M gnu-system.am => gnu-system.am +10 -1
@@ 536,9 536,18 @@ dist_patch_DATA = \
gnu/packages/patches/libtheora-config-guess.patch \
gnu/packages/patches/libtool-skip-tests2.patch \
gnu/packages/patches/libssh-CVE-2014-0017.patch \
+ gnu/packages/patches/libwmf-CAN-2004-0941.patch \
gnu/packages/patches/libwmf-CVE-2006-3376.patch \
+ gnu/packages/patches/libwmf-CVE-2007-0455.patch \
+ gnu/packages/patches/libwmf-CVE-2007-2756.patch \
+ gnu/packages/patches/libwmf-CVE-2007-3472.patch \
+ gnu/packages/patches/libwmf-CVE-2007-3473.patch \
+ gnu/packages/patches/libwmf-CVE-2007-3477.patch \
gnu/packages/patches/libwmf-CVE-2009-1364.patch \
- gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch \
+ gnu/packages/patches/libwmf-CVE-2009-3546.patch \
+ gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
+ gnu/packages/patches/libwmf-CVE-2015-4695.patch \
+ gnu/packages/patches/libwmf-CVE-2015-4696.patch \
gnu/packages/patches/lirc-localstatedir.patch \
gnu/packages/patches/libpthread-glibc-preparation.patch \
gnu/packages/patches/lm-sensors-hwmon-attrs.patch \
M gnu/packages/image.scm => gnu/packages/image.scm +11 -2
@@ 148,9 148,18 @@ collection of tools for doing simple manipulations of TIFF images.")
(sha256
(base32 "1y3wba4q8pl7kr51212jwrsz1x6nslsx1gsjml1x0i8549lmqd2v"))
(patches
- (map search-patch '("libwmf-CVE-2006-3376.patch"
+ (map search-patch '("libwmf-CAN-2004-0941.patch"
+ "libwmf-CVE-2006-3376.patch"
+ "libwmf-CVE-2007-0455.patch"
+ "libwmf-CVE-2007-2756.patch"
+ "libwmf-CVE-2007-3472.patch"
+ "libwmf-CVE-2007-3473.patch"
+ "libwmf-CVE-2007-3477.patch"
"libwmf-CVE-2009-1364.patch"
- "libwmf-CVE-2015-0848+4588+4695+4696.patch")))))
+ "libwmf-CVE-2009-3546.patch"
+ "libwmf-CVE-2015-0848+CVE-2015-4588.patch"
+ "libwmf-CVE-2015-4695.patch"
+ "libwmf-CVE-2015-4696.patch")))))
(build-system gnu-build-system)
(inputs
A gnu/packages/patches/libwmf-CAN-2004-0941.patch => gnu/packages/patches/libwmf-CAN-2004-0941.patch +21 -0
@@ 0,0 1,21 @@
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CAN-2004-0941.patch
+
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824 -0500
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960 -0500
+@@ -188,6 +188,14 @@
+
+ png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
++ if (overflow2(sizeof (int), width))
++ {
++ return NULL;
++ }
++ if (overflow2(sizeof (int) * width, height))
++ {
++ return NULL;
++ }
+ if ((color_type == PNG_COLOR_TYPE_RGB) ||
+ (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+ {
A gnu/packages/patches/libwmf-CVE-2007-0455.patch => gnu/packages/patches/libwmf-CVE-2007-0455.patch +15 -0
@@ 0,0 1,15 @@
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-0455.patch
+
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ {
+ ch = c & 0xFF; /* don't extend sign */
+ }
+- next++;
++ if (*next) next++;
+ }
+ else
+ {
A gnu/packages/patches/libwmf-CVE-2007-2756.patch => gnu/packages/patches/libwmf-CVE-2007-2756.patch +20 -0
@@ 0,0 1,20 @@
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-2756.patch
+
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000 1.21.2.1
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ png_bytep data, png_size_t length)
+ {
+- gdGetBuf (data, length, (gdIOCtx *)
+- png_get_io_ptr (png_ptr));
++ int check;
++ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++ if (check != length) {
++ png_error(png_ptr, "Read Error: truncated data");
++ }
+ }
+
+ static void
A gnu/packages/patches/libwmf-CVE-2007-3472.patch => gnu/packages/patches/libwmf-CVE-2007-3472.patch +63 -0
@@ 0,0 1,63 @@
+Based on a patch from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3472.patch
+
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+ gdImagePtr im;
+ unsigned long cpa_size;
+
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (int *), sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof(int), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ if (im == 0) return 0;
+ memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+
+@@ -94,3 +95,18 @@
+ {
+ free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++ if(a < 0 || b < 0) {
++ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++ return 1;
++ }
++ if(b == 0)
++ return 0;
++ if(a > INT_MAX / b) {
++ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++ return 1;
++ }
++ return 0;
++}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000
+@@ -15,4 +15,6 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */
A gnu/packages/patches/libwmf-CVE-2007-3473.patch => gnu/packages/patches/libwmf-CVE-2007-3473.patch +17 -0
@@ 0,0 1,17 @@
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3473.patch
+
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+ }
+ bytes = (w * h / 8) + 1;
+ im = gdImageCreate (w, h);
++ if (!im) {
++ return 0;
++ }
++
+ gdImageColorAllocate (im, 255, 255, 255);
+ gdImageColorAllocate (im, 0, 0, 0);
+ x = 0;
A gnu/packages/patches/libwmf-CVE-2007-3477.patch => gnu/packages/patches/libwmf-CVE-2007-3477.patch +42 -0
@@ 0,0 1,42 @@
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3477.patch
+
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+ int w2, h2;
+ w2 = w / 2;
+ h2 = h / 2;
+- while (e < s)
+- {
+- e += 360;
+- }
++
++ if ((s % 360) == (e % 360)) {
++ s = 0; e = 360;
++ } else {
++ if (s > 360) {
++ s = s % 360;
++ }
++
++ if (e > 360) {
++ e = e % 360;
++ }
++
++ while (s < 0) {
++ s += 360;
++ }
++
++ while (e < s) {
++ e += 360;
++ }
++
++ if (s == e) {
++ s = 0; e = 360;
++ }
++ }
++
+ for (i = s; (i <= e); i++)
+ {
+ int x, y;
A gnu/packages/patches/libwmf-CVE-2009-3546.patch => gnu/packages/patches/libwmf-CVE-2009-3546.patch +17 -0
@@ 0,0 1,17 @@
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2009-3546.patch
+
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000 +0000
+@@ -42,6 +42,10 @@
+ {
+ goto fail1;
+ }
++ if (&im->colorsTotal > gdMaxColors)
++ {
++ goto fail1;
++ }
+ }
+ /* Int to accommodate truecolor single-color transparency */
+ if (!gdGetInt (&im->transparent, in))
R gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch => gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch +23 -90
@@ 1,88 1,10 @@
-Fix CVE-2015-0848, CVE-2015-4588, CVE-2015-4695, and CVE-2015-4696.
-Copied from Debian.
+Copied from Fedora.
---- libwmf-0.2.8.4.orig/src/player/meta.h
-+++ libwmf-0.2.8.4/src/player/meta.h
-@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
- objects = P->objects;
-
- i = 0;
-- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
-+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
-
- if (i == NUM_OBJECTS (API))
- { WMF_ERROR (API,"Object out of range!");
-@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
- objects = P->objects;
-
- i = 0;
-- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
-+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
-
- if (i == NUM_OBJECTS (API))
- { WMF_ERROR (API,"Object out of range!");
-@@ -2593,9 +2593,10 @@ static int meta_dc_restore (wmfAPI* API,
- polyrect.BR = 0;
-
- polyrect.count = 0;
-+
-+ if (FR->region_clip) FR->region_clip (API,&polyrect);
- }
-
-- if (FR->region_clip) FR->region_clip (API,&polyrect);
-
- return (changed);
- }
-@@ -3067,7 +3068,7 @@ static int meta_pen_create (wmfAPI* API,
- objects = P->objects;
-
- i = 0;
-- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
-+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
-
- if (i == NUM_OBJECTS (API))
- { WMF_ERROR (API,"Object out of range!");
-@@ -3181,7 +3182,7 @@ static int meta_brush_create (wmfAPI* AP
- objects = P->objects;
-
- i = 0;
-- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
-+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
-
- if (i == NUM_OBJECTS (API))
- { WMF_ERROR (API,"Object out of range!");
-@@ -3288,7 +3289,7 @@ static int meta_font_create (wmfAPI* API
- objects = P->objects;
-
- i = 0;
-- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
-+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
-
- if (i == NUM_OBJECTS (API))
- { WMF_ERROR (API,"Object out of range!");
-@@ -3396,7 +3397,7 @@ static int meta_palette_create (wmfAPI*
- objects = P->objects;
-
- i = 0;
-- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
-+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
-
- if (i == NUM_OBJECTS (API))
- { WMF_ERROR (API,"Object out of range!");
---- libwmf-0.2.8.4.orig/src/ipa/ipa.h
-+++ libwmf-0.2.8.4/src/ipa/ipa.h
-@@ -48,7 +48,7 @@ static int ReadBlobByte (BMPS
- static unsigned short ReadBlobLSBShort (BMPSource*);
- static unsigned long ReadBlobLSBLong (BMPSource*);
- static long TellBlob (BMPSource*);
--static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
-+static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
- static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
- static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
- static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
---- libwmf-0.2.8.4.orig/src/ipa/ipa/bmp.h
-+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h
-@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
+
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
+@@ -859,7 +859,7 @@
%
%
*/
@@ 91,7 13,7 @@ Copied from Debian.
{ int byte;
int count;
int i;
-@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmf
+@@ -870,12 +870,14 @@
U32 u;
unsigned char* q;
@@ 106,7 28,7 @@ Copied from Debian.
for (y = 0; y < bmp->height; )
{ count = ReadBlobByte (src);
-@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmf
+@@ -884,7 +886,10 @@
{ /* Encoded mode. */
byte = ReadBlobByte (src);
for (i = 0; i < count; i++)
@@ 118,7 40,7 @@ Copied from Debian.
{ (*(q++)) = (unsigned char) byte;
}
else
-@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmf
+@@ -896,13 +901,15 @@
else
{ /* Escape mode. */
count = ReadBlobByte (src);
@@ 135,7 57,7 @@ Copied from Debian.
q = pixels + y * bmp->width;
break;
}
-@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmf
+@@ -910,13 +917,20 @@
{ /* Delta mode. */
x += ReadBlobByte (src);
y += ReadBlobByte (src);
@@ 157,7 79,7 @@ Copied from Debian.
{ (*(q++)) = ReadBlobByte (src);
}
else
-@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmf
+@@ -943,7 +957,7 @@
byte = ReadBlobByte (src); /* end of line */
byte = ReadBlobByte (src);
@@ 166,7 88,7 @@ Copied from Debian.
}
/*
-@@ -1143,8 +1157,18 @@ static void ReadBMPImage (wmfAPI* API,wm
+@@ -1143,8 +1157,18 @@
}
}
else
@@ 187,3 109,14 @@ Copied from Debian.
}
if (ERR (API))
+--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
+@@ -48,7 +48,7 @@
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long ReadBlobLSBLong (BMPSource*);
+ static long TellBlob (BMPSource*);
+-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
A gnu/packages/patches/libwmf-CVE-2015-4695.patch => gnu/packages/patches/libwmf-CVE-2015-4695.patch +60 -0
@@ 0,0 1,60 @@
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-4695.patch
+
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
A gnu/packages/patches/libwmf-CVE-2015-4696.patch => gnu/packages/patches/libwmf-CVE-2015-4696.patch +27 -0
@@ 0,0 1,27 @@
+Copied from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-4696.patch
+
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -2585,6 +2585,8 @@
+ polyrect.BR[i] = clip->rects[i].BR;
+ }
+
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
++
+ wmf_free (API,polyrect.TL);
+ wmf_free (API,polyrect.BR);
+ }
+@@ -2593,9 +2595,10 @@
+ polyrect.BR = 0;
+
+ polyrect.count = 0;
++
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
+ }
+
+- if (FR->region_clip) FR->region_clip (API,&polyrect);
+
+ return (changed);
+ }