authorJoachim Fasting <joachifm@fastmail.fm>2016-05-13 17:12:07 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2016-05-14 07:15:41 +0200
commit220836d06650076cbb4d879e5bb8efddd3ce1bcd (patch)
treeb489455c5243599d749328a7b14179e7f2b78247 /pkgs/development/libraries/gd
parentf8bdd7969d1af9b1f4ab5f968fae336190c1ae1c (diff)
gd: apply patch for CVE-2016-3074 from upstream
Source:
https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19.patch

The original patch contains binary data, however, which is not supported
by `patch`; we could use `git apply` here, of course, but it was simpler
to just copy-paste only the fix into a separate file and include it in
the repo.
Diffstat (limited to 'pkgs/development/libraries/gd')
-rw-r--r--pkgs/development/libraries/gd/CVE-2016-3074.patch13
-rw-r--r--pkgs/development/libraries/gd/default.nix6
2 files changed, 18 insertions, 1 deletions
diff --git a/pkgs/development/libraries/gd/CVE-2016-3074.patch b/pkgs/development/libraries/gd/CVE-2016-3074.patch
new file mode 100644
index 00000000000..76994697729
--- /dev/null
+++ b/pkgs/development/libraries/gd/CVE-2016-3074.patch
@@ -0,0 +1,13 @@
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 6f28461..a50b33d 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -165,6 +165,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
+ 			if (gdGetInt (&cidx[i].size, in) != 1) {
+ 				goto fail2;
+ 			};
++			if (cidx[i].offset < 0 || cidx[i].size < 0)
++				goto fail2;
+ 		};
+ 		*chunkIdx = cidx;
+ 	};
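Review bot: The added guard `if (cidx[i].offset < 0 || cidx[i].size < 0)` rejects only negative chunk-index entries; an offset or size that is positive but larger than the input still passes at this point. Whether later code in gd_gd2.c bounds these values against the data actually available is not visible in this excerpt, so that should be confirmed before treating this check as the complete fix. Because the vendored file is a hand-copied excerpt, it would also help to record its provenance in a leading text line of the patch, for example `Upstream: libgd commit 2bb97f407c1145c850416a3bfbcc8cf124e68a19 (binary test data omitted)`, so a later audit can compare it with upstream. The body of _gd2GetHeader starts and ends outside the hunk.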
diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix
index c58bd11bc64..bf3b63db399 100644
--- a/pkgs/development/libraries/gd/default.nix
+++ b/pkgs/development/libraries/gd/default.nix
@@ -12,12 +12,16 @@
 stdenv.mkDerivation rec {
   name = "gd-${version}";
   version = "2.1.1";
-  
+
   src = fetchurl {
     url = "https://github.com/libgd/libgd/releases/download/${name}/libgd-${version}.tar.xz";
     sha256 = "11djy9flzxczphigqgp7fbbblbq35gqwwhn9xfcckawlapa1xnls";
   };
 
+  patches = [
+    ./CVE-2016-3074.patch
+  ];
+
   nativeBuildInputs = [ pkgconfig ];
   buildInputs = [ zlib fontconfig freetype libjpeg libpng libtiff libXpm ];