gd : CVE-2016-6906

The read_image_tga function in gd_tga.c in the GD Graphics Library (aka libgd)
before 2.2.4 allows remote attackers to cause a denial of service (out-of-bounds read)
via a crafted TGA file, related to the decompression buffer.

Reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6906

Upstream patches:
https://github.com/libgd/libgd/commit/fb0e0cce0b9f25389ab56604c3547351617e1415
https://github.com/libgd/libgd/commit/58b6dde319c301b0eae27d12e2a659e067d80558

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

5 files changed, 703 insertions, 1 deletions

diff --git a/meta-oe/recipes-support/gd/gd/.gitignore-the-new-test-case.patch b/meta-oe/recipes-support/gd/gd/.gitignore-the-new-test-case.patch
new file mode 100644
index 0000000000..eab4975cb6
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/.gitignore-the-new-test-case.patch
@@ -0,0 +1,24 @@
+From 8520274759cb8f95e483b02a445aff225e13467b Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 16 Aug 2016 16:00:27 +0200
+Subject: [PATCH] .gitignore the new test case
+
+Upstream-Status: Backport
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ tests/tga/.gitignore | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/tga/.gitignore b/tests/tga/.gitignore
+index e88e124..7a659b1 100644
+--- a/tests/tga/.gitignore
++++ b/tests/tga/.gitignore
+@@ -4,3 +4,4 @@
+ /bug00248
+ /bug00248a
+ /tga_null
++/tga_read
+-- 
+2.10.2
+
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-6906-1.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-1.patch
new file mode 100644
index 0000000000..97b7f72498
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-1.patch
@@ -0,0 +1,167 @@
+From fb0e0cce0b9f25389ab56604c3547351617e1415 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 16 Aug 2016 16:26:19 +0200
+Subject: [PATCH] Fix OOB reads of the TGA decompression buffer
+
+It is possible to craft TGA files which will overflow the decompression
+buffer, but not the image's bitmap. Therefore we augment the check for the
+bitmap's overflow with a check for the buffer's overflow.
+
+This issue had been reported by Ibrahim El-Sayed to security@libgd.org.
+
+CVE-2016-6906
+
+Upstream-Status: Backport
+CVE: CVE-2016-6906
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/gd_tga.c                |   6 ++++--
+ tests/tga/.gitignore        |   1 +
+ tests/tga/CMakeLists.txt    |   1 +
+ tests/tga/Makemodule.am     |   2 ++
+ tests/tga/heap_overflow.c   |  51 ++++++++++++++++++++++++++++++++++++++++++++
+ tests/tga/heap_overflow.tga | Bin 0 -> 605 bytes
+ 6 files changed, 59 insertions(+), 2 deletions(-)
+ create mode 100644 tests/tga/heap_overflow.c
+ create mode 100644 tests/tga/heap_overflow.tga
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index 8737b04..68e4b17 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -300,7 +300,8 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 				encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 );
+ 				buffer_caret++;
+ 
+-				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) {
++				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size
++						|| buffer_caret + pixel_block_size > rle_size) {
+ 					gdFree( decompression_buffer );
+ 					gdFree( conversion_buffer );
+ 					return -1;
+@@ -316,7 +317,8 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 				encoded_pixels = decompression_buffer[ buffer_caret ] + 1;
+ 				buffer_caret++;
+ 
+-				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) {
++				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size
++						|| buffer_caret + (encoded_pixels * pixel_block_size) > rle_size) {
+ 					gdFree( decompression_buffer );
+ 					gdFree( conversion_buffer );
+ 					return -1;
+diff --git a/tests/tga/.gitignore b/tests/tga/.gitignore
+index 7a659b1..cf0556b 100644
+--- a/tests/tga/.gitignore
++++ b/tests/tga/.gitignore
+@@ -3,5 +3,6 @@
+ /bug00247a
+ /bug00248
+ /bug00248a
++/heap_overflow
+ /tga_null
+ /tga_read
+diff --git a/tests/tga/CMakeLists.txt b/tests/tga/CMakeLists.txt
+index 789fb14..11542a0 100644
+--- a/tests/tga/CMakeLists.txt
++++ b/tests/tga/CMakeLists.txt
+@@ -5,6 +5,7 @@ LIST(APPEND TESTS_FILES
+ 	bug00247a
+ 	bug00248
+ 	bug00248a
++	heap_overflow
+ 	tga_read
+ )
+ 
+diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am
+index a1e6af6..916d707 100644
+--- a/tests/tga/Makemodule.am
++++ b/tests/tga/Makemodule.am
+@@ -4,6 +4,7 @@ libgd_test_programs += \
+ 	tga/bug00247a \
+ 	tga/bug00248 \
+ 	tga/bug00248a \
++	tga/heap_overflow \
+ 	tga/tga_null \
+ 	tga/tga_read
+ 
+@@ -14,6 +15,7 @@ EXTRA_DIST += \
+ 	tga/bug00247a.tga \
+ 	tga/bug00248.tga \
+ 	tga/bug00248a.tga \
++	tga/heap_overflow.tga \
+ 	tga/tga_read_rgb.png \
+ 	tga/tga_read_rgb.tga \
+ 	tga/tga_read_rgb_rle.tga
+diff --git a/tests/tga/heap_overflow.c b/tests/tga/heap_overflow.c
+new file mode 100644
+index 0000000..0e9a2d0
+--- /dev/null
++++ b/tests/tga/heap_overflow.c
+@@ -0,0 +1,51 @@
++/**
++ * Test that the crafted TGA file doesn't trigger OOB reads.
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++static size_t read_test_file(char **buffer, char *basename);
++
++
++int main()
++{
++    gdImagePtr im;
++    char *buffer;
++    size_t size;
++
++    size = read_test_file(&buffer, "heap_overflow.tga");
++    im = gdImageCreateFromTgaPtr(size, (void *) buffer);
++    gdTestAssert(im == NULL);
++    free(buffer);
++
++    return gdNumFailures();
++}
++
++
++static size_t read_test_file(char **buffer, char *basename)
++{
++    char *filename;
++    FILE *fp;
++    size_t exp_size, act_size;
++
++    filename = gdTestFilePath2("tga", basename);
++    fp = fopen(filename, "rb");
++    gdTestAssert(fp != NULL);
++
++	fseek(fp, 0, SEEK_END);
++	exp_size = ftell(fp);
++	fseek(fp, 0, SEEK_SET);
++
++    *buffer = malloc(exp_size);
++    gdTestAssert(*buffer != NULL);
++    act_size = fread(*buffer, sizeof(**buffer), exp_size, fp);
++    gdTestAssert(act_size == exp_size);
++
++    fclose(fp);
++    free(filename);
++
++    return act_size;
++}
+diff --git a/tests/tga/heap_overflow.tga b/tests/tga/heap_overflow.tga
+new file mode 100644
+index 0000000000000000000000000000000000000000..e9bc0ecb2a847ac6edba92dd0ff61167b49002cd
+GIT binary patch
+literal 605
+zcmZQz;9`IQ9tIu;g&7<$F3o7Yg1qzyh6tefy9wZAs2d<Uh*yuz=?XwW4Qvuv#g2nS
+zp93+mT0rVR>T&8(2TGy=f_l)@gSap~$FayUFu(!|SyJIFga^{8fGj~vwq8kkVgvv>
+Cavop+
+
+literal 0
+HcmV?d00001
+
+-- 
+2.10.2
+
diff --git a/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch
new file mode 100644
index 0000000000..8b6de97112
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/CVE-2016-6906-2.patch
@@ -0,0 +1,135 @@
+From 58b6dde319c301b0eae27d12e2a659e067d80558 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 16 Aug 2016 16:26:19 +0200
+Subject: [PATCH] Fix OOB reads of the TGA decompression buffer
+
+It is possible to craft TGA files which will overflow the decompression
+buffer, but not the image's bitmap. Therefore we also have to check for
+potential decompression buffer overflows.
+
+This issue had been reported by Ibrahim El-Sayed to security@libgd.org;
+a modified case exposing an off-by-one error of the first patch had been
+provided by Konrad Beckmann.
+
+This commit is an amendment to commit fb0e0cce, so we use CVE-2016-6906
+as well.
+
+Upstream-Status: Backport
+CVE: CVE-2016-6906
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/gd_tga.c                  |   8 +++++++-
+ tests/tga/Makemodule.am       |   3 ++-
+ tests/tga/heap_overflow.c     |  16 ++++++++++++----
+ tests/tga/heap_overflow_1.tga | Bin 0 -> 605 bytes
+ tests/tga/heap_overflow_2.tga | Bin 0 -> 8746 bytes
+ 5 files changed, 21 insertions(+), 6 deletions(-)
+ create mode 100644 tests/tga/heap_overflow_1.tga
+ create mode 100644 tests/tga/heap_overflow_2.tga
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index 68e4b17..f80f0b1 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -295,7 +295,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 		buffer_caret = 0;
+ 
+ 		while( bitmap_caret < image_block_size ) {
+-			
++
++			if (buffer_caret + pixel_block_size > rle_size) {
++				gdFree( decompression_buffer );
++				gdFree( conversion_buffer );
++				return -1;
++			}
++
+ 			if ((decompression_buffer[buffer_caret] & TGA_RLE_FLAG) == TGA_RLE_FLAG) {
+ 				encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 );
+ 				buffer_caret++;
+diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am
+index 916d707..ab08dbf 100644
+--- a/tests/tga/Makemodule.am
++++ b/tests/tga/Makemodule.am
+@@ -15,7 +15,8 @@ EXTRA_DIST += \
+ 	tga/bug00247a.tga \
+ 	tga/bug00248.tga \
+ 	tga/bug00248a.tga \
+-	tga/heap_overflow.tga \
++	tga/heap_overflow_1.tga \
++	tga/heap_overflow_2.tga \
+ 	tga/tga_read_rgb.png \
+ 	tga/tga_read_rgb.tga \
+ 	tga/tga_read_rgb_rle.tga
+diff --git a/tests/tga/heap_overflow.c b/tests/tga/heap_overflow.c
+index 0e9a2d0..ddd4b63 100644
+--- a/tests/tga/heap_overflow.c
++++ b/tests/tga/heap_overflow.c
+@@ -1,5 +1,5 @@
+ /**
+- * Test that the crafted TGA file doesn't trigger OOB reads.
++ * Test that crafted TGA files don't trigger OOB reads.
+  */
+ 
+ 
+@@ -7,21 +7,29 @@
+ #include "gdtest.h"
+ 
+ 
++static void check_file(char *basename);
+ static size_t read_test_file(char **buffer, char *basename);
+ 
+ 
+ int main()
+ {
++    check_file("heap_overflow_1.tga");
++    check_file("heap_overflow_2.tga");
++
++    return gdNumFailures();
++}
++
++
++static void check_file(char *basename)
++{
+     gdImagePtr im;
+     char *buffer;
+     size_t size;
+ 
+-    size = read_test_file(&buffer, "heap_overflow.tga");
++    size = read_test_file(&buffer, basename);
+     im = gdImageCreateFromTgaPtr(size, (void *) buffer);
+     gdTestAssert(im == NULL);
+     free(buffer);
+-
+-    return gdNumFailures();
+ }
+ 
+ 
+diff --git a/tests/tga/heap_overflow_1.tga b/tests/tga/heap_overflow_1.tga
+new file mode 100644
+index 0000000000000000000000000000000000000000..e9bc0ecb2a847ac6edba92dd0ff61167b49002cd
+GIT binary patch
+literal 605
+zcmZQz;9`IQ9tIu;g&7<$F3o7Yg1qzyh6tefy9wZAs2d<Uh*yuz=?XwW4Qvuv#g2nS
+zp93+mT0rVR>T&8(2TGy=f_l)@gSap~$FayUFu(!|SyJIFga^{8fGj~vwq8kkVgvv>
+Cavop+
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/tga/heap_overflow_2.tga b/tests/tga/heap_overflow_2.tga
+new file mode 100644
+index 0000000000000000000000000000000000000000..2b681f2df8941d6823aa761be0a7fa3c02c92cbf
+GIT binary patch
+literal 8746
+zcmeIxF$#b%6a>*<djij4?cuz+Vi5?!RIY)@*eDAQ@`zPSwQE1NTI<YQEqdQG#s5@h
+zwDFtAoIjm)CIQa|$z*q(vz}DbnPjrN&RI{Y=}a=&UFWPP)joCZ<31}ey8!(}FZZ71
+zWop>#e)AY=opmMw&j!h4cb&7IRMVMcvb)Y%PpaumGTB|{tS8lUCYkK6bJmk;IzMDC
+D4PYIN
+
+literal 0
+HcmV?d00001
+
+-- 
+2.10.2
+
diff --git a/meta-oe/recipes-support/gd/gd/Fix-290-TGA-RLE-decoding-is-broken.patch b/meta-oe/recipes-support/gd/gd/Fix-290-TGA-RLE-decoding-is-broken.patch
new file mode 100644
index 0000000000..64f5c62964
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/Fix-290-TGA-RLE-decoding-is-broken.patch
@@ -0,0 +1,359 @@
+From 4f8e26f2a40ffaa3a5b77be6a49989a1a42e2b83 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 16 Aug 2016 14:27:23 +0200
+Subject: [PATCH] Fix #290: TGA RLE decoding is broken
+
+We make it work only, for now. Actually, it doesn't make sense that
+`oTga::bitmap` is an `int *` as we're storing only bytes there. If this
+will be changed, we can even get rid of the `conversion_buffer` in
+`read_image_tga` altogether, and read the image data into the
+`decompression_buffer` (if RLE'd) or the `tga->bitmap` (if uncompressed)
+directly.
+
+Upstream-Status: Backport
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/gd_tga.c                   |  18 ++++++++++--------
+ tests/tga/CMakeLists.txt       |   1 +
+ tests/tga/Makemodule.am        |   8 ++++++--
+ tests/tga/tga_read.c           |  40 ++++++++++++++++++++++++++++++++++++++++
+ tests/tga/tga_read_rgb.png     | Bin 0 -> 2349 bytes
+ tests/tga/tga_read_rgb.tga     | Bin 0 -> 90444 bytes
+ tests/tga/tga_read_rgb_rle.tga | Bin 0 -> 9987 bytes
+ 7 files changed, 57 insertions(+), 10 deletions(-)
+ create mode 100644 tests/tga/tga_read.c
+ create mode 100644 tests/tga/tga_read_rgb.png
+ create mode 100644 tests/tga/tga_read_rgb.tga
+ create mode 100644 tests/tga/tga_read_rgb_rle.tga
+
+diff --git a/src/gd_tga.c b/src/gd_tga.c
+index ec6781f..8737b04 100644
+--- a/src/gd_tga.c
++++ b/src/gd_tga.c
+@@ -207,12 +207,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ {
+ 	int pixel_block_size = (tga->bits / 8);
+ 	int image_block_size = (tga->width * tga->height) * pixel_block_size;
+-	uint8_t* decompression_buffer = NULL;
++	int* decompression_buffer = NULL;
+ 	unsigned char* conversion_buffer = NULL;
+ 	int buffer_caret = 0;
+ 	int bitmap_caret = 0;
+ 	int i = 0;
+ 	int encoded_pixels;
++	int rle_size;
+ 
+ 	if(overflow2(tga->width, tga->height)) {
+ 		return -1;
+@@ -266,7 +267,7 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 		/*! \brief Read in RLE compressed RGB TGA
+ 		 *  Chunk load the pixel data from an RLE compressed RGB type TGA.
+ 		 */
+-		decompression_buffer = (uint8_t*) gdMalloc(image_block_size * sizeof(uint8_t));
++		decompression_buffer = (int*) gdMalloc(image_block_size * sizeof(int));
+ 		if (decompression_buffer == NULL) {
+ 			return -1;
+ 		}
+@@ -277,7 +278,8 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 			return -1;
+ 		}
+ 
+-		if (gdGetBuf(conversion_buffer, image_block_size, ctx) != image_block_size) {
++		rle_size = gdGetBuf(conversion_buffer, image_block_size, ctx);
++		if (rle_size <= 0) {
+ 			gdFree(conversion_buffer);
+ 			gdFree(decompression_buffer);
+ 			return -1;
+@@ -285,7 +287,7 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 
+ 		buffer_caret = 0;
+ 
+-		while( buffer_caret < image_block_size) {
++		while( buffer_caret < rle_size) {
+ 			decompression_buffer[buffer_caret] = (int)conversion_buffer[buffer_caret];
+ 			buffer_caret++;
+ 		}
+@@ -298,14 +300,14 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 				encoded_pixels = ( ( decompression_buffer[ buffer_caret ] & ~TGA_RLE_FLAG ) + 1 );
+ 				buffer_caret++;
+ 
+-				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
++				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) {
+ 					gdFree( decompression_buffer );
+ 					gdFree( conversion_buffer );
+ 					return -1;
+ 				}
+ 
+ 				for (i = 0; i < encoded_pixels; i++) {
+-					memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size);
++					memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, pixel_block_size * sizeof(int));
+ 					bitmap_caret += pixel_block_size;
+ 				}
+ 				buffer_caret += pixel_block_size;
+@@ -314,13 +316,13 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga )
+ 				encoded_pixels = decompression_buffer[ buffer_caret ] + 1;
+ 				buffer_caret++;
+ 
+-				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) >= image_block_size) {
++				if ((bitmap_caret + (encoded_pixels * pixel_block_size)) > image_block_size) {
+ 					gdFree( decompression_buffer );
+ 					gdFree( conversion_buffer );
+ 					return -1;
+ 				}
+ 
+-				memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size);
++				memcpy(tga->bitmap + bitmap_caret, decompression_buffer + buffer_caret, encoded_pixels * pixel_block_size * sizeof(int));
+ 				bitmap_caret += (encoded_pixels * pixel_block_size);
+ 				buffer_caret += (encoded_pixels * pixel_block_size);
+ 			}
+diff --git a/tests/tga/CMakeLists.txt b/tests/tga/CMakeLists.txt
+index c3a589c..789fb14 100644
+--- a/tests/tga/CMakeLists.txt
++++ b/tests/tga/CMakeLists.txt
+@@ -5,6 +5,7 @@ LIST(APPEND TESTS_FILES
+ 	bug00247a
+ 	bug00248
+ 	bug00248a
++	tga_read
+ )
+ 
+ ADD_GD_TESTS()
+diff --git a/tests/tga/Makemodule.am b/tests/tga/Makemodule.am
+index dff828f..a1e6af6 100644
+--- a/tests/tga/Makemodule.am
++++ b/tests/tga/Makemodule.am
+@@ -4,7 +4,8 @@ libgd_test_programs += \
+ 	tga/bug00247a \
+ 	tga/bug00248 \
+ 	tga/bug00248a \
+-	tga/tga_null
++	tga/tga_null \
++	tga/tga_read
+ 
+ EXTRA_DIST += \
+ 	tga/CMakeLists.txt \
+@@ -12,4 +13,7 @@ EXTRA_DIST += \
+ 	tga/bug00247.tga \
+ 	tga/bug00247a.tga \
+ 	tga/bug00248.tga \
+-	tga/bug00248a.tga
++	tga/bug00248a.tga \
++	tga/tga_read_rgb.png \
++	tga/tga_read_rgb.tga \
++	tga/tga_read_rgb_rle.tga
+diff --git a/tests/tga/tga_read.c b/tests/tga/tga_read.c
+new file mode 100644
+index 0000000..310b72f
+--- /dev/null
++++ b/tests/tga/tga_read.c
+@@ -0,0 +1,40 @@
++/**
++ * Basic test case for reading TGA files.
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++static void assert_equals(char *exp, char *orig);
++
++
++int main()
++{
++    assert_equals("tga_read_rgb.png", "tga_read_rgb.tga");
++    assert_equals("tga_read_rgb.png", "tga_read_rgb_rle.tga");
++
++    return gdNumFailures();
++}
++
++
++static void assert_equals(char *exp, char *orig)
++{
++    gdImagePtr im;
++    FILE *fp;
++    char *filename;
++
++    fp = gdTestFileOpen2("tga", orig);
++    gdTestAssertMsg(fp != NULL, "can't open %s", orig);
++
++    im = gdImageCreateFromTga(fp);
++    gdTestAssertMsg(im != NULL, "can't read %s", orig);
++    fclose(fp);
++
++    filename = gdTestFilePath2("tga", exp);
++    gdAssertImageEqualsToFile(filename, im);
++    gdFree(filename);
++
++    gdImageDestroy(im);
++}
+diff --git a/tests/tga/tga_read_rgb.png b/tests/tga/tga_read_rgb.png
+new file mode 100644
+index 0000000000000000000000000000000000000000..bc468e3d927eaeb77d2f5c3bc35b970457f60f18
+GIT binary patch
+literal 2349
+zcmZ`*c{tSX7XOaO7-6K6b&RD_MnXy$nHe#bsVG~TvfZ*vO?Jle8%ar+AySDfStFGh
+zG#*)pL0RUPJ(FedBaE?x-*o@D_deZwpZ7WMdCuo~-t)faoX_)~lW+lNCI*p(001C{
+zHOJWSbt_+Pfp_!w<m@>WzS`|-X@&uIeytaE1*v>QB*5J9HUNl9{Spw6`Sc(k6uyJC
+zHWeNNLm|3~tCo{U002|57?VrEU+1$sy;a&|;-kbZl`6E_C%>gqbDtC=57F3fUD$)k
+zSG5DTL6#NnU=7wGcCw|<f|{rZi)5q<cVW*NQPQCY0xPU0_nGG#D?wR37BO^o^261%
+z+}quQI_1ZP=gTNp-n|;#)z~^;78o=e@tRYrS#8Jc>M{W*OdYEgjJp6u9Rb7l#X%t`
+zun;^h28uEP=P3Px?|rNGF#17D%A(CJ_ar|?n^0nq!~w+Wg23867ryn!Zlb|~&7A~z
+zqkP=IPyLrOM?58>2rEq=&{*9OMU!HNWJkg`(`y(=2{WLg392OTDyiM2$iCLcv5LCG
+zjWwRq46Da$pV|V^4Gvs36k1dWF^V4c8j%3~jN{*0*$phpF|-#zi@;k@t-s?cqW&sd
+zPh{x~@zm`!5V23*L&Qb=_elN~nEEqQhrhNZiRU#|qjK>6ptaYgj*sAcuS+t-7X5aB
+zUI5f*aL0Dut+y0vde?tg7QMa^0`(plvuD^Q>)J(abQY>@6P_*YY;XJ54VC^_f7F2x
+z21ee^35}!<L@bW?<-JgJ-%sahFv68xPXghCl|CsCc-P-A{`kl_3By}Mq}YnYYmSt4
+z8h8mx?<zBgq9CzV4*#zR8t}x5Or8!9Rn6LgajJ!B)ebxEtrwC@*p4M@D51#?OEY}<
+zqJHu+sCRU2YXNxiq(DP@*(Ui?Jz;IQ@O$Lbf}e8Nwij*L&iUd$N4-Ykfp$vDx#uv?
+z#_eULpAbPvN<tVA>Ek##rQDAOW+@)2?%}XiiSi^ted1PQu{v0&?bA^r%z?7*An3_H
+zvYFv8{p8fsCguNR$#3=6O{^H&8kT9N92CeaRAj3Y_cNl-znY8JZ{MpO#OK}A<_w9J
+zWMI2Kl?xv|S-FTV(aUG_`UWTZOFJGgv2)>JR#*H2Uad(wyqbIZt?w|Dw|k<eY&&9F
+zcr!zDg7=#H^=^MC+W02GN{78K=4Kuq90c@$7f$7+h)^YFm}-?3cEdU+Ivh5RC<+Yy
+zOz(7r<tT|Z34S@glz^9lpp@OstDBGA(iwk<LQ#r@i_)^MV*Re3^qB#j7N}4etZfK>
+zt6<wtj&M2(TLgTh3AH(}4;f4j=<Iu^axvT0!8B)K0O!7g?WnhIyGH5@EtT77&?E{6
+zB5<#{PWJOxQkF}LskzI@;(qVCjE%v-h|S8;`k#h^W5wR-cadW2H2Mk+7QZhqSRd!M
+zcQ8fpx~O^(^O#2gXiWDX&u@lZT#qjPG~Xh0UobVq#~Lumf!%S9`Jhf%MH?4Re5-17
+z7BP>D>=sy59jEGoeEx_W13BnmhAs?*j6#bG1a@#16O~1>q+P2@%QN~``Ws7=WX;F9
+z`=p5I$1ig*G|iW8vslr2^8hj+A0HWDoT-@fn5I53ZWWp!r8fMghmpjdqC%E#%2HFI
+zY&A(g!Li3+$<B^y8^Hw5!sXd&k%Ev!a;~aB#joj1?2ntu9|!GAFUwyc0oe_~y<}?E
+zUh@HUbCI(x2W1rmg7ckzRL2Ew#cdujut+*-t0g)81Tu+3ZH4uP`r1d1kSooU@5ybL
+zR5_J%A5sbak)KrSf>(r|V*&yCb;Ha(&ACi9w;?kQ7q1$hwjli^);+KIJAh|K&YL#E
+z+b(`PZN>V_5?v`hu-U429K9fO%8*k8pE=jDkn5ZJK|Vgl*@&QE^;mwlCxWbq4(hyi
+zUuz)bk@5^HOk@gB`SaWZfX07Eom07js%np8Xot&?YP8R+3|jrR4c#zO{LO<?^G84O
+zoP}G`MK)LZDo_$#nWR09X>NY_mL~1^BUG})*4b;Z_zq+`Q@kzUHC&`trCiQYum;1?
+zBic+0Bl>LLYU?>!B3k!Ils}uXR*`OEr3`f<P@HZFk`0fP5`^X=BOtC?@!vUq7B4OF
+zZEw6+3eoFRE@xEw(%DfIybhJuo03Du2ldm$20Sn3hj15Lu&gPQp=N%r%hME$*j{^@
+zRTffQhH7JLB-70qVkSm$9Zt`mahHLT7O^JnNqAAJs0C^n+1uj_E-}S^?&_U=H?;D_
+z1U9UJAz|+7z|Yq(6${A~5fhc}hH5twnKukf#Dn_JnQ$J4-Z$d}*Trq>?aKr2p19c6
+zYJ}r+^s>6aD~mrp;oIUhlig4sM)Jg3=J{K;dp#BCzRu1sU3D1wJl{jA^Y#ShVT+|^
+zUyjiM&wD~v3zy}K!zWm%3cpu#(*)cmxw1+n+C7V|hcZ6h8CZLubXt&J)h$6yflV6>
+zOVv_gDb*glO9FLL8x6bqM6(F#pGhGy+jjOyt9-daMWGrJKF{XvnT#^TeYaq2MG)qw
+zJ=RV;Mwg*goOa?(wM=EH<#AS$egRj*wnm+Bu4Pb{$-O}GZSiuT1UdBDwv2Rz)b3+L
+zRA=nkaWHB7I$T~B%;KynnS0b@3YpKqt$2;qzwLf>DZ4RFCQB!=QQ`Ft&y_PThuDsA
+zckawmbFnA9Tl7+Ez%a)>>T+Nh@8UxzrZP`<pHEXVd#|2v=f_b#A@|oAzbk6Q_>|O)
+zgw?Xli!)-)xrF2z=thH-TI;|>UVYK64@asT%484CF-pjk+~~wA+Z%fZYua+sDJ<Nf
+zfO`bfl}ig_0&C7BCuBa)xZ?-mQO=bQ2N5;>Sw}~|(tM}hK+z>+^8QQhOsTxl+2AJ+
+zX8WjlS|;0WRv7s_Bk=@u$v3GL@qC?&jcNEv<o68kaz!pHOs@;#CSh|{!j&zrsfn8j
+z6|o#^6C2NO9!G&u;Q0U5hkpCs|2Z3I$nNY~x}Tl<rOB|1KiB|RQyiuYbv@>9Cook&
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/tga/tga_read_rgb.tga b/tests/tga/tga_read_rgb.tga
+new file mode 100644
+index 0000000000000000000000000000000000000000..5f11f5a080f3424dff6ff368db6af140a5777e23
+GIT binary patch
+literal 90444
+zcmeI4Kab?b5yc6Af(;c(13`fU*%&xb;tQC_*aPhI`Y#kR+DO4FyO7x>23DD|fPu*!
+zc$3RVz$FeASlIpmlR7c>{0XS{cwI!Xhn!*0&G0z9w?L_y)m6=&?%yLhCt|YfC)vBd
+z@3Mbp-(`!RR#lbBv<6~842S_SAO^&M7!U(uKn#chF(3xSfEW-1Vn7Ut0Wly3#DEwO
+z17bi7hygJm2E>3E5CdYM&A?}$ex4m_TFdrYYCYz+9zh#Fz&|9|x2zKn^W#B#+TPQk
+zkGJqug1wSH+UqE;=D8ly$2|8{dOgm*N*~8rNAWn%b(B8lxv$dearRaEIL<nX$9b-!
+z^fAwUm0pjtuhPeH)=@mpa~-9RdG4$9dYpZgK8~}F;&GnqD1FRxU!~XM?5p%~oOKkB
+z^IXTEkMH5{66|-Z6BF}fVs88T*I)i3JJhoOSJ|O9w{_I#nWx?l)duSh)duUtlh$At
+z17Cjm-|T(t=^t5ksQGyXeY}RR66}rB$6N4TCD<$JL)!2RcC~{xmhcaW#u{p)fITEy
+zttmer=|ik~9;VU``gjIkB^qnU`Ab-pXwrv%OZ+UJZKV%gx2JNgp5i>D59woyTux<9
+z(uedh6&9yB59vetm?D=`nUnM(eN2VLDb7RskUpl!<y7V*eMlcuVR4G{kUpf3DRMcL
+zIY}SV$5dFH;yfm%k4wB~a-Co=-1}Dr-lw`wu&?y~m97o@G#T{q3H)`Uv4-!7EMeD)
+zw)K9=Z~mTThuUAV|7C~TzV%W6$E~45nY6k?xn!MZFO2s+{6m8MjdfuTKfpgE*thW<
+z{Cw2@xOHLsAGrJk{yNcELpGPN>qM)WwmHy;dAx?N66{Tw1IK#{s}k%La$6ep^HE#+
+za9lo1VAA+y4Y_=oz@+gjedzt&v$!^qahUWWUeAKpvG42Bhn^$GX6~HMCw)jC=fvyS
+zbCo`%kFl9Mr}If4(#JXRI`&+p59woU=FaJS(ueeMPP~piSLs9g7@N6sI-m3*eVh}o
+zW6yPB`q2AV`u~)Z`u~(cA78-VB^qn^p2#KaF44B$FA47vAM{(Ncz3vdANUYI_Vq~T
+zJFok7_+8Hr{@dw6AD4;m*uMzx*i#=x;yd<VQBUIaym%dZzk)u#fWJ#L*6_E}FJX6y
+zR{!R@|ExhDui;aE=k$%!$6N58@;j%mqz`GsGuYJ*`gjJP^1JEGWequh2}}9ibmmGQ
+z`krwX_ipJ!*U+x(reg27kUpdjX`!D1>7##b#EsTQ`Va%U4)il1ee|!5xY623A7Vh)
+zfqn+0kN&k0H(DF%Lk#FT(9eMM(Z4q0Mr$K|hyh&(`Wcv*KJ@;s-aDDpdnZ93Q+a<^
+z`j9>*rH}Wyw|@5N=h^$%`<z>~{m%qin`x{~&_)6OkZ858w2#x+NA1ID_95uwC47}=
+zz52*T_`_V+ZoXxF%76dsKew<oecZR}82QUk$J(XkqFq?rVsrM=+dI91F>*dfeUR^p
+zOs8;+{5;gLHn&=|ON(1<&R+VEKDzjZ2Kw$F(#J>m?+&_ubg5)Jru)Zfp6{oApOQYd
+zwa^ujKBNz5CFMK%pzr4xvxIHj*iUG$U^$H6v1y&(p%Guen9G_f*dx5vTC9wj2G56n
+z|5yYq@Of%s<Hq`6AI$y@fakh_U0A;Ni03elS1=yhthu+C<>UB*F_<5lxjeqIJnut3
+z$IoG`U%^;I&v~(rw(xbnjlQMNoBDNqtoebp40e+5=NOml8^f{p%x`^%M%@zTb9U92
+zey`caUXzcCKJMFfjC?Z2I$CbIXp=9ClcgtjY;nf67)H!$*JzV-%cp;I=eWXg*SM{G
+z<g|2%V~)!lp64;Nt>)excV35he&noN-o;q_P5nGz@Fe=cxFsxRdfmf(i(%wkbmVOi
+z<GmvulgFhoW*&QO%(TX~{yvYo+;Ngy9%9Bgxif~z9^;-Z_AjlDKIHhib%?RP2szXo
+zb1ZKaayY(coc$}-*dLD9FsrNkam>0$*aBw#8>@*ua-LwUy=ULlxgBeMVC(4mz?d=L
+z_l$AfL*EMCbKYVYeX+I**76U1IV`@fly#^3k7J@WwoB=3qAm}dkd@q$&?aw;nHAPY
+zkGSW%b<U`^)n{WM$234rTl(r4|H<k?-x@VGuhRF0{=)U=9sRs-S^X9J$Kr45=K*VE
+z?x@dK7_WdC|75w=hTj*&HZG^d4C4MiQTjTz(eKCSdA4$}-^NU9?0BsB7<EJRv5M<>
+zjM~z1wy>NiUh`*t=0grOa$~XBqwf(`bL{&Nv(L)Dt+i$hM%}T0Ywn2gyzFaqH+62u
+znjhFYg+6XEuIZ!mnU_qvoEF0_&M_9A1#2Vj?;)kd&10{Pnbz3W-{(;`L?3xqJ!<_u
+zq|pK5ox157qc4Ur$oM{eY<ASIP~Xx3bHlid(;DrJ#oyG=1J0<AOW0kav99wzjQAR6
+z`Y5~h4E?#wX&8>;RaY%z$lG}i?DabAc{6t3SU!%Lz54L^aXXxotd-Wsw#6;B%OjUM
+zD?;50zR?BR9J{qHINtkNk>fv?*DlXfkI5XH*VMTkYkuIY=KN6KHP49M!q(h-<VYWW
+zLC^-DH?WQ4)wtdAz7+ZEP_y$|;Kr`MgL4d5yYXXo?W<x{=lvjcT_Syye%-B&oGX~!
+zW14-9bW>S=?Dw6+?RztJJVw_s>il&!w;aSvSk0-$y1eBu-};Bt`kXMv2A<sC!l)bG
+zQ%nb~b#d{XpA~t{XF&S`wt&^23BL6loVw@AAFds+>%V`jj1%vpoYuag&vZk-^mW!o
+z{6l{K=$sQ6J4jooBdbp^vdU+vg?&!%Lto8v6gS<p*3sv%&2eF-hXQTt&W>B3NxTo|
+zJ$0?XuD>^IF^>ND-+x>CivCBKX=F=Z==0BJ%qu%s7{p9R-CoAQ)Ykbp4&p1v+l7tI
+ze2ZJmd-QdlGs;=m81zx!;LnQM`!EhYwMczD`tjIK-E-v+*Av$l%x)axyw+1Q)CIlg
+zpM1yqC=fG!(BE)O{-I56_<INY%evG32YWu48COQeJ6T1%gpnoM6RdT;#c>h(*uRR#
+zY-)Yn+8oQ(mKHZ3`i<p!4%SDH{&lEtt)tJeHuC&D>#-1P*4OgH`*7Y<*NSTlW~l?u
+z_^$TWzM?kP5H+#s8MCx~HSd@q%j9RD)x0AwhZ#4y8?Rv;{hN@pf@l0b9J7w+TUZ@E
+zj+<H^_ig0Zm>gprYP!Z|KdsSc$gk`Cn0;;JbB;C+{UXjy-E-v+*ORR^SdQ-lUL&6M
+zE`2O_=z-(-dq`>LH1C-49PDc6tVLb!*r{V7-Y|}SUhiYZIQE8p%=dqYHMKtO+pL3i
+zjmdEt=NMNo`wWHEBeo9lt#z~<?~%K5<8;=D_u;&!u9e>laJ+!s!q&m=;i;P(W_sz|
+zBlPomtc10+gk#qFF$;fAwz2;Oj7$x+MW|c2nmQKZxy4=HEn;Mob_2U$U;Kx7t2XYp
+zW90GN9LL7I568{8;kbmqa&-lc87nNd%d-|%1?#Ly-E-v+*Av(!|E7m#AN`)8pWK^1
+zntzY?IclF~1)z(S(?_E{e>U+xocGkVirDA1zqJQA=ChN3KDzOHqxR`m0J^w<*>l{g
+z?@XzCuKeM83jEu>fu366a~1CyYgpX3=-Vg7kFx^M1fQvL7@yhf*{XNl#rtsHQ`d?+
+z3Jt6x9e7RncENo8opuGF3A<;QHd_C`JU)Bso-2R2o@}k54}K5X^yq~5lcnX#pLPYH
+z5BttRos|2|Cf<khp1M}?+Cv8mSnjO#eI(A;@rPf5)IC@J>GY(v)!K>yF(3xSfEW-1
+zVn7Ut0Wly3#DEwO17bi7hygJm2E>3E5CdXB42S_SAO^&M7!U(uKn#chF(3xSfEW-1
+pVn7Ut0Wly3rpJK2`Txh?|LN;LKmWt?-@f?SH@|xR>#u*F{Rp+*(8>S+
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/tga/tga_read_rgb_rle.tga b/tests/tga/tga_read_rgb_rle.tga
+new file mode 100644
+index 0000000000000000000000000000000000000000..ce845ad0c3da65205af25854d64568b1cf0921e3
+GIT binary patch
+literal 9987
+zcmeI2J!~9R5Xbk<L5NgWrh*l6K@rf2A`LFK334O|$EPT_a+TuJx!kjzIGiJ2I<P>x
+ziiRRbk%9(oq!dtCIspYA&6UugGcC>X|IOQdZ+$+;#>5ek&eFVnJ3DVa{%>aX?a5Je
+zF>-%5qwk}eQT$4wzvw%Lr!o5$L%T1%_;U0&GrMhYD|*=1u+QBMI7bBz5GWAXUI?5o
+z4)=h152)YuP~W$``}B?1quuDQ!tKvI-d*GdmoNVj?N0AU(FV5-mWdwpH55x49>GD6
+z=%BBmXlU4mV>@qJ8fX!<cQoubnZc3TbVtK}?@1Y0!9an5mD0dE28xA&sM>=CL?@={
+z0-|RLqE&j)8olUxtrw;AqBVNamHEBs60Ks5R&l9p6>VC@T4)u!Z+{g<yLY2MYn^Q1
+zd9ELFE4tU$u)n0?3plJ1J?v}PZ)msyr`8V<5?$KSu-0S-M?&o#4QoBb4;grXfdT`M
+zN=c*-Fi>D%n-xb5tYDzPz)HDn9RtO}K-2&bfLTDa$ReF=%5-@43+;@(Xqh_Lqg5;e
+zg}THltzs{<ie37oodrXq8PIa=9O>E>BBIs4hP5RP*Wqxy6Qz9`Y(v8pI6+HwtX$ra
+zy1k}`<+7Ep?x=h3^=RRT3_QR<fq_Rg0|yu=Ft9z}zzPNm46Kv})-g~l4EUq{0-{A0
+z@uf#ui57)+Y^yj$Kb#Ty+&-!K64#`N?AC_rx07^75BGbIkyuBfFo`X6d}cobiI>AG
+z_yH!{gxCD>ho1(boNM2tG;8-@MK-H=sqwzy_Dk<p<<Y;ghphqw-d=+40((iXvX>d}
+zeC*AO?;PyiJI7egrh5aA*tASEv0P|sHWdv;37nkl7;GWQvslElsh1w>E)mVkrK5Wr
+zvyT~j8_(=*6BF=71Iw<4W?fOstUs?=BFaQ*Da#xiBX|}K8QkJdG}zFPqlKLAcr83*
+zWg<d$C_)R@Zt(9GMk4VnKb+4e=emmuJZ@>Q+HzQdV{TOj;%(7%jzp+KJSs$|sS9Fk
+zi>8|_;%+MHn6)L%h}LxJYN%Lsjm=l2JEG}rgt!}vT81WTD?iXN22oo(>Q%FW$7$$!
+zt&?$T0IopDHZ|A}nmLfzok8W3vju;nlA35T-r~-!Mh%-@xp^A6E=V4LfMg^hw4o2J
+zZI)js`N&kV*g%#wDTZ~m<nWLi1ePizuWxAjE=soYvC=mb&tTOxu05X^q<~*Zj<9wL
+zP=$-ZWz~5>cOy6~E}sky$N;c`=y|Ej2+1ZQ2f9i4w?h@e2{8NMT~!94nB@itGuLH}
+zXVpo_fLn+Ny=`_6ub%qVxz9IOHOQr&m-w|E<2CfOb2=CaIW-6=RoY?8DbvigNhHcJ
+zG#i_20Ls>TP|sG<1T!>Hm<6C_+a^z4YoiJ>5de05QI0M6IheVSK%5>}CEC#MwBHBI
+ziIa1Wpa&iZ_r@?tJkJ5<afw}YS{54Q*|ADIR<0rq7ju0Ezq{lB$w1gObbznQZdZVC
+zC{fEsk6_CHMd|PuWL7zD?Gbil$1PB(y&Zkn_I|ZCmODo!ml!;5_YN=f8&f%XLJ69i
+zw+YreoXy~Iho>|{-W{nZBP!8&Q$t}P*I~(hRwZ6%$Lp+>-V88<W1vX?KTsG@4Mp7*
+zP43JO--G~U!gJBc0<A+dG0?19zUEwf+}?LWRX6~j_TKxg%r*$-xiTt}Yajv!vcmP)
+zqnTh(gvtWBmMHdlF_;5HXb)v)Q_z7o(;nJBIi5s&D7DGOkh+Oa-OSuJgOmf2R1I-V
+zRL&L6j_DV<hr<B?9Mn_S!{H7Uhx4N2TcLZ}5FFv{ZJA>rG8_ARaUB|->lMt--ZnEI
+zTJ7{U4;S{j2Ay9PTlySLkZpPkSyjD9xB@11Gqz?H&}bm6INZyXa|<usjtD%sjy+Z`
+zO^{AKuWKHIUn2Ss=N8*9c5f<jyF%cp-^Zcb5%Fp{gGhMmxXnNb1>}y*$KYeSt=BT^
+z9)n8f69who6DC3I4i6#*smWsw#8aACPLFDXvaYploY`rTzv^v6%`=fZ=~tM<Gx7U2
+zGVu^u%W!94&zt&L+f3G5W^S(`9GhA$F^gxQaDFP%)PFP84q_$@7HzQb60>~+#d%*t
+zf%)V_G>Dlk3}01X6V9YA0}KH#x+MuyPXYm7$4BlC*YhI}#g|)Uh0-v*i7ggcv&@^C
+zjYO%ac80KpJfmhZkwXX$pH_*;t&cQIT_(xF6ht!Iic3UdT(%7ihfT|wtXWA&V1Sf;
+zU3WEU`G(*m{rfc5Lu-SUf;0gW_gTQ5!wKEEk(Qj)=S2;}8FVa^9uYEg=U`?TJS&;e
+zZ|IGrGhpnT4H$<N0L>R>%fn7eg+%K9in1ezX3K%Y`r6i<mRK!fyE0L3T&%#2e?}WI
+zcSMQE6&v2hGddfHYR&MD28%5H1s1ZQZU%;X@Wf!oTq<&1f;-%4`%tL#0yUz{`gTy@
+x8%~Vp2_Ce5$E=Cyg!2^tf$X%_aF4$a-uv+CN7vrJ_RjTJKYsJtTUTF;{sH~|7$pDz
+
+literal 0
+HcmV?d00001
+
+-- 
+2.10.2
+
diff --git a/meta-oe/recipes-support/gd/gd_2.2.3.bb b/meta-oe/recipes-support/gd/gd_2.2.3.bb
index 4e21d532d5..562170694c 100644
--- a/meta-oe/recipes-support/gd/gd_2.2.3.bb
+++ b/meta-oe/recipes-support/gd/gd_2.2.3.bb
@@ -16,7 +16,11 @@ SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
            file://fix-gcc-unused-functions.patch \
            file://CVE-2016-10166.patch \
            file://CVE-2016-10167.patch \
-           file://CVE-2016-10168.patch"
+           file://CVE-2016-10168.patch \
+           file://.gitignore-the-new-test-case.patch \
+           file://Fix-290-TGA-RLE-decoding-is-broken.patch;apply=no \
+           file://CVE-2016-6906-1.patch;apply=no \
+           file://CVE-2016-6906-2.patch;apply=no"
 
 SRCREV = "46ceef5970bf3a847ff61d1bdde7501d66c11d0c"
 
@@ -35,6 +39,19 @@ EXTRA_OECONF += " --disable-rpath \
 
 EXTRA_OEMAKE = 'LDFLAGS="${LDFLAGS}"'
 
+do_git_apply () {
+       cd ${S}
+       if [ ! -f tests/tga/tga_read_rgb.png ]; then
+               git apply ${S}/../Fix-290-TGA-RLE-decoding-is-broken.patch
+               git apply ${S}/../CVE-2016-6906-1.patch
+               git apply ${S}/../CVE-2016-6906-2.patch
+       fi
+}
+
+do_patch_append() {
+    bb.build.exec_func('do_git_apply', d)
+}
+
 do_install_append() {
     # cleanup buildpaths from gdlib.pc
     sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/gdlib.pc