File gd-CVE-2016-6911.patch of Package gd.6411
Index: libgd-2.1.0/src/gd_io_dp.c
===================================================================
--- libgd-2.1.0.orig/src/gd_io_dp.c 2016-10-20 11:27:09.030571666 +0200
+++ libgd-2.1.0/src/gd_io_dp.c 2016-10-20 11:27:09.038571786 +0200
@@ -262,21 +262,25 @@ static int dynamicGetbuf(gdIOCtxPtr ctx,
dctx = (dpIOCtxPtr) ctx;
dp = dctx->dp;
+ if (dp->pos < 0 || dp->pos >= dp->realSize) {
+ return 0;
+ }
+
remain = dp->logicalSize - dp->pos;
if(remain >= len) {
rlen = len;
} else {
if(remain <= 0) {
- /* 2.0.34: EOF is incorrect. We use 0 for
- * errors and EOF, just like fileGetbuf,
- * which is a simple fread() wrapper.
- * TBB. Original bug report: Daniel Cowgill. */
- return 0; /* NOT EOF */
+ return 0;
}
rlen = remain;
}
+ if (dp->pos + rlen > dp->realSize) {
+ rlen = dp->realSize - dp->pos;
+ }
+
memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);
dp->pos += rlen;
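Review bot: The added clamp before `memcpy` bounds `rlen` only from above, so a negative `rlen` still passes both new checks and is converted to a very large `size_t` copy length. This can happen when `len` is negative, because `remain >= len` then selects `rlen = len`; the parameter's declaration is outside this hunk, so this assumes it is a signed int. I would add `if (rlen < 0) { return 0; }` directly before the `memcpy`. Writing the clamp as `if (rlen > dp->realSize - dp->pos)` would also avoid the signed addition, which is safe because the first added check guarantees `dp->pos < dp->realSize`. The body of `dynamicGetbuf` starts and ends outside the hunk.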
Index: libgd-2.1.0/src/gd_tiff.c
===================================================================
--- libgd-2.1.0.orig/src/gd_tiff.c 2013-06-25 11:58:23.000000000 +0200
+++ libgd-2.1.0/src/gd_tiff.c 2016-10-20 11:27:09.038571786 +0200
@@ -727,6 +727,7 @@ static int createFromTiffRgba(TIFF * tif
int height = im->sy;
uint32 *buffer;
uint32 rgba;
+ int success;
/* switch off colour merging on target gd image just while we write out
* content - we want to preserve the alpha data until the user chooses
@@ -739,18 +740,20 @@ static int createFromTiffRgba(TIFF * tif
return GD_FAILURE;
}
- TIFFReadRGBAImage(tif, width, height, buffer, 0);
+ success = TIFFReadRGBAImage(tif, width, height, buffer, 1);
- for(y = 0; y < height; y++) {
- for(x = 0; x < width; x++) {
- /* if it doesn't already exist, allocate a new colour,
- * else use existing one */
- rgba = buffer[(y * width + x)];
- a = (0xff - TIFFGetA(rgba)) / 2;
- color = gdTrueColorAlpha(TIFFGetR(rgba), TIFFGetG(rgba), TIFFGetB(rgba), a);
-
- /* set pixel colour to this colour */
- gdImageSetPixel(im, x, height - y - 1, color);
+ if (success) {
+ for(y = 0; y < height; y++) {
+ for(x = 0; x < width; x++) {
+ /* if it doesn't already exist, allocate a new colour,
+ * else use existing one */
+ rgba = buffer[(y * width + x)];
+ a = (0xff - TIFFGetA(rgba)) / 2;
+ color = gdTrueColorAlpha(TIFFGetR(rgba), TIFFGetG(rgba), TIFFGetB(rgba), a);
+
+ /* set pixel colour to this colour */
+ gdImageSetPixel(im, x, height - y - 1, color);
+ }
}
}
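Review bot: The literal `1` now passed as the last argument of `TIFFReadRGBAImage` and the new `if (success)` guard carry the whole fix here, but neither is explained. A short comment above the call would record the intent, for example `/* stop on the first decode error; copy pixels out of buffer only when the whole read succeeded */`. The allocation and release of `buffer` are outside this hunk, so the failure path's cleanup cannot be confirmed from these lines.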
@@ -758,7 +761,7 @@ static int createFromTiffRgba(TIFF * tif
/* now reset colour merge for alpha blending routines */
gdImageAlphaBlending(im, alphaBlendingFlag);
- return GD_SUCCESS;
+ return success;
}
/* gdImageCreateFromTiffCtx
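Review bot: `return success;` hands libtiff's return value back as this function's GD status, which is correct only if `GD_SUCCESS` and `GD_FAILURE` happen to equal the success and failure values of `TIFFReadRGBAImage`. Those definitions are not visible in this patch. Mapping the result explicitly removes that coupling: `return success ? GD_SUCCESS : GD_FAILURE;`.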