {
diff --git a/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch
new file mode 100644
index 000000000000..2eb9369a0bad
--- /dev/null
+++ b/media-libs/gd/files/gd-2.2.5-CVE-2019-6978.patch
@@ -0,0 +1,278 @@
+From 553702980ae89c83f2d6e254d62cf82e204956d0 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 17 Jan 2019 11:54:55 +0100
+Subject: [PATCH] Fix #492: Potential double-free in gdImage*Ptr()
+
+Whenever `gdImage*Ptr()` calls `gdImage*Ctx()` and the latter fails, we
+must not call `gdDPExtractData()`; otherwise a double-free would
+happen.  Since `gdImage*Ctx()` are void functions, and we can't change
+that for BC reasons, we're introducing static helpers which are used
+internally.
+
+We're adding a regression test for `gdImageJpegPtr()`, but not for
+`gdImageGifPtr()` and `gdImageWbmpPtr()` since we don't know how to
+trigger failure of the respective `gdImage*Ctx()` calls.
+
+This potential security issue has been reported by Solmaz Salimi (aka.
+Rooney).
+---
+ src/gd_gif_out.c                  | 18 +++++++++++++++---
+ src/gd_jpeg.c                     | 20 ++++++++++++++++----
+ src/gd_wbmp.c                     | 21 ++++++++++++++++++---
+ tests/jpeg/CMakeLists.txt         |  1 +
+ tests/jpeg/Makemodule.am          |  3 ++-
+ tests/jpeg/jpeg_ptr_double_free.c | 31 +++++++++++++++++++++++++++++++
+ 7 files changed, 84 insertions(+), 11 deletions(-)
+ create mode 100644 tests/jpeg/jpeg_ptr_double_free.c
+
+diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
+index 298a5812..d5a95346 100644
+--- a/src/gd_gif_out.c
++++ b/src/gd_gif_out.c
+@@ -99,6 +99,7 @@ static void char_init(GifCtx *ctx);
+ static void char_out(int c, GifCtx *ctx);
+ static void flush_char(GifCtx *ctx);
+ 
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out);
+ 
+ 
+ 
+@@ -131,8 +132,11 @@ BGD_DECLARE(void *) gdImageGifPtr(gdImagePtr im, int *size)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageGifCtx(im, out);
+-	rv = gdDPExtractData(out, size);
++	if (!_gdImageGifCtx(im, out)) {
++		rv = gdDPExtractData(out, size);
++	} else {
++		rv = NULL;
++	}
+ 	out->gd_free(out);
+ 	return rv;
+ }
+@@ -220,6 +224,12 @@ BGD_DECLARE(void) gdImageGif(gdImagePtr im, FILE *outFile)
+ 
+ */
+ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
++{
++	_gdImageGifCtx(im, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ {
+ 	gdImagePtr pim = 0, tim = im;
+ 	int interlace, BitsPerPixel;
+@@ -231,7 +241,7 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ 		based temporary image. */
+ 		pim = gdImageCreatePaletteFromTrueColor(im, 1, 256);
+ 		if(!pim) {
+-			return;
++			return 1;
+ 		}
+ 		tim = pim;
+ 	}
+@@ -247,6 +257,8 @@ BGD_DECLARE(void) gdImageGifCtx(gdImagePtr im, gdIOCtxPtr out)
+ 		/* Destroy palette based temporary image. */
+ 		gdImageDestroy(	pim);
+ 	}
++
++	return 0;
+ }
+ 
+ 
+diff --git a/src/gd_jpeg.c b/src/gd_jpeg.c
+index fc058420..96ef4302 100644
+--- a/src/gd_jpeg.c
++++ b/src/gd_jpeg.c
+@@ -117,6 +117,8 @@ static void fatal_jpeg_error(j_common_ptr cinfo)
+ 	exit(99);
+ }
+ 
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality);
++
+ /*
+  * Write IM to OUTFILE as a JFIF-formatted JPEG image, using quality
+  * QUALITY.  If QUALITY is in the range 0-100, increasing values
+@@ -231,8 +233,11 @@ BGD_DECLARE(void *) gdImageJpegPtr(gdImagePtr im, int *size, int quality)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageJpegCtx(im, out, quality);
+-	rv = gdDPExtractData(out, size);
++	if (!_gdImageJpegCtx(im, out, quality)) {
++		rv = gdDPExtractData(out, size);
++	} else {
++		rv = NULL;
++	}
+ 	out->gd_free(out);
+ 	return rv;
+ }
+@@ -253,6 +258,12 @@ void jpeg_gdIOCtx_dest(j_compress_ptr cinfo, gdIOCtx *outfile);
+ 
+ */
+ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
++{
++	_gdImageJpegCtx(im, outfile, quality);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ {
+ 	struct jpeg_compress_struct cinfo;
+ 	struct jpeg_error_mgr jerr;
+@@ -287,7 +298,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ 		if(row) {
+ 			gdFree(row);
+ 		}
+-		return;
++		return 1;
+ 	}
+ 
+ 	cinfo.err->emit_message = jpeg_emit_message;
+@@ -328,7 +339,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ 	if(row == 0) {
+ 		gd_error("gd-jpeg: error: unable to allocate JPEG row structure: gdCalloc returns NULL\n");
+ 		jpeg_destroy_compress(&cinfo);
+-		return;
++		return 1;
+ 	}
+ 
+ 	rowptr[0] = row;
+@@ -405,6 +416,7 @@ BGD_DECLARE(void) gdImageJpegCtx(gdImagePtr im, gdIOCtx *outfile, int quality)
+ 	jpeg_finish_compress(&cinfo);
+ 	jpeg_destroy_compress(&cinfo);
+ 	gdFree(row);
++	return 0;
+ }
+ 
+ 
+diff --git a/src/gd_wbmp.c b/src/gd_wbmp.c
+index f19a1c96..a49bdbec 100644
+--- a/src/gd_wbmp.c
++++ b/src/gd_wbmp.c
+@@ -88,6 +88,8 @@ int gd_getin(void *in)
+ 	return (gdGetC((gdIOCtx *)in));
+ }
+ 
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out);
++
+ /*
+ 	Function: gdImageWBMPCtx
+ 
+@@ -100,6 +102,12 @@ int gd_getin(void *in)
+ 		out   - the stream where to write
+ */
+ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
++{
++	_gdImageWBMPCtx(image, fg, out);
++}
++
++/* returns 0 on success, 1 on failure */
++static int _gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ {
+ 	int x, y, pos;
+ 	Wbmp *wbmp;
+@@ -107,7 +115,7 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ 	/* create the WBMP */
+ 	if((wbmp = createwbmp(gdImageSX(image), gdImageSY(image), WBMP_WHITE)) == NULL) {
+ 		gd_error("Could not create WBMP\n");
+-		return;
++		return 1;
+ 	}
+ 
+ 	/* fill up the WBMP structure */
+@@ -123,11 +131,15 @@ BGD_DECLARE(void) gdImageWBMPCtx(gdImagePtr image, int fg, gdIOCtx *out)
+ 
+ 	/* write the WBMP to a gd file descriptor */
+ 	if(writewbmp(wbmp, &gd_putout, out)) {
++		freewbmp(wbmp);
+ 		gd_error("Could not save WBMP\n");
++		return 1;
+ 	}
+ 
+ 	/* des submitted this bugfix: gdFree the memory. */
+ 	freewbmp(wbmp);
++
++	return 0;
+ }
+ 
+ /*
+@@ -271,8 +283,11 @@ BGD_DECLARE(void *) gdImageWBMPPtr(gdImagePtr im, int *size, int fg)
+ 	void *rv;
+ 	gdIOCtx *out = gdNewDynamicCtx(2048, NULL);
+ 	if (out == NULL) return NULL;
+-	gdImageWBMPCtx(im, fg, out);
+-	rv = gdDPExtractData(out, size);
++	if (!_gdImageWBMPCtx(im, fg, out)) {
++		rv = gdDPExtractData(out, size);
++	} else {
++		rv = NULL;
++	}
+ 	out->gd_free(out);
+ 	return rv;
+ }
+diff --git a/tests/jpeg/CMakeLists.txt b/tests/jpeg/CMakeLists.txt
+index 19964b0c..a8d8162f 100644
+--- a/tests/jpeg/CMakeLists.txt
++++ b/tests/jpeg/CMakeLists.txt
+@@ -2,6 +2,7 @@ IF(JPEG_FOUND)
+ LIST(APPEND TESTS_FILES
+ 	jpeg_empty_file
+ 	jpeg_im2im
++	jpeg_ptr_double_free
+ 	jpeg_null
+ )
+ 
+diff --git a/tests/jpeg/Makemodule.am b/tests/jpeg/Makemodule.am
+index 7e5d317b..b89e1695 100644
+--- a/tests/jpeg/Makemodule.am
++++ b/tests/jpeg/Makemodule.am
+@@ -2,7 +2,8 @@ if HAVE_LIBJPEG
+ libgd_test_programs += \
+ 	jpeg/jpeg_empty_file \
+ 	jpeg/jpeg_im2im \
+-	jpeg/jpeg_null
++	jpeg/jpeg_null \
++	jpeg/jpeg_ptr_double_free
+ 
+ if HAVE_LIBPNG
+ libgd_test_programs += \
+diff --git a/tests/jpeg/jpeg_ptr_double_free.c b/tests/jpeg/jpeg_ptr_double_free.c
+new file mode 100644
+index 00000000..df5a510b
+--- /dev/null
++++ b/tests/jpeg/jpeg_ptr_double_free.c
+@@ -0,0 +1,31 @@
++/**
++ * Test that failure to convert to JPEG returns NULL
++ *
++ * We are creating an image, set its width to zero, and pass this image to
++ * `gdImageJpegPtr()` which is supposed to fail, and as such should return NULL.
++ *
++ * See also <https://github.com/libgd/libgd/issues/381>
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++    gdImagePtr src, dst;
++    int size;
++
++    src = gdImageCreateTrueColor(1, 10);
++    gdTestAssert(src != NULL);
++
++    src->sx = 0; /* this hack forces gdImageJpegPtr() to fail */
++
++    dst = gdImageJpegPtr(src, &size, 0);
++    gdTestAssert(dst == NULL);
++
++    gdImageDestroy(src);
++
++    return gdNumFailures();
++}
diff --git a/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch
new file mode 100644
index 000000000000..891c232115ec
--- /dev/null
+++ b/media-libs/gd/files/gd-2.2.5-ossfuzz5700.patch
@@ -0,0 +1,103 @@
+From 9fa3abd2e61da18ed2b889704e4e252f0f5a95fe Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Fri, 26 Jan 2018 01:57:52 -0500
+Subject: [PATCH] gif: fix out-of-bounds read w/corrupted lzw data
+
+oss-fuzz pointed out:
+gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int [4096]'
+
+Add some bounds checking on each code that we read from the file.
+---
+ src/gd_gif_in.c           |   8 ++++++++
+ tests/gif/CMakeLists.txt  |   3 ++-
+ tests/gif/Makemodule.am   |   2 ++
+ tests/gif/ossfuzz5700.c   |  13 +++++++++++++
+ tests/gif/ossfuzz5700.gif | Bin 0 -> 30 bytes
+ 6 files changed, 26 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gif/ossfuzz5700.c
+
+diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
+index afc08bf7..daf26e79 100644
+--- a/src/gd_gif_in.c
++++ b/src/gd_gif_in.c
+@@ -601,6 +601,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i
+ 				/* Bad compressed data stream */
+ 				return -1;
+ 			}
++			if(code >= (1 << MAX_LWZ_BITS)) {
++				/* Corrupted code */
++				return -1;
++			}
+ 
+ 			*sd->sp++ = sd->table[1][code];
+ 
+@@ -610,6 +614,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i
+ 
+ 			code = sd->table[0][code];
+ 		}
++		if(code >= (1 << MAX_LWZ_BITS)) {
++			/* Corrupted code */
++			return -1;
++		}
+ 
+ 		*sd->sp++ = sd->firstcode = sd->table[1][code];
+ 
+diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
+index 7d40cddc..2b73749e 100644
+--- a/tests/gif/CMakeLists.txt
++++ b/tests/gif/CMakeLists.txt
+@@ -3,6 +3,8 @@ LIST(APPEND TESTS_FILES
+ 	bug00181
+ 	bug00227
+ 	gif_null
++	ossfuzz5700
++	uninitialized_memory_read
+ )
+ 
+ IF(PNG_FOUND)
+@@ -12,7 +14,6 @@ LIST(APPEND TESTS_FILES
+ 	bug00060
+ 	bug00066
+ 	gif_im2im
+-	uninitialized_memory_read
+ )
+ ENDIF(PNG_FOUND)
+ 
+diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am
+index 0bdeab7e..3199438f 100644
+--- a/tests/gif/Makemodule.am
++++ b/tests/gif/Makemodule.am
+@@ -3,6 +3,7 @@ libgd_test_programs += \
+ 	gif/bug00181 \
+ 	gif/bug00227 \
+ 	gif/gif_null \
++	gif/ossfuzz5700 \
+ 	gif/uninitialized_memory_read
+ 
+ if HAVE_LIBPNG
+@@ -24,4 +25,5 @@ EXTRA_DIST += \
+ 	gif/bug00060.gif \
+ 	gif/bug00066.gif \
+ 	gif/bug00066_exp.png \
++	gif/ossfuzz5700.gif \
+ 	gif/unitialized_memory_read.gif
+diff --git a/tests/gif/ossfuzz5700.c b/tests/gif/ossfuzz5700.c
+new file mode 100644
+index 00000000..8fc9f88c
+--- /dev/null
++++ b/tests/gif/ossfuzz5700.c
+@@ -0,0 +1,13 @@
++#include <stdio.h>
++#include "gd.h"
++#include "gdtest.h"
++
++int main()
++{
++	gdImagePtr im;
++	FILE *fp = gdTestFileOpen("gif/ossfuzz5700.gif");
++	im = gdImageCreateFromGif(fp);
++	fclose(fp);
++	gdImageDestroy(im);
++	return 0;
++}
+
diff --git a/media-libs/gd/gd-2.2.5-r2.ebuild b/media-libs/gd/gd-2.2.5-r2.ebuild
new file mode 100644
index 000000000000..7686c2013dad
--- /dev/null
+++ b/media-libs/gd/gd-2.2.5-r2.ebuild
@@ -0,0 +1,82 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit autotools multilib-minimal
+
+DESCRIPTION="Graphics library for fast image creation"
+HOMEPAGE="https://libgd.org/ https://www.boutell.com/gd/"
+SRC_URI="https://github.com/libgd/libgd/releases/download/${P}/lib${P}.tar.xz
+	test? (
+		https://github.com/libgd/libgd/raw/e0cb1b76c305db68b251fe782faa12da5d357593/tests/gif/ossfuzz5700.gif -> lib$P-ossfuzz5700.dat
+		https://github.com/libgd/libgd/raw/e0cb1b76c305db68b251fe782faa12da5d357593/tests/gif/php_bug_75571.gif -> lib$P-php_bug_75571.dat
+	)"
+
+LICENSE="gd IJG HPND BSD"
+SLOT="2/3"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="fontconfig jpeg png static-libs test tiff truetype webp xpm zlib"
+
+# fontconfig has prefixed font paths, details see bug #518970
+REQUIRED_USE="prefix? ( fontconfig )"
+
+RDEPEND="fontconfig? ( >=media-libs/fontconfig-2.10.92[${MULTILIB_USEDEP}] )
+	jpeg? ( >=virtual/jpeg-0-r2:0=[${MULTILIB_USEDEP}] )
+	png? ( >=media-libs/libpng-1.6.10:0=[${MULTILIB_USEDEP}] )
+	tiff? ( media-libs/tiff:0[${MULTILIB_USEDEP}] )
+	truetype? ( >=media-libs/freetype-2.5.0.1[${MULTILIB_USEDEP}] )
+	webp? ( media-libs/libwebp:=[${MULTILIB_USEDEP}] )
+	xpm? ( >=x11-libs/libXpm-3.5.10-r1[${MULTILIB_USEDEP}] >=x11-libs/libXt-1.1.4[${MULTILIB_USEDEP}] )
+	zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+	>=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]"
+
+S="${WORKDIR}/lib${P}"
+
+PATCHES=(
+	"${FILESDIR}/${P}-ossfuzz5700.patch"
+	"${FILESDIR}/${P}-CVE-2018-5711.patch"
+	"${FILESDIR}/${P}-CVE-2018-1000222.patch"
+	"${FILESDIR}/${P}-CVE-2019-6977.patch"
+	"${FILESDIR}/${P}-CVE-2019-6978.patch"
+)
+
+src_unpack() {
+	default
+
+	cp "${DISTDIR}"/lib${P}-ossfuzz5700.dat "${S}"/tests/gif/ossfuzz5700.gif || die
+	cp "${DISTDIR}"/lib${P}-php_bug_75571.dat "${S}"/tests/gif/php_bug_75571.gif || die
+}
+
+src_prepare() {
+	default
+
+	eautoreconf
+}
+
+multilib_src_configure() {
+	# we aren't actually {en,dis}abling X here ... the configure
+	# script uses it just to add explicit -I/-L paths which we
+	# don't care about on Gentoo systems.
+	local myeconfargs=(
+		--disable-werror
+		--without-x
+		--without-liq
+		$(use_enable static-libs static)
+		$(use_with fontconfig)
+		$(use_with png)
+		$(use_with tiff)
+		$(use_with truetype freetype)
+		$(use_with jpeg)
+		$(use_with webp)
+		$(use_with xpm)
+		$(use_with zlib)
+	)
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+multilib_src_install_all() {
+	dodoc README.md
+	find "${D}" -name '*.la' -delete || die
+}