Date: Saturday, November 24, 2018 @ 09:56:44 Author: arojas Revision: 340366
Fix FTBFS, use Fedora fork that includes all CVE patches Added: libwmf/trunk/libwmf-freetype.patch Modified: libwmf/trunk/PKGBUILD Deleted: libwmf/trunk/libwmf-0.2.8.4-CAN-2004-0941.patch libwmf/trunk/libwmf-0.2.8.4-CVE-2007-0455.patch libwmf/trunk/libwmf-0.2.8.4-CVE-2007-2756.patch libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3472.patch libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3473.patch libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3477.patch libwmf/trunk/libwmf-0.2.8.4-CVE-2009-3546.patch libwmf/trunk/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4695.patch libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4696.patch libwmf/trunk/libwmf-0.2.8.4-CVE-2016-9011.patch libwmf/trunk/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch libwmf/trunk/libwmf-0.2.8.4-libpng-1.5.patch libwmf/trunk/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch --------------------------------------------------+ PKGBUILD | 57 +--------- libwmf-0.2.8.4-CAN-2004-0941.patch | 17 --- libwmf-0.2.8.4-CVE-2007-0455.patch | 11 - libwmf-0.2.8.4-CVE-2007-2756.patch | 16 -- libwmf-0.2.8.4-CVE-2007-3472.patch | 59 ---------- libwmf-0.2.8.4-CVE-2007-3473.patch | 13 -- libwmf-0.2.8.4-CVE-2007-3477.patch | 38 ------ libwmf-0.2.8.4-CVE-2009-3546.patch | 13 -- libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch | 118 --------------------- libwmf-0.2.8.4-CVE-2015-4695.patch | 56 --------- libwmf-0.2.8.4-CVE-2015-4696.patch | 23 ---- libwmf-0.2.8.4-CVE-2016-9011.patch | 36 ------ libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch | 27 ---- libwmf-0.2.8.4-libpng-1.5.patch | 12 -- libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch | 10 - libwmf-freetype.patch | 65 +++++++++++ 16 files changed, 74 insertions(+), 497 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2018-11-24 08:51:13 UTC (rev 340365) +++ PKGBUILD 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,63 +1,24 @@ # Maintainer: Eric BĂ©langer <[email protected]> pkgname=libwmf -pkgver=0.2.8.4 -pkgrel=14 +pkgver=0.2.10 +pkgrel=1 pkgdesc="A library for reading vector images in Microsoft's native Windows Metafile Format (WMF)" arch=('x86_64') url="http://wvware.sourceforge.net/libwmf.html"; license=('LGPL') -depends=('libx11' 'libjpeg' 'gsfonts') +depends=('libx11' 'libjpeg' 'gsfonts' 'freetype2' 'expat') makedepends=('gtk2' 'libxt') optdepends=('gdk-pixbuf2: for pixbuf loader') options=('!docs' '!emptydirs') -source=(http://downloads.sourceforge.net/sourceforge/wvware/${pkgname}-${pkgver}.tar.gz - libwmf-0.2.8.4-libpng-1.5.patch - libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch - libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch - libwmf-0.2.8.4-CAN-2004-0941.patch - libwmf-0.2.8.4-CVE-2007-0455.patch - libwmf-0.2.8.4-CVE-2007-2756.patch - libwmf-0.2.8.4-CVE-2007-3472.patch - libwmf-0.2.8.4-CVE-2007-3473.patch - libwmf-0.2.8.4-CVE-2007-3477.patch - libwmf-0.2.8.4-CVE-2009-3546.patch - libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch - libwmf-0.2.8.4-CVE-2015-4695.patch - libwmf-0.2.8.4-CVE-2015-4696.patch - libwmf-0.2.8.4-CVE-2016-9011.patch) -sha1sums=('822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89' - '42aa4c2a82e4e14044c875a7f439baea732a355a' - 'ea6d28880840e86c96f9079bfd591da54dcffa5c' - '6f130ea9f639ccf88fef0fda74cf9fa3956f81b5' - '2f8a46698dac6d5f5c3109cb56ad675ff1efaee0' - '380d59744f174e12d4ba4f5cb63f14b6092850fa' - '45ae37f79b351fe738212caa3a3c61c9b6fa2d5b' - '1836f07750d3a8b4dd6354660875436b0e5c3b07' - 'c778b89445f621fd5e44b0bbf9d441cceea90d6c' - 'd0a6fefedd327f99c3ca1c2f7f19adddc2cef50a' - '83f32dac05c1492eef1e652c553a5ffc80a3e656' - '5608d0565890f2f89435bc13ad57279900ed83b4' - '408cfff29160b037b8baa26b4647e02f373b8b85' - 'e250f5ecefde4bf5c06f7fbc562566ce64204f2a' - '9f8670ef0b4862bb84aecc582bfbec45573a8831') +source=($pkgname-$pkgver.tar.gz::https://github.com/caolanm/libwmf/archive/v$pkgver.tar.gz libwmf-freetype.patch) +sha1sums=('1cd3044efbdcdcde11ddf79d3428167374ff3283' + 'ef4d452cd5e7fcb36751771c6f44b4b7a3f8693a') prepare() { cd ${pkgname}-${pkgver} - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-libpng-1.5.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CAN-2004-0941.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-0455.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-2756.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3472.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3473.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3477.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2009-3546.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-4695.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-4696.patch" - patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2016-9011.patch" + patch -p1 -i ../libwmf-freetype.patch # Port away from freetype-config, patch from openembedded.org + autoreconf -vi -Ipatches } build() { @@ -71,7 +32,7 @@ package() { cd ${pkgname}-${pkgver} - make DESTDIR="${pkgdir}" install + make DESTDIR="${pkgdir}" install -j1 #Remove fonts, these are in gsfonts rm -rf "${pkgdir}/usr/share/fonts" } Deleted: libwmf-0.2.8.4-CAN-2004-0941.patch =================================================================== --- libwmf-0.2.8.4-CAN-2004-0941.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CAN-2004-0941.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,17 +0,0 @@ ---- libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824 -0500 -+++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960 -0500 -@@ -188,6 +188,14 @@ - - png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, - &interlace_type, NULL, NULL); -+ if (overflow2(sizeof (int), width)) -+ { -+ return NULL; -+ } -+ if (overflow2(sizeof (int) * width, height)) -+ { -+ return NULL; -+ } - if ((color_type == PNG_COLOR_TYPE_RGB) || - (color_type == PNG_COLOR_TYPE_RGB_ALPHA)) - { Deleted: libwmf-0.2.8.4-CVE-2007-0455.patch =================================================================== --- libwmf-0.2.8.4-CVE-2007-0455.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CVE-2007-0455.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,11 +0,0 @@ ---- libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000 -+++ libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000 -@@ -811,7 +811,7 @@ - { - ch = c & 0xFF; /* don't extend sign */ - } -- next++; -+ if (*next) next++; - } - else - { Deleted: libwmf-0.2.8.4-CVE-2007-2756.patch =================================================================== --- libwmf-0.2.8.4-CVE-2007-2756.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CVE-2007-2756.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,16 +0,0 @@ ---- libwmf-0.2.8.4/src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000 1.21.2.1 -+++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000 -@@ -78,8 +78,11 @@ - gdPngReadData (png_structp png_ptr, - png_bytep data, png_size_t length) - { -- gdGetBuf (data, length, (gdIOCtx *) -- png_get_io_ptr (png_ptr)); -+ int check; -+ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr)); -+ if (check != length) { -+ png_error(png_ptr, "Read Error: truncated data"); -+ } - } - - static void Deleted: libwmf-0.2.8.4-CVE-2007-3472.patch =================================================================== --- libwmf-0.2.8.4-CVE-2007-3472.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CVE-2007-3472.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,59 +0,0 @@ ---- libwmf-0.2.8.4/src/extra/gd/gd.c -+++ libwmf-0.2.8.4/src/extra/gd/gd.c -@@ -106,6 +106,18 @@ - gdImagePtr im; - unsigned long cpa_size; - -+ if (overflow2(sx, sy)) { -+ return NULL; -+ } -+ -+ if (overflow2(sizeof (int *), sy)) { -+ return NULL; -+ } -+ -+ if (overflow2(sizeof(int), sx)) { -+ return NULL; -+ } -+ - im = (gdImage *) gdMalloc (sizeof (gdImage)); - if (im == 0) return 0; - memset (im, 0, sizeof (gdImage)); ---- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000 -+++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000 -@@ -2,6 +2,7 @@ - #include "gdhelpers.h" - #include <stdlib.h> - #include <string.h> -+#include <limits.h> - - /* TBB: gd_strtok_r is not portable; provide an implementation */ - -@@ -94,3 +95,18 @@ - { - free (ptr); - } -+ -+int overflow2(int a, int b) -+{ -+ if(a < 0 || b < 0) { -+ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n"); -+ return 1; -+ } -+ if(b == 0) -+ return 0; -+ if(a > INT_MAX / b) { -+ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); -+ return 1; -+ } -+ return 0; -+} ---- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000 -+++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000 -@@ -15,4 +15,6 @@ - void *gdMalloc(size_t size); - void *gdRealloc(void *ptr, size_t size); - -+int overflow2(int a, int b); -+ - #endif /* GDHELPERS_H */ Deleted: libwmf-0.2.8.4-CVE-2007-3473.patch =================================================================== --- libwmf-0.2.8.4-CVE-2007-3473.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CVE-2007-3473.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,13 +0,0 @@ ---- libwmf-0.2.8.4/src/extra/gd/gd.c -+++ libwmf-0.2.8.4/src/extra/gd/gd.c -@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd) - } - bytes = (w * h / 8) + 1; - im = gdImageCreate (w, h); -+ if (!im) { -+ return 0; -+ } -+ - gdImageColorAllocate (im, 255, 255, 255); - gdImageColorAllocate (im, 0, 0, 0); - x = 0; Deleted: libwmf-0.2.8.4-CVE-2007-3477.patch =================================================================== --- libwmf-0.2.8.4-CVE-2007-3477.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CVE-2007-3477.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,38 +0,0 @@ ---- libwmf-0.2.8.4/src/extra/gd/gd.c -+++ libwmf-0.2.8.4/src/extra/gd/gd.c -@@ -1335,10 +1335,31 @@ - int w2, h2; - w2 = w / 2; - h2 = h / 2; -- while (e < s) -- { -- e += 360; -- } -+ -+ if ((s % 360) == (e % 360)) { -+ s = 0; e = 360; -+ } else { -+ if (s > 360) { -+ s = s % 360; -+ } -+ -+ if (e > 360) { -+ e = e % 360; -+ } -+ -+ while (s < 0) { -+ s += 360; -+ } -+ -+ while (e < s) { -+ e += 360; -+ } -+ -+ if (s == e) { -+ s = 0; e = 360; -+ } -+ } -+ - for (i = s; (i <= e); i++) - { - int x, y; Deleted: libwmf-0.2.8.4-CVE-2009-3546.patch =================================================================== --- libwmf-0.2.8.4-CVE-2009-3546.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CVE-2009-3546.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,13 +0,0 @@ ---- libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000 +0000 -+++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000 +0000 -@@ -42,6 +42,10 @@ - { - goto fail1; - } -+ if (&im->colorsTotal > gdMaxColors) -+ { -+ goto fail1; -+ } - } - /* Int to accommodate truecolor single-color transparency */ - if (!gdGetInt (&im->transparent, in)) Deleted: libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch =================================================================== --- libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,118 +0,0 @@ ---- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100 -+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100 -@@ -859,7 +859,7 @@ - % - % - */ --static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) -+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) - { int byte; - int count; - int i; -@@ -870,12 +870,14 @@ - U32 u; - - unsigned char* q; -+ unsigned char* end; - - for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; - - byte = 0; - x = 0; - q = pixels; -+ end = pixels + bmp->width * bmp->height; - - for (y = 0; y < bmp->height; ) - { count = ReadBlobByte (src); -@@ -884,7 +886,10 @@ - { /* Encoded mode. */ - byte = ReadBlobByte (src); - for (i = 0; i < count; i++) -- { if (compression == 1) -+ { -+ if (q == end) -+ return 0; -+ if (compression == 1) - { (*(q++)) = (unsigned char) byte; - } - else -@@ -896,13 +901,15 @@ - else - { /* Escape mode. */ - count = ReadBlobByte (src); -- if (count == 0x01) return; -+ if (count == 0x01) return 1; - switch (count) - { - case 0x00: - { /* End of line. */ - x = 0; - y++; -+ if (y >= bmp->height) -+ return 0; - q = pixels + y * bmp->width; - break; - } -@@ -910,13 +917,20 @@ - { /* Delta mode. */ - x += ReadBlobByte (src); - y += ReadBlobByte (src); -+ if (y >= bmp->height) -+ return 0; -+ if (x >= bmp->width) -+ return 0; - q = pixels + y * bmp->width + x; - break; - } - default: - { /* Absolute mode. */ - for (i = 0; i < count; i++) -- { if (compression == 1) -+ { -+ if (q == end) -+ return 0; -+ if (compression == 1) - { (*(q++)) = ReadBlobByte (src); - } - else -@@ -943,7 +957,7 @@ - byte = ReadBlobByte (src); /* end of line */ - byte = ReadBlobByte (src); - -- return; -+ return 1; - } - - /* -@@ -1143,8 +1157,18 @@ - } - } - else -- { /* Convert run-length encoded raster pixels. */ -- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); -+ { -+ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ -+ { -+ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) -+ { WMF_ERROR (API,"corrupt bmp"); -+ API->err = wmf_E_BadFormat; -+ } -+ } -+ else -+ { WMF_ERROR (API,"Unexpected pixel depth"); -+ API->err = wmf_E_BadFormat; -+ } - } - - if (ERR (API)) ---- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100 -+++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100 -@@ -48,7 +48,7 @@ - static unsigned short ReadBlobLSBShort (BMPSource*); - static unsigned long ReadBlobLSBLong (BMPSource*); - static long TellBlob (BMPSource*); --static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); -+static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); - static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); - static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); - static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); Deleted: libwmf-0.2.8.4-CVE-2015-4695.patch =================================================================== --- libwmf-0.2.8.4-CVE-2015-4695.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CVE-2015-4695.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,56 +0,0 @@ ---- libwmf-0.2.8.4/src/player/meta.h -+++ libwmf-0.2.8.4/src/player/meta.h -@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API, - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); -@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); -@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API, - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); -@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); -@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); -@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI* - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); Deleted: libwmf-0.2.8.4-CVE-2015-4696.patch =================================================================== --- libwmf-0.2.8.4-CVE-2015-4696.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CVE-2015-4696.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,23 +0,0 @@ ---- libwmf-0.2.8.4/src/player/meta.h -+++ libwmf-0.2.8.4/src/player/meta.h -@@ -2585,6 +2585,8 @@ - polyrect.BR[i] = clip->rects[i].BR; - } - -+ if (FR->region_clip) FR->region_clip (API,&polyrect); -+ - wmf_free (API,polyrect.TL); - wmf_free (API,polyrect.BR); - } -@@ -2593,9 +2595,10 @@ - polyrect.BR = 0; - - polyrect.count = 0; -+ -+ if (FR->region_clip) FR->region_clip (API,&polyrect); - } - -- if (FR->region_clip) FR->region_clip (API,&polyrect); - - return (changed); - } Deleted: libwmf-0.2.8.4-CVE-2016-9011.patch =================================================================== --- libwmf-0.2.8.4-CVE-2016-9011.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-CVE-2016-9011.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,36 +0,0 @@ ---- libwmf-0.2.8.4/src/player.c -+++ libwmf-0.2.8.4/src/player.c -@@ -139,8 +139,31 @@ - WMF_DEBUG (API,"bailing..."); - return (API->err); - } -- -- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); -+ -+ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char); -+ if (nMaxRecordSize) -+ { -+ //before allocating memory do a sanity check on size by seeking -+ //to claimed end to see if its possible. We're constrained here -+ //by the api and existing implementations to not simply seeking -+ //to SEEK_END. So use what we have to skip to the last byte and -+ //try and read it. -+ const long nPos = WMF_TELL (API); -+ WMF_SEEK (API, nPos + nMaxRecordSize - 1); -+ if (ERR (API)) -+ { WMF_DEBUG (API,"bailing..."); -+ return (API->err); -+ } -+ int byte = WMF_READ (API); -+ if (byte == (-1)) -+ { WMF_ERROR (API,"Unexpected EOF!"); -+ API->err = wmf_E_EOF; -+ return (API->err); -+ } -+ WMF_SEEK (API, nPos); -+ } -+ -+ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize); - - if (ERR (API)) - { WMF_DEBUG (API,"bailing..."); Deleted: libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch =================================================================== --- libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,27 +0,0 @@ ---- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000 -+++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100 -@@ -42,6 +42,7 @@ - #include "player/defaults.h" /* Provides: default settings */ - #include "player/record.h" /* Provides: parameter mechanism */ - #include "player/meta.h" /* Provides: record interpreters */ -+#include <stdint.h> - - /** - * @internal -@@ -132,8 +134,14 @@ - } - } - --/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); -- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); -+ if (MAX_REC_SIZE(API) > UINT32_MAX / 2) -+ { -+ API->err = wmf_E_InsMem; -+ WMF_DEBUG (API,"bailing..."); -+ return (API->err); -+ } -+ -+ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); - - if (ERR (API)) - { WMF_DEBUG (API,"bailing..."); Deleted: libwmf-0.2.8.4-libpng-1.5.patch =================================================================== --- libwmf-0.2.8.4-libpng-1.5.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-libpng-1.5.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,12 +0,0 @@ -diff -urN libwmf-0.2.8.4.old/src/ipa/ipa/bmp.h libwmf-0.2.8.4/src/ipa/ipa/bmp.h ---- libwmf-0.2.8.4.old/src/ipa/ipa/bmp.h 2011-05-23 19:14:23.000000000 +0200 -+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2011-05-23 19:15:11.000000000 +0200 -@@ -66,7 +66,7 @@ - return; - } - -- if (setjmp (png_ptr->jmpbuf)) -+ if (setjmp(png_jmpbuf(png_ptr))) - { WMF_DEBUG (API,"Failed to write bitmap as PNG! (setjmp failed)"); - png_destroy_write_struct (&png_ptr,&info_ptr); - wmf_free (API,buffer); Deleted: libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch =================================================================== --- libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch 2018-11-24 08:51:13 UTC (rev 340365) +++ libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -1,10 +0,0 @@ ---- libwmf-0.2.8.4/src/extra/gd/gd_clip.c.CVE-2009-1364-im-clip-list 2009-04-24 04:06:44.000000000 -0400 -+++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c 2009-04-24 04:08:30.000000000 -0400 -@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRe - { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle)); - if (more == 0) return; - im->clip->max += 8; -+ im->clip->list = more; - } - im->clip->list[im->clip->count] = (*rect); - im->clip->count++; Added: libwmf-freetype.patch =================================================================== --- libwmf-freetype.patch (rev 0) +++ libwmf-freetype.patch 2018-11-24 09:56:44 UTC (rev 340366) @@ -0,0 +1,65 @@ +From 61655f82224cadb261e81f8bae111eaaa7bdf531 Mon Sep 17 00:00:00 2001 +From: Koen Kooi <[email protected]> +Date: Wed, 6 Aug 2014 14:53:03 +0200 +Subject: [PATCH] configure: use pkg-config for freetype + +Upstream-status: Pending +Signed-off-by: Koen Kooi <[email protected]> +--- + configure.ac | 37 ++++++++----------------------------- + 1 file changed, 8 insertions(+), 29 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 3cfe974..0055a8c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -399,40 +399,19 @@ AC_ARG_WITH(freetype,[ --with-freetype=DIR use freetype2 in DIR],[ + fi + ]) + +-if [ test -n "$FREETYPE_DIR" ]; then +- AC_PATH_PROG(FREETYPE_CONFIG,freetype-config, ,[$FREETYPE_DIR/bin:$PATH]) +-else +- AC_PATH_PROG(FREETYPE_CONFIG,freetype-config) +-fi +- +-if [ test -n "$FREETYPE_CONFIG" ]; then +- if [ test -n "$FREETYPE_DIR" ]; then +- freetype_cflags="`$FREETYPE_CONFIG --cflags` -I$FREETYPE_DIR/include" +- freetype_libs=`$FREETYPE_CONFIG --libs` +- else +- freetype_cflags=`$FREETYPE_CONFIG --cflags` +- freetype_libs=`$FREETYPE_CONFIG --libs` +- fi +-else +- if [ test -n "$FREETYPE_DIR" ]; then +- freetype_cflags="-I$FREETYPE_DIR/include/freetype2 -I$FREETYPE_DIR/include" +- freetype_libs="-L$FREETYPE_DIR/lib -lfreetype" +- else +- freetype_cflags="" +- freetype_libs="-lfreetype" +- fi +-fi +- +-CPPFLAGS="$freetype_cflags $CPPFLAGS" +-LDFLAGS="$LDFLAGS $freetype_libs" ++PKG_CHECK_MODULES(FREETYPE2, freetype2, ++ CFLAGS="$CFLAGS $FREETYPE2_CFLAGS" ++ LDFLAGS="$LDFLAGS $FREETYPE2_LIBS", ++ AC_MSG_ERROR([*** Unable to find FreeType2 library (http://www.freetype.org/)]) ++) + + AC_CHECK_LIB(freetype,FT_Init_FreeType,[ +- WMF_FT_LDFLAGS="$freetype_libs" ++ WMF_FT_LDFLAGS="$FREETYPE2_LIBS" + ],[ AC_MSG_ERROR([* * * freetype(2) is required * * *]) + ]) + AC_CHECK_HEADER(ft2build.h,[ +- WMF_FT_CFLAGS="$freetype_cflags" +- WMF_FT_CONFIG_CFLAGS="$freetype_cflags" ++ WMF_FT_CFLAGS="$FREETYPE2_CFLAGS" ++ WMF_FT_CONFIG_CFLAGS="$FREETYPE2_CFLAGS" + ],[ AC_MSG_ERROR([* * * freetype(2) is required * * *]) + ]) + +
