diff options
Diffstat (limited to 'gnu/packages/patches')
31 files changed, 592 insertions, 2064 deletions
diff --git a/gnu/packages/patches/gajim-CVE-2016-10376.patch b/gnu/packages/patches/gajim-CVE-2016-10376.patch new file mode 100644 index 0000000000..591dd1af21 --- /dev/null +++ b/gnu/packages/patches/gajim-CVE-2016-10376.patch @@ -0,0 +1,57 @@ +Fix CVE-2016-10376. + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10376 +http://seclists.org/oss-sec/2017/q2/341 +https://dev.gajim.org/gajim/gajim/issues/8378 + +Patch copied from upstream source repository: + +https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc + +(adapted for context in config.py) + +From cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc Mon Sep 17 00:00:00 2001 +From: Philipp Hörist <forenjunkie@chello.at> +Date: Fri, 26 May 2017 23:10:05 +0200 +Subject: [PATCH] Add config option to activate XEP-0146 commands + +Some of the Commands have security implications, thats why we disable them per default +Fixes #8378 +--- + src/common/commands.py | 7 ++++--- + src/common/config.py | 1 + + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/common/commands.py b/src/common/commands.py +index 19d8c13..0eeb57c 100644 +--- a/src/common/commands.py ++++ b/src/common/commands.py +@@ -345,9 +345,10 @@ class ConnectionCommands: + def __init__(self): + # a list of all commands exposed: node -> command class + self.__commands = {} +- for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand, +- LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand): +- self.__commands[cmdobj.commandnode] = cmdobj ++ if gajim.config.get('remote_commands'): ++ for cmdobj in (ChangeStatusCommand, ForwardMessagesCommand, ++ LeaveGroupchatsCommand, FwdMsgThenDisconnectCommand): ++ self.__commands[cmdobj.commandnode] = cmdobj + + # a list of sessions; keys are tuples (jid, sessionid, node) + self.__sessions = {} +diff --git a/src/common/config.py b/src/common/config.py +index cde1f81..fe25455 100644 +--- a/src/common/config.py ++++ b/src/common/config.py +@@ -314,6 +314,7 @@ class Config: + 'ignore_incoming_attention': [opt_bool, False, _('If True, Gajim will ignore incoming attention requestd ("wizz").')], + 'remember_opened_chat_controls': [ opt_bool, True, _('If enabled, Gajim will reopen chat windows that were opened last time Gajim was closed.')], + 'positive_184_ack': [ opt_bool, False, _('If enabled, Gajim will show an icon to show that sent message has been received by your contact')], ++ 'remote_commands': [opt_bool, False, _('If True, Gajim will execute XEP-0146 Commands.')], + }, {}) + + __options_per_key = { +-- +libgit2 0.24.0 + diff --git a/gnu/packages/patches/jasper-CVE-2017-6850.patch b/gnu/packages/patches/jasper-CVE-2017-6850.patch deleted file mode 100644 index 07672762a1..0000000000 --- a/gnu/packages/patches/jasper-CVE-2017-6850.patch +++ /dev/null @@ -1,284 +0,0 @@ -This patch is from upstream and should be fixed included in the next release - -From e96fc4fdd525fa0ede28074a7e2b1caf94b58b0d Mon Sep 17 00:00:00 2001 -From: Michael Adams <mdadams@ece.uvic.ca> -Date: Sat, 4 Mar 2017 14:43:24 -0800 -Subject: [PATCH] Fixed bugs due to uninitialized data in the JP2 decoder. - Also, added some comments marking I/O stream interfaces that probably need to - be changed (in the long term) to fix integer overflow problems. - ---- - src/libjasper/base/jas_stream.c | 18 +++++++++++++++++ - src/libjasper/jp2/jp2_cod.c | 44 ++++++++++++++++++++++++++++------------- - 2 files changed, 48 insertions(+), 14 deletions(-) - -diff --git a/src/libjasper/base/jas_stream.c b/src/libjasper/base/jas_stream.c -index 327ee57..d70408f 100644 ---- a/src/libjasper/base/jas_stream.c -+++ b/src/libjasper/base/jas_stream.c -@@ -664,6 +664,7 @@ int jas_stream_ungetc(jas_stream_t *stream, int c) - return 0; - } - -+/* FIXME integral type */ - int jas_stream_read(jas_stream_t *stream, void *buf, int cnt) - { - int n; -@@ -690,6 +691,7 @@ int jas_stream_read(jas_stream_t *stream, void *buf, int cnt) - return n; - } - -+/* FIXME integral type */ - int jas_stream_write(jas_stream_t *stream, const void *buf, int cnt) - { - int n; -@@ -742,6 +744,7 @@ int jas_stream_puts(jas_stream_t *stream, const char *s) - return 0; - } - -+/* FIXME integral type */ - char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize) - { - int c; -@@ -765,6 +768,7 @@ char *jas_stream_gets(jas_stream_t *stream, char *buf, int bufsize) - return buf; - } - -+/* FIXME integral type */ - int jas_stream_gobble(jas_stream_t *stream, int n) - { - int m; -@@ -783,6 +787,7 @@ int jas_stream_gobble(jas_stream_t *stream, int n) - return n; - } - -+/* FIXME integral type */ - int jas_stream_pad(jas_stream_t *stream, int n, int c) - { - int m; -@@ -885,6 +890,7 @@ long jas_stream_tell(jas_stream_t *stream) - * Buffer initialization code. - \******************************************************************************/ - -+/* FIXME integral type */ - static void jas_stream_initbuf(jas_stream_t *stream, int bufmode, char *buf, - int bufsize) - { -@@ -1060,6 +1066,7 @@ static int jas_strtoopenmode(const char *s) - return openmode; - } - -+/* FIXME integral type */ - int jas_stream_copy(jas_stream_t *out, jas_stream_t *in, int n) - { - int all; -@@ -1085,6 +1092,7 @@ int jas_stream_copy(jas_stream_t *out, jas_stream_t *in, int n) - return 0; - } - -+/* FIXME integral type */ - long jas_stream_setrwcount(jas_stream_t *stream, long rwcnt) - { - int old; -@@ -1094,6 +1102,7 @@ long jas_stream_setrwcount(jas_stream_t *stream, long rwcnt) - return old; - } - -+/* FIXME integral type */ - int jas_stream_display(jas_stream_t *stream, FILE *fp, int n) - { - unsigned char buf[16]; -@@ -1168,6 +1177,7 @@ long jas_stream_length(jas_stream_t *stream) - * Memory stream object. - \******************************************************************************/ - -+/* FIXME integral type */ - static int mem_read(jas_stream_obj_t *obj, char *buf, int cnt) - { - ssize_t n; -@@ -1209,6 +1219,7 @@ static int mem_resize(jas_stream_memobj_t *m, size_t bufsize) - return 0; - } - -+/* FIXME integral type */ - static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt) - { - size_t n; -@@ -1264,6 +1275,7 @@ static int mem_write(jas_stream_obj_t *obj, char *buf, int cnt) - return ret; - } - -+/* FIXME integral type */ - static long mem_seek(jas_stream_obj_t *obj, long offset, int origin) - { - jas_stream_memobj_t *m = (jas_stream_memobj_t *)obj; -@@ -1310,6 +1322,7 @@ static int mem_close(jas_stream_obj_t *obj) - * File stream object. - \******************************************************************************/ - -+/* FIXME integral type */ - static int file_read(jas_stream_obj_t *obj, char *buf, int cnt) - { - jas_stream_fileobj_t *fileobj; -@@ -1318,6 +1331,7 @@ static int file_read(jas_stream_obj_t *obj, char *buf, int cnt) - return read(fileobj->fd, buf, cnt); - } - -+/* FIXME integral type */ - static int file_write(jas_stream_obj_t *obj, char *buf, int cnt) - { - jas_stream_fileobj_t *fileobj; -@@ -1326,6 +1340,7 @@ static int file_write(jas_stream_obj_t *obj, char *buf, int cnt) - return write(fileobj->fd, buf, cnt); - } - -+/* FIXME integral type */ - static long file_seek(jas_stream_obj_t *obj, long offset, int origin) - { - jas_stream_fileobj_t *fileobj; -@@ -1352,6 +1367,7 @@ static int file_close(jas_stream_obj_t *obj) - * Stdio file stream object. - \******************************************************************************/ - -+/* FIXME integral type */ - static int sfile_read(jas_stream_obj_t *obj, char *buf, int cnt) - { - FILE *fp; -@@ -1367,6 +1383,7 @@ static int sfile_read(jas_stream_obj_t *obj, char *buf, int cnt) - return result; - } - -+/* FIXME integral type */ - static int sfile_write(jas_stream_obj_t *obj, char *buf, int cnt) - { - FILE *fp; -@@ -1377,6 +1394,7 @@ static int sfile_write(jas_stream_obj_t *obj, char *buf, int cnt) - return (n != JAS_CAST(size_t, cnt)) ? (-1) : cnt; - } - -+/* FIXME integral type */ - static long sfile_seek(jas_stream_obj_t *obj, long offset, int origin) - { - FILE *fp; -diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c -index 7f3608a..8d98a2c 100644 ---- a/src/libjasper/jp2/jp2_cod.c -+++ b/src/libjasper/jp2/jp2_cod.c -@@ -183,15 +183,28 @@ jp2_boxinfo_t jp2_boxinfo_unk = { - * Box constructor. - \******************************************************************************/ - --jp2_box_t *jp2_box_create(int type) -+jp2_box_t *jp2_box_create0() - { - jp2_box_t *box; -- jp2_boxinfo_t *boxinfo; -- - if (!(box = jas_malloc(sizeof(jp2_box_t)))) { - return 0; - } - memset(box, 0, sizeof(jp2_box_t)); -+ box->type = 0; -+ box->len = 0; -+ // Mark the box data as never having been constructed -+ // so that we will not errantly attempt to destroy it later. -+ box->ops = &jp2_boxinfo_unk.ops; -+ return box; -+} -+ -+jp2_box_t *jp2_box_create(int type) -+{ -+ jp2_box_t *box; -+ jp2_boxinfo_t *boxinfo; -+ if (!(box = jp2_box_create0())) { -+ return 0; -+ } - box->type = type; - box->len = 0; - if (!(boxinfo = jp2_boxinfolookup(type))) { -@@ -248,14 +261,9 @@ jp2_box_t *jp2_box_get(jas_stream_t *in) - box = 0; - tmpstream = 0; - -- if (!(box = jas_malloc(sizeof(jp2_box_t)))) { -+ if (!(box = jp2_box_create0())) { - goto error; - } -- -- // Mark the box data as never having been constructed -- // so that we will not errantly attempt to destroy it later. -- box->ops = &jp2_boxinfo_unk.ops; -- - if (jp2_getuint32(in, &len) || jp2_getuint32(in, &box->type)) { - goto error; - } -@@ -263,10 +271,12 @@ jp2_box_t *jp2_box_get(jas_stream_t *in) - box->info = boxinfo; - box->len = len; - JAS_DBGLOG(10, ( -- "preliminary processing of JP2 box: type=%c%s%c (0x%08x); length=%d\n", -+ "preliminary processing of JP2 box: " -+ "type=%c%s%c (0x%08x); length=%"PRIuFAST32"\n", - '"', boxinfo->name, '"', box->type, box->len - )); - if (box->len == 1) { -+ JAS_DBGLOG(10, ("big length\n")); - if (jp2_getuint64(in, &extlen)) { - goto error; - } -@@ -382,6 +392,7 @@ static int jp2_bpcc_getdata(jp2_box_t *box, jas_stream_t *in) - { - jp2_bpcc_t *bpcc = &box->data.bpcc; - unsigned int i; -+ bpcc->bpcs = 0; - bpcc->numcmpts = box->datalen; - if (!(bpcc->bpcs = jas_alloc2(bpcc->numcmpts, sizeof(uint_fast8_t)))) { - return -1; -@@ -462,6 +473,7 @@ static int jp2_cdef_getdata(jp2_box_t *box, jas_stream_t *in) - jp2_cdef_t *cdef = &box->data.cdef; - jp2_cdefchan_t *chan; - unsigned int channo; -+ cdef->ents = 0; - if (jp2_getuint16(in, &cdef->numchans)) { - return -1; - } -@@ -518,7 +530,9 @@ int jp2_box_put(jp2_box_t *box, jas_stream_t *out) - } - - if (dataflag) { -- if (jas_stream_copy(out, tmpstream, box->len - JP2_BOX_HDRLEN(false))) { -+ if (jas_stream_copy(out, tmpstream, box->len - -+ JP2_BOX_HDRLEN(false))) { -+ jas_eprintf("cannot copy box data\n"); - goto error; - } - jas_stream_close(tmpstream); -@@ -777,6 +791,7 @@ static int jp2_cmap_getdata(jp2_box_t *box, jas_stream_t *in) - jp2_cmap_t *cmap = &box->data.cmap; - jp2_cmapent_t *ent; - unsigned int i; -+ cmap->ents = 0; - - cmap->numchans = (box->datalen) / 4; - if (!(cmap->ents = jas_alloc2(cmap->numchans, sizeof(jp2_cmapent_t)))) { -@@ -835,6 +850,7 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in) - int_fast32_t x; - - pclr->lutdata = 0; -+ pclr->bpc = 0; - - if (jp2_getuint16(in, &pclr->numlutents) || - jp2_getuint8(in, &pclr->numchans)) { -@@ -869,9 +885,9 @@ static int jp2_pclr_putdata(jp2_box_t *box, jas_stream_t *out) - #if 0 - jp2_pclr_t *pclr = &box->data.pclr; - #endif --/* Eliminate warning about unused variable. */ --box = 0; --out = 0; -+ /* Eliminate warning about unused variable. */ -+ box = 0; -+ out = 0; - return -1; - } - diff --git a/gnu/packages/patches/libtiff-CVE-2016-10092.patch b/gnu/packages/patches/libtiff-CVE-2016-10092.patch deleted file mode 100644 index d5fd796169..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-10092.patch +++ /dev/null @@ -1,42 +0,0 @@ -Fix CVE-2016-10092: - -http://bugzilla.maptools.org/show_bug.cgi?id=2620 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10092 -https://security-tracker.debian.org/tracker/CVE-2016-10092 - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) - mode so that the output buffer is correctly incremented to avoid write - outside bounds. - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1178; previous revision: 1.1177 -/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c -new revision: 1.47; previous revision: 1.46 - -Index: libtiff/tools/tiffcrop.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v -retrieving revision 1.46 -retrieving revision 1.47 -diff -u -r1.46 -r1.47 ---- libtiff/tools/tiffcrop.c 18 Nov 2016 14:58:46 -0000 1.46 -+++ libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47 -@@ -1,4 +1,4 @@ --/* $Id: tiffcrop.c,v 1.46 2016-11-18 14:58:46 erouault Exp $ */ -+/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */ - - /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of - * the image data through additional options listed below -@@ -3698,7 +3698,7 @@ - (unsigned long) strip, (unsigned long)rows); - return 0; - } -- bufp += bytes_read; -+ bufp += stripsize; - } - - return 1; diff --git a/gnu/packages/patches/libtiff-CVE-2016-10093.patch b/gnu/packages/patches/libtiff-CVE-2016-10093.patch deleted file mode 100644 index 5897ec1029..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-10093.patch +++ /dev/null @@ -1,53 +0,0 @@ -Fix CVE-2016-10093: - -http://bugzilla.maptools.org/show_bug.cgi?id=2610 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10093 -https://security-tracker.debian.org/tracker/CVE-2016-10093 - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcp.c: fix uint32 underflow/overflow that can cause - heap-based buffer overflow. - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1187; previous revision: 1.1186 -/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c -new revision: 1.59; previous revision: 1.58 - -Index: libtiff/tools/tiffcp.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v -retrieving revision 1.58 -retrieving revision 1.59 -diff -u -r1.58 -r1.59 ---- libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58 -+++ libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59 -@@ -1163,7 +1163,7 @@ - - static void - cpStripToTile(uint8* out, uint8* in, -- uint32 rows, uint32 cols, int outskew, int inskew) -+ uint32 rows, uint32 cols, int outskew, int64 inskew) - { - while (rows-- > 0) { - uint32 j = cols; -@@ -1320,7 +1320,7 @@ - tdata_t tilebuf; - uint32 imagew = TIFFScanlineSize(in); - uint32 tilew = TIFFTileRowSize(in); -- int iskew = imagew - tilew; -+ int64 iskew = (int64)imagew - (int64)tilew; - uint8* bufp = (uint8*) buf; - uint32 tw, tl; - uint32 row; -@@ -1348,7 +1348,7 @@ - status = 0; - goto done; - } -- if (colb + tilew > imagew) { -+ if (colb > iskew) { - uint32 width = imagew - colb; - uint32 oskew = tilew - width; - cpStripToTile(bufp + colb, diff --git a/gnu/packages/patches/libtiff-CVE-2016-10094.patch b/gnu/packages/patches/libtiff-CVE-2016-10094.patch deleted file mode 100644 index 9018773565..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-10094.patch +++ /dev/null @@ -1,34 +0,0 @@ -Fix CVE-2016-10094: - -http://bugzilla.maptools.org/show_bug.cgi?id=2640 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10094 -https://security-tracker.debian.org/tracker/CVE-2016-10094 - -2016-12-20 Even Rouault <even.rouault at spatialys.com> - - * tools/tiff2pdf.c: avoid potential heap-based overflow in - t2p_readwrite_pdf_image_tile(). - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1199; previous revision: 1.1198 -/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c -new revision: 1.101; previous revision: 1.100 - -Index: libtiff/tools/tiff2pdf.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v -retrieving revision 1.100 -retrieving revision 1.101 -diff -u -r1.100 -r1.101 ---- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100 -+++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:28:17 -0000 1.101 -@@ -2895,7 +2895,7 @@ - return(0); - } - if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { -- if (count >= 4) { -+ if (count > 4) { - int retTIFFReadRawTile; - /* Ignore EOI marker of JpegTables */ - _TIFFmemcpy(buffer, jpt, count - 2); diff --git a/gnu/packages/patches/libtiff-CVE-2017-5225.patch b/gnu/packages/patches/libtiff-CVE-2017-5225.patch deleted file mode 100644 index 3158b49360..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2017-5225.patch +++ /dev/null @@ -1,86 +0,0 @@ -Fix CVE-2017-5225 (Heap based buffer overflow in tools/tiffcp): - -http://bugzilla.maptools.org/show_bug.cgi?id=2656 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5225 -https://security-tracker.debian.org/tracker/CVE-2017-5225 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcp.c: error out cleanly in cpContig2SeparateByRow and - cpSeparate2ContigByRow if BitsPerSample != 8 to avoid heap based -overflow. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2656 and - http://bugzilla.maptools.org/show_bug.cgi?id=2657 - - -less C/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1210; previous revision: 1.1209 -/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c -new revision: 1.61; previous revision: 1.60 - -Index: libtiff/tools/tiffcp.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v -retrieving revision 1.60 -retrieving revision 1.61 -diff -u -r1.60 -r1.61 ---- libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60 -+++ libtiff/tools/tiffcp.c 11 Jan 2017 19:26:14 -0000 1.61 -#@@ -1,4 +1,4 @@ -#-/* $Id: tiffcp.c,v 1.60 2016-12-03 16:50:02 erouault Exp $ */ -#+/* $Id: tiffcp.c,v 1.61 2017-01-11 19:26:14 erouault Exp $ */ -# -# /* -# * Copyright (c) 1988-1997 Sam Leffler -@@ -591,7 +591,7 @@ - static int - tiffcp(TIFF* in, TIFF* out) - { -- uint16 bitspersample, samplesperpixel = 1; -+ uint16 bitspersample = 1, samplesperpixel = 1; - uint16 input_compression, input_photometric = PHOTOMETRIC_MINISBLACK; - copyFunc cf; - uint32 width, length; -@@ -1067,6 +1067,16 @@ - register uint32 n; - uint32 row; - tsample_t s; -+ uint16 bps = 0; -+ -+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps != 8 ) -+ { -+ TIFFError(TIFFFileName(in), -+ "Error, can only handle BitsPerSample=8 in %s", -+ "cpContig2SeparateByRow"); -+ return 0; -+ } - - inbuf = _TIFFmalloc(scanlinesizein); - outbuf = _TIFFmalloc(scanlinesizeout); -@@ -1120,6 +1130,16 @@ - register uint32 n; - uint32 row; - tsample_t s; -+ uint16 bps = 0; -+ -+ (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps != 8 ) -+ { -+ TIFFError(TIFFFileName(in), -+ "Error, can only handle BitsPerSample=8 in %s", -+ "cpSeparate2ContigByRow"); -+ return 0; -+ } - - inbuf = _TIFFmalloc(scanlinesizein); - outbuf = _TIFFmalloc(scanlinesizeout); -@@ -1784,7 +1804,7 @@ - uint32 w, l, tw, tl; - int bychunk; - -- (void) TIFFGetField(in, TIFFTAG_PLANARCONFIG, &shortv); -+ (void) TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &shortv); - if (shortv != config && bitspersample != 8 && samplesperpixel > 1) { - fprintf(stderr, - "%s: Cannot handle different planar configuration w/ bits/sample != 8\n", diff --git a/gnu/packages/patches/libtiff-CVE-2017-7593.patch b/gnu/packages/patches/libtiff-CVE-2017-7593.patch deleted file mode 100644 index 496efb73b9..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2017-7593.patch +++ /dev/null @@ -1,113 +0,0 @@ -Fixes CVE-2017-7593 (Potential uninitialized-memory access from tif_rawdata): - -http://bugzilla.maptools.org/show_bug.cgi?id=2651 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7593 -https://security-tracker.debian.org/tracker/CVE-2017-7593 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tiffio.h, tif_unix.c, tif_win32.c, tif_vms.c: add - _TIFFcalloc() - - * libtiff/tif_read.c: TIFFReadBufferSetup(): use _TIFFcalloc() to zero - initialize tif_rawdata. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2651 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1208; previous revision: 1.1207 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c -new revision: 1.53; previous revision: 1.52 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_unix.c,v <-- libtiff/tif_unix.c -new revision: 1.28; previous revision: 1.27 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_vms.c,v <-- libtiff/tif_vms.c -new revision: 1.14; previous revision: 1.13 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_win32.c,v <-- libtiff/tif_win32.c -new revision: 1.42; previous revision: 1.41 -/cvs/maptools/cvsroot/libtiff/libtiff/tiffio.h,v <-- libtiff/tiffio.h -new revision: 1.94; previous revision: 1.93 - -diff -ru tiff-4.0.7/libtiff/tiffio.h tiff-4.0.7.new/libtiff/tiffio.h ---- tiff-4.0.7/libtiff/tiffio.h 1969-12-31 19:00:00.000000000 -0500 -+++ tiff-4.0.7.new/libtiff/tiffio.h 2017-05-05 19:08:03.772999790 -0400 -@@ -1,4 +1,4 @@ --/* $Id: tiffio.h,v 1.92 2016-01-23 21:20:34 erouault Exp $ */ -+/* $Id: tiffio.h,v 1.94 2017-01-11 19:02:49 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -293,6 +293,7 @@ - */ - - extern void* _TIFFmalloc(tmsize_t s); -+extern void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz); - extern void* _TIFFrealloc(void* p, tmsize_t s); - extern void _TIFFmemset(void* p, int v, tmsize_t c); - extern void _TIFFmemcpy(void* d, const void* s, tmsize_t c); -diff -ru tiff-4.0.7/libtiff/tif_read.c tiff-4.0.7.new/libtiff/tif_read.c ---- tiff-4.0.7/libtiff/tif_read.c 2017-05-05 19:04:09.740966642 -0400 -+++ tiff-4.0.7.new/libtiff/tif_read.c 2017-05-05 18:59:11.070709441 -0400 -@@ -1,4 +1,4 @@ --/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */ -+/* $Id: tif_read.c,v 1.53 2017-01-11 19:02:49 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -976,7 +976,9 @@ - "Invalid buffer size"); - return (0); - } -- tif->tif_rawdata = (uint8*) _TIFFmalloc(tif->tif_rawdatasize); -+ /* Initialize to zero to avoid uninitialized buffers in case of */ -+ /* short reads (http://bugzilla.maptools.org/show_bug.cgi?id=2651) */ -+ tif->tif_rawdata = (uint8*) _TIFFcalloc(1, tif->tif_rawdatasize); - tif->tif_flags |= TIFF_MYBUFFER; - } - if (tif->tif_rawdata == NULL) { -diff -ru tiff-4.0.7/libtiff/tif_unix.c tiff-4.0.7.new/libtiff/tif_unix.c ---- tiff-4.0.7/libtiff/tif_unix.c 1969-12-31 19:00:00.000000000 -0500 -+++ tiff-4.0.7.new/libtiff/tif_unix.c 2017-05-05 19:10:48.302645187 -0400 -@@ -1,4 +1,4 @@ --/* $Id: tif_unix.c,v 1.27 2015-08-19 02:31:04 bfriesen Exp $ */ -+/* $Id: tif_unix.c,v 1.28 2017-01-11 19:02:49 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -316,6 +316,14 @@ - return (malloc((size_t) s)); - } - -+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) -+{ -+ if( nmemb == 0 || siz == 0 ) -+ return ((void *) NULL); -+ -+ return calloc((size_t) nmemb, (size_t)siz); -+} -+ - void - _TIFFfree(void* p) - { -diff -ru tiff-4.0.7/libtiff/tif_win32.c tiff-4.0.7.new/libtiff/tif_win32.c ---- tiff-4.0.7/libtiff/tif_win32.c 1969-12-31 19:00:00.000000000 -0500 -+++ tiff-4.0.7.new/libtiff/tif_win32.c 2017-05-05 19:13:06.903399627 -0400 -@@ -1,4 +1,4 @@ --/* $Id: tif_win32.c,v 1.41 2015-08-23 20:12:44 bfriesen Exp $ */ -+/* $Id: tif_win32.c,v 1.42 2017-01-11 19:02:49 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -360,6 +360,14 @@ - return (malloc((size_t) s)); - } - -+void* _TIFFcalloc(tmsize_t nmemb, tmsize_t siz) -+{ -+ if( nmemb == 0 || siz == 0 ) -+ return ((void *) NULL); -+ -+ return calloc((size_t) nmemb, (size_t)siz); -+} -+ - void - _TIFFfree(void* p) - { diff --git a/gnu/packages/patches/libtiff-CVE-2017-7594.patch b/gnu/packages/patches/libtiff-CVE-2017-7594.patch deleted file mode 100644 index d17997d447..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2017-7594.patch +++ /dev/null @@ -1,54 +0,0 @@ -Fixes CVE-2017-7594 (Direct leak in tif_ojpeg.c): - -http://bugzilla.maptools.org/show_bug.cgi?id=2659 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7594 -https://security-tracker.debian.org/tracker/CVE-2017-7594 - -2017-01-12 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable - when read fails. - Patch by Nicolás Peña. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1212; previous revision: 1.1211 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c -new revision: 1.67; previous revision: 1.66 - -Index: libtiff/libtiff/tif_ojpeg.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v -retrieving revision 1.67 -retrieving revision 1.68 -diff -u -r1.67 -r1.68 ---- libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 17:43:26 -0000 1.67 -+++ libtiff/libtiff/tif_ojpeg.c 12 Jan 2017 19:23:20 -0000 1.68 -@@ -1,4 +1,4 @@ --/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */ -+/* $Id: tif_ojpeg.c,v 1.68 2017-01-12 19:23:20 erouault Exp $ */ - - /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0 - specification is now totally obsolete and deprecated for new applications and -@@ -1790,7 +1790,10 @@ - TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET); - p=(uint32)TIFFReadFile(tif,&ob[sizeof(uint32)+5],64); - if (p!=64) -+ { -+ _TIFFfree(ob); - return(0); -+ } - sp->qtable[m]=ob; - sp->sof_tq[m]=m; - } -@@ -1854,7 +1857,10 @@ - rb[sizeof(uint32)+5+n]=o[n]; - p=(uint32)TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q); - if (p!=q) -+ { -+ _TIFFfree(rb); - return(0); -+ } - sp->dctable[m]=rb; - sp->sos_tda[m]=(m<<4); - } diff --git a/gnu/packages/patches/libtiff-assertion-failure.patch b/gnu/packages/patches/libtiff-assertion-failure.patch deleted file mode 100644 index ef747fbdd7..0000000000 --- a/gnu/packages/patches/libtiff-assertion-failure.patch +++ /dev/null @@ -1,60 +0,0 @@ -Fix assertion failure in readSeparateTilesIntoBuffer(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2605 - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcp.c: replace assert( (bps % 8) == 0 ) by a non assert -check. - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2605 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1188; previous revision: 1.1187 -/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c -new revision: 1.60; previous revision: 1.59 - -Index: libtiff/tools/tiffcp.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v -retrieving revision 1.59 -retrieving revision 1.60 -diff -u -r1.59 -r1.60 ---- libtiff/tools/tiffcp.c 3 Dec 2016 16:40:01 -0000 1.59 -+++ libtiff/tools/tiffcp.c 3 Dec 2016 16:50:02 -0000 1.60 -@@ -45,7 +45,6 @@ - #include <string.h> - - #include <ctype.h> --#include <assert.h> - - #ifdef HAVE_UNISTD_H - # include <unistd.h> -@@ -1393,7 +1392,12 @@ - status = 0; - goto done; - } -- assert( bps % 8 == 0 ); -+ if( (bps % 8) != 0 ) -+ { -+ TIFFError(TIFFFileName(in), "Error, cannot handle BitsPerSample that is not a multiple of 8"); -+ status = 0; -+ goto done; -+ } - bytes_per_sample = bps/8; - - for (row = 0; row < imagelength; row += tl) { -@@ -1584,7 +1588,12 @@ - _TIFFfree(obuf); - return 0; - } -- assert( bps % 8 == 0 ); -+ if( (bps % 8) != 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); -+ _TIFFfree(obuf); -+ return 0; -+ } - bytes_per_sample = bps/8; - - for (row = 0; row < imagelength; row += tl) { diff --git a/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch b/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch deleted file mode 100644 index 2a96b68521..0000000000 --- a/gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch +++ /dev/null @@ -1,63 +0,0 @@ -Fix divide-by-zero in OJPEGDecodeRaw(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2611 - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_ojpeg.c: make OJPEGDecode() early exit in case of failure -in - OJPEGPreDecode(). This will avoid a divide by zero, and potential other -issues. - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2611 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1177; previous revision: 1.1176 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c -new revision: 1.66; previous revision: 1.65 - -Index: libtiff/libtiff/tif_ojpeg.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v -retrieving revision 1.65 -retrieving revision 1.66 -diff -u -r1.65 -r1.66 ---- libtiff/libtiff/tif_ojpeg.c 4 Sep 2016 21:32:56 -0000 1.65 -+++ libtiff/libtiff/tif_ojpeg.c 3 Dec 2016 11:15:18 -0000 1.66 -@@ -1,4 +1,4 @@ --/* $Id: tif_ojpeg.c,v 1.65 2016-09-04 21:32:56 erouault Exp $ */ -+/* $Id: tif_ojpeg.c,v 1.66 2016-12-03 11:15:18 erouault Exp $ */ - - /* WARNING: The type of JPEG encapsulation defined by the TIFF Version 6.0 - specification is now totally obsolete and deprecated for new applications and -@@ -244,6 +244,7 @@ - - typedef struct { - TIFF* tif; -+ int decoder_ok; - #ifndef LIBJPEG_ENCAP_EXTERNAL - JMP_BUF exit_jmpbuf; - #endif -@@ -722,6 +723,7 @@ - } - sp->write_curstrile++; - } -+ sp->decoder_ok = 1; - return(1); - } - -@@ -784,8 +786,14 @@ - static int - OJPEGDecode(TIFF* tif, uint8* buf, tmsize_t cc, uint16 s) - { -+ static const char module[]="OJPEGDecode"; - OJPEGState* sp=(OJPEGState*)tif->tif_data; - (void)s; -+ if( !sp->decoder_ok ) -+ { -+ TIFFErrorExt(tif->tif_clientdata,module,"Cannot decode: decoder not correctly initialized"); -+ return 0; -+ } - if (sp->libjpeg_jpeg_query_style==0) - { - if (OJPEGDecodeRaw(tif,buf,cc)==0) diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch deleted file mode 100644 index d3f1c2b60e..0000000000 --- a/gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch +++ /dev/null @@ -1,104 +0,0 @@ -Fix two divide-by-zero bugs in readSeparateTilesIntoBuffer(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2597 -http://bugzilla.maptools.org/show_bug.cgi?id=2607 - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples -tag is - missing. - Reported by Agostino sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2597 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1183; previous revision: 1.1182 -/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c -new revision: 1.57; previous revision: 1.56 - -Index: libtiff/tools/tiffcp.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v -retrieving revision 1.56 -retrieving revision 1.57 -diff -u -r1.56 -r1.57 ---- libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56 -+++ libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57 -@@ -1,4 +1,4 @@ --/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */ -+/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -1378,7 +1378,7 @@ - uint8* bufp = (uint8*) buf; - uint32 tw, tl; - uint32 row; -- uint16 bps, bytes_per_sample; -+ uint16 bps = 0, bytes_per_sample; - - tilebuf = _TIFFmalloc(tilesize); - if (tilebuf == 0) -@@ -1387,6 +1387,12 @@ - (void) TIFFGetField(in, TIFFTAG_TILEWIDTH, &tw); - (void) TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); - (void) TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps == 0 ) -+ { -+ TIFFError(TIFFFileName(in), "Error, cannot read BitsPerSample"); -+ status = 0; -+ goto done; -+ } - assert( bps % 8 == 0 ); - bytes_per_sample = bps/8; - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcp.c: avoid potential division by zero is BitsPerSamples -tag is - missing. - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2607 - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1186; previous revision: 1.1185 -/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c -new revision: 1.58; previous revision: 1.57 - -Index: libtiff/tools/tiffcp.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v -retrieving revision 1.57 -retrieving revision 1.58 -diff -u -r1.57 -r1.58 ---- libtiff/tools/tiffcp.c 3 Dec 2016 14:42:40 -0000 1.57 -+++ libtiff/tools/tiffcp.c 3 Dec 2016 15:44:15 -0000 1.58 -@@ -1,4 +1,4 @@ --/* $Id: tiffcp.c,v 1.57 2016-12-03 14:42:40 erouault Exp $ */ -+/* $Id: tiffcp.c,v 1.58 2016-12-03 15:44:15 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -1569,7 +1569,7 @@ - uint8* bufp = (uint8*) buf; - uint32 tl, tw; - uint32 row; -- uint16 bps, bytes_per_sample; -+ uint16 bps = 0, bytes_per_sample; - - obuf = _TIFFmalloc(TIFFTileSize(out)); - if (obuf == NULL) -@@ -1578,6 +1578,12 @@ - (void) TIFFGetField(out, TIFFTAG_TILELENGTH, &tl); - (void) TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw); - (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); -+ if( bps == 0 ) -+ { -+ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); -+ _TIFFfree(obuf); -+ return 0; -+ } - assert( bps % 8 == 0 ); - bytes_per_sample = bps/8; - diff --git a/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch b/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch deleted file mode 100644 index 823293f1cf..0000000000 --- a/gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch +++ /dev/null @@ -1,57 +0,0 @@ -Fix divide-by-zero in readSeparateStripsIntoBuffer(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2619 - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcrop.c: fix integer division by zero when BitsPerSample is -missing. - Reported by Agostina Sarubo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2619 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1180; previous revision: 1.1179 -/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c -new revision: 1.49; previous revision: 1.48 - -Index: libtiff/tools/tiffcrop.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v -retrieving revision 1.48 -retrieving revision 1.49 -diff -u -r1.48 -r1.49 ---- libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48 -+++ libtiff/tools/tiffcrop.c 3 Dec 2016 13:00:04 -0000 1.49 -@@ -1,4 +1,4 @@ --/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */ -+/* $Id: tiffcrop.c,v 1.49 2016-12-03 13:00:04 erouault Exp $ */ - - /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of - * the image data through additional options listed below -@@ -1164,7 +1164,7 @@ - tdata_t obuf; - - (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); -- (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); -+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_BITSPERSAMPLE, &bps); - bytes_per_sample = (bps + 7) / 8; - if( width == 0 || - (uint32)bps * (uint32)spp > TIFF_UINT32_MAX / width || -@@ -4760,7 +4760,7 @@ - int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; - uint32 j; - int32 bytes_read = 0; -- uint16 bps, planar; -+ uint16 bps = 0, planar; - uint32 nstrips; - uint32 strips_per_sample; - uint32 src_rowsize, dst_rowsize, rows_processed, rps; -@@ -4780,7 +4780,7 @@ - } - - memset (srcbuffs, '\0', sizeof(srcbuffs)); -- TIFFGetField(in, TIFFTAG_BITSPERSAMPLE, &bps); -+ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); - TIFFGetFieldDefaulted(in, TIFFTAG_PLANARCONFIG, &planar); - TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); - if (rps > length) diff --git a/gnu/packages/patches/libtiff-divide-by-zero.patch b/gnu/packages/patches/libtiff-divide-by-zero.patch deleted file mode 100644 index 6dbd4666cd..0000000000 --- a/gnu/packages/patches/libtiff-divide-by-zero.patch +++ /dev/null @@ -1,67 +0,0 @@ -Fix an integer overflow in TIFFReadEncodedStrip() that led to division-by-zero: - -http://bugzilla.maptools.org/show_bug.cgi?id=2596 - -2016-12-02 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_read.c, libtiff/tiffiop.h: fix uint32 overflow in - TIFFReadEncodedStrip() that caused an integer division by zero. - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2596 - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1173; previous revision: 1.1172 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c -new revision: 1.50; previous revision: 1.49 -/cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v <-- libtiff/tiffiop.h -new revision: 1.90; previous revision: 1.89 - -Index: libtiff/libtiff/tif_read.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v -retrieving revision 1.49 -retrieving revision 1.50 -diff -u -r1.49 -r1.50 ---- libtiff/libtiff/tif_read.c 10 Jul 2016 18:00:21 -0000 1.49 -+++ libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50 -@@ -1,4 +1,4 @@ --/* $Id: tif_read.c,v 1.49 2016-07-10 18:00:21 erouault Exp $ */ -+/* $Id: tif_read.c,v 1.50 2016-12-02 21:56:56 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -346,7 +346,7 @@ - rowsperstrip=td->td_rowsperstrip; - if (rowsperstrip>td->td_imagelength) - rowsperstrip=td->td_imagelength; -- stripsperplane=((td->td_imagelength+rowsperstrip-1)/rowsperstrip); -+ stripsperplane= TIFFhowmany_32_maxuint_compat(td->td_imagelength, rowsperstrip); - stripinplane=(strip%stripsperplane); - plane=(uint16)(strip/stripsperplane); - rows=td->td_imagelength-stripinplane*rowsperstrip; -Index: libtiff/libtiff/tiffiop.h -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tiffiop.h,v -retrieving revision 1.89 -retrieving revision 1.90 -diff -u -r1.89 -r1.90 ---- libtiff/libtiff/tiffiop.h 23 Jan 2016 21:20:34 -0000 1.89 -+++ libtiff/libtiff/tiffiop.h 2 Dec 2016 21:56:56 -0000 1.90 -@@ -1,4 +1,4 @@ --/* $Id: tiffiop.h,v 1.89 2016-01-23 21:20:34 erouault Exp $ */ -+/* $Id: tiffiop.h,v 1.90 2016-12-02 21:56:56 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -250,6 +250,10 @@ - #define TIFFhowmany_32(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ - ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ - 0U) -+/* Variant of TIFFhowmany_32() that doesn't return 0 if x close to MAXUINT. */ -+/* Caution: TIFFhowmany_32_maxuint_compat(x,y)*y might overflow */ -+#define TIFFhowmany_32_maxuint_compat(x, y) \ -+ (((uint32)(x) / (uint32)(y)) + ((((uint32)(x) % (uint32)(y)) != 0) ? 1 : 0)) - #define TIFFhowmany8_32(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) - #define TIFFroundup_32(x, y) (TIFFhowmany_32(x,y)*(y)) - #define TIFFhowmany_64(x, y) ((((uint64)(x))+(((uint64)(y))-1))/((uint64)(y))) diff --git a/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch b/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch deleted file mode 100644 index 2d5e23586d..0000000000 --- a/gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch +++ /dev/null @@ -1,131 +0,0 @@ -Fix heap-based buffer overflow in _TIFFmemcpy(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2604 - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_pixarlog.c, libtiff/tif_luv.c: fix heap-based buffer - overflow on generation of PixarLog / LUV compressed files, with - ColorMap, TransferFunction attached and nasty plays with bitspersample. - The fix for LUV has not been tested, but suffers from the same kind - of issue of PixarLog. - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2604 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1175; previous revision: 1.1174 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v <-- libtiff/tif_luv.c -new revision: 1.44; previous revision: 1.43 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v <-- -libtiff/tif_pixarlog.c -new revision: 1.49; previous revision: 1.48 - -Index: libtiff/libtiff/tif_luv.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_luv.c,v -retrieving revision 1.43 -retrieving revision 1.44 -diff -u -r1.43 -r1.44 ---- libtiff/libtiff/tif_luv.c 4 Sep 2016 21:32:56 -0000 1.43 -+++ libtiff/libtiff/tif_luv.c 2 Dec 2016 23:05:51 -0000 1.44 -@@ -1,4 +1,4 @@ --/* $Id: tif_luv.c,v 1.43 2016-09-04 21:32:56 erouault Exp $ */ -+/* $Id: tif_luv.c,v 1.44 2016-12-02 23:05:51 erouault Exp $ */ - - /* - * Copyright (c) 1997 Greg Ward Larson -@@ -158,6 +158,7 @@ - typedef struct logLuvState LogLuvState; - - struct logLuvState { -+ int encoder_state; /* 1 if encoder correctly initialized */ - int user_datafmt; /* user data format */ - int encode_meth; /* encoding method */ - int pixel_size; /* bytes per pixel */ -@@ -1552,6 +1553,7 @@ - td->td_photometric, "must be either LogLUV or LogL"); - break; - } -+ sp->encoder_state = 1; - return (1); - notsupported: - TIFFErrorExt(tif->tif_clientdata, module, -@@ -1563,19 +1565,27 @@ - static void - LogLuvClose(TIFF* tif) - { -+ LogLuvState* sp = (LogLuvState*) tif->tif_data; - TIFFDirectory *td = &tif->tif_dir; - -+ assert(sp != 0); - /* - * For consistency, we always want to write out the same - * bitspersample and sampleformat for our TIFF file, - * regardless of the data format being used by the application. - * Since this routine is called after tags have been set but - * before they have been recorded in the file, we reset them here. -+ * Note: this is really a nasty approach. See PixarLogClose - */ -- td->td_samplesperpixel = -- (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; -- td->td_bitspersample = 16; -- td->td_sampleformat = SAMPLEFORMAT_INT; -+ if( sp->encoder_state ) -+ { -+ /* See PixarLogClose. Might avoid issues with tags whose size depends -+ * on those below, but not completely sure this is enough. */ -+ td->td_samplesperpixel = -+ (td->td_photometric == PHOTOMETRIC_LOGL) ? 1 : 3; -+ td->td_bitspersample = 16; -+ td->td_sampleformat = SAMPLEFORMAT_INT; -+ } - } - - static void -Index: libtiff/libtiff/tif_pixarlog.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v -retrieving revision 1.48 -retrieving revision 1.49 -diff -u -r1.48 -r1.49 ---- libtiff/libtiff/tif_pixarlog.c 23 Sep 2016 22:12:18 -0000 1.48 -+++ libtiff/libtiff/tif_pixarlog.c 2 Dec 2016 23:05:51 -0000 1.49 -@@ -1,4 +1,4 @@ --/* $Id: tif_pixarlog.c,v 1.48 2016-09-23 22:12:18 erouault Exp $ */ -+/* $Id: tif_pixarlog.c,v 1.49 2016-12-02 23:05:51 erouault Exp $ */ - - /* - * Copyright (c) 1996-1997 Sam Leffler -@@ -1233,8 +1233,10 @@ - static void - PixarLogClose(TIFF* tif) - { -+ PixarLogState* sp = (PixarLogState*) tif->tif_data; - TIFFDirectory *td = &tif->tif_dir; - -+ assert(sp != 0); - /* In a really sneaky (and really incorrect, and untruthful, and - * troublesome, and error-prone) maneuver that completely goes against - * the spirit of TIFF, and breaks TIFF, on close, we covertly -@@ -1243,8 +1245,19 @@ - * readers that don't know about PixarLog, or how to set - * the PIXARLOGDATFMT pseudo-tag. - */ -- td->td_bitspersample = 8; -- td->td_sampleformat = SAMPLEFORMAT_UINT; -+ -+ if (sp->state&PLSTATE_INIT) { -+ /* We test the state to avoid an issue such as in -+ * http://bugzilla.maptools.org/show_bug.cgi?id=2604 -+ * What appends in that case is that the bitspersample is 1 and -+ * a TransferFunction is set. The size of the TransferFunction -+ * depends on 1<<bitspersample. So if we increase it, an access -+ * out of the buffer will happen at directory flushing. -+ * Another option would be to clear those targs. -+ */ -+ td->td_bitspersample = 8; -+ td->td_sampleformat = SAMPLEFORMAT_UINT; -+ } - } - - static void diff --git a/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch b/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch deleted file mode 100644 index 68889b121b..0000000000 --- a/gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch +++ /dev/null @@ -1,132 +0,0 @@ -Fix heap-based buffer overflow in TIFFFillStrip(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2608 - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_dirread.c: modify ChopUpSingleUncompressedStrip() to - instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, -rowsperstrip), - instead of a logic based on the total size of data. Which is faulty is - the total size of data is not sufficient to fill the whole image, and -thus - results in reading outside of the StripByCounts/StripOffsets arrays -when - using TIFFReadScanline(). - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2608. - - * libtiff/tif_strip.c: revert the change in TIFFNumberOfStrips() done - for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 -since - the above change is a better fix that makes it unnecessary. - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1176; previous revision: 1.1175 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- -libtiff/tif_dirread.c -new revision: 1.205; previous revision: 1.204 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v <-- libtiff/tif_strip.c -new revision: 1.38; previous revision: 1.37 - -Index: libtiff/libtiff/tif_dirread.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v -retrieving revision 1.204 -retrieving revision 1.205 -diff -u -r1.204 -r1.205 ---- libtiff/libtiff/tif_dirread.c 16 Nov 2016 15:14:15 -0000 1.204 -+++ libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205 -@@ -1,4 +1,4 @@ --/* $Id: tif_dirread.c,v 1.204 2016-11-16 15:14:15 erouault Exp $ */ -+/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -5502,8 +5502,7 @@ - uint64 rowblockbytes; - uint64 stripbytes; - uint32 strip; -- uint64 nstrips64; -- uint32 nstrips32; -+ uint32 nstrips; - uint32 rowsperstrip; - uint64* newcounts; - uint64* newoffsets; -@@ -5534,18 +5533,17 @@ - return; - - /* -- * never increase the number of strips in an image -+ * never increase the number of rows per strip - */ - if (rowsperstrip >= td->td_rowsperstrip) - return; -- nstrips64 = TIFFhowmany_64(bytecount, stripbytes); -- if ((nstrips64==0)||(nstrips64>0xFFFFFFFF)) /* something is wonky, do nothing. */ -- return; -- nstrips32 = (uint32)nstrips64; -+ nstrips = TIFFhowmany_32(td->td_imagelength, rowsperstrip); -+ if( nstrips == 0 ) -+ return; - -- newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), -+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), - "for chopped \"StripByteCounts\" array"); -- newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips32, sizeof (uint64), -+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), - "for chopped \"StripOffsets\" array"); - if (newcounts == NULL || newoffsets == NULL) { - /* -@@ -5562,18 +5560,18 @@ - * Fill the strip information arrays with new bytecounts and offsets - * that reflect the broken-up format. - */ -- for (strip = 0; strip < nstrips32; strip++) { -+ for (strip = 0; strip < nstrips; strip++) { - if (stripbytes > bytecount) - stripbytes = bytecount; - newcounts[strip] = stripbytes; -- newoffsets[strip] = offset; -+ newoffsets[strip] = stripbytes ? offset : 0; - offset += stripbytes; - bytecount -= stripbytes; - } - /* - * Replace old single strip info with multi-strip info. - */ -- td->td_stripsperimage = td->td_nstrips = nstrips32; -+ td->td_stripsperimage = td->td_nstrips = nstrips; - TIFFSetField(tif, TIFFTAG_ROWSPERSTRIP, rowsperstrip); - - _TIFFfree(td->td_stripbytecount); -Index: libtiff/libtiff/tif_strip.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v -retrieving revision 1.37 -retrieving revision 1.38 -diff -u -r1.37 -r1.38 ---- libtiff/libtiff/tif_strip.c 9 Nov 2016 23:00:49 -0000 1.37 -+++ libtiff/libtiff/tif_strip.c 3 Dec 2016 11:02:15 -0000 1.38 -@@ -1,4 +1,4 @@ --/* $Id: tif_strip.c,v 1.37 2016-11-09 23:00:49 erouault Exp $ */ -+/* $Id: tif_strip.c,v 1.38 2016-12-03 11:02:15 erouault Exp $ */ - - /* - * Copyright (c) 1991-1997 Sam Leffler -@@ -63,15 +63,6 @@ - TIFFDirectory *td = &tif->tif_dir; - uint32 nstrips; - -- /* If the value was already computed and store in td_nstrips, then return it, -- since ChopUpSingleUncompressedStrip might have altered and resized the -- since the td_stripbytecount and td_stripoffset arrays to the new value -- after the initial affectation of td_nstrips = TIFFNumberOfStrips() in -- tif_dirread.c ~line 3612. -- See http://bugzilla.maptools.org/show_bug.cgi?id=2587 */ -- if( td->td_nstrips ) -- return td->td_nstrips; -- - nstrips = (td->td_rowsperstrip == (uint32) -1 ? 1 : - TIFFhowmany_32(td->td_imagelength, td->td_rowsperstrip)); - if (td->td_planarconfig == PLANARCONFIG_SEPARATE) diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch deleted file mode 100644 index f0fef08bf3..0000000000 --- a/gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch +++ /dev/null @@ -1,67 +0,0 @@ -Fix heap buffer overflow in tiffcp when parsing number of inks: - -http://bugzilla.maptools.org/show_bug.cgi?id=2599 - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * tools/tif_dir.c: when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is -called, - limit the return number of inks to SamplesPerPixel, so that code that -parses - ink names doesn't go past the end of the buffer. - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1184; previous revision: 1.1183 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c -new revision: 1.128; previous revision: 1.127 - -Index: libtiff/libtiff/tif_dir.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v -retrieving revision 1.127 -retrieving revision 1.128 -diff -u -r1.127 -r1.128 ---- libtiff/libtiff/tif_dir.c 25 Oct 2016 21:35:15 -0000 1.127 -+++ libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128 -@@ -1,4 +1,4 @@ --/* $Id: tif_dir.c,v 1.127 2016-10-25 21:35:15 erouault Exp $ */ -+/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -854,6 +854,32 @@ - if( fip == NULL ) /* cannot happen since TIFFGetField() already checks it */ - return 0; - -+ if( tag == TIFFTAG_NUMBEROFINKS ) -+ { -+ int i; -+ for (i = 0; i < td->td_customValueCount; i++) { -+ uint16 val; -+ TIFFTagValue *tv = td->td_customValues + i; -+ if (tv->info->field_tag != tag) -+ continue; -+ val = *(uint16 *)tv->value; -+ /* Truncate to SamplesPerPixel, since the */ -+ /* setting code for INKNAMES assume that there are SamplesPerPixel */ -+ /* inknames. */ -+ /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ -+ if( val > td->td_samplesperpixel ) -+ { -+ TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", -+ "Truncating NumberOfInks from %u to %u", -+ val, td->td_samplesperpixel); -+ val = td->td_samplesperpixel; -+ } -+ *va_arg(ap, uint16*) = val; -+ return 1; -+ } -+ return 0; -+ } -+ - /* - * We want to force the custom code to be used for custom - * fields even if the tag happens to match a well known diff --git a/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch b/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch deleted file mode 100644 index 8166c55758..0000000000 --- a/gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch +++ /dev/null @@ -1,60 +0,0 @@ -Fix heap-based buffer overflow in combineSeparateSamples16bits(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2621 - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcrop.c: add 3 extra bytes at end of strip buffer in - readSeparateStripsIntoBuffer() to avoid read outside of heap allocated -buffer. - Reported by Agostina Sarubo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2621 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1179; previous revision: 1.1178 -/cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v <-- tools/tiffcrop.c -new revision: 1.48; previous revision: 1.47 - -Index: libtiff/tools/tiffcrop.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v -retrieving revision 1.47 -retrieving revision 1.48 -diff -u -r1.47 -r1.48 ---- libtiff/tools/tiffcrop.c 3 Dec 2016 11:35:56 -0000 1.47 -+++ libtiff/tools/tiffcrop.c 3 Dec 2016 12:19:32 -0000 1.48 -@@ -1,4 +1,4 @@ --/* $Id: tiffcrop.c,v 1.47 2016-12-03 11:35:56 erouault Exp $ */ -+/* $Id: tiffcrop.c,v 1.48 2016-12-03 12:19:32 erouault Exp $ */ - - /* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of - * the image data through additional options listed below -@@ -4815,10 +4815,17 @@ - nstrips = TIFFNumberOfStrips(in); - strips_per_sample = nstrips /spp; - -+ /* Add 3 padding bytes for combineSeparateSamples32bits */ -+ if( (size_t) stripsize > 0xFFFFFFFFU - 3U ) -+ { -+ TIFFError("readSeparateStripsIntoBuffer", "Integer overflow when calculating buffer size."); -+ exit(-1); -+ } -+ - for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - srcbuffs[s] = NULL; -- buff = _TIFFmalloc(stripsize); -+ buff = _TIFFmalloc(stripsize + 3); - if (!buff) - { - TIFFError ("readSeparateStripsIntoBuffer", -@@ -4827,6 +4834,9 @@ - _TIFFfree (srcbuffs[i]); - return 0; - } -+ buff[stripsize] = 0; -+ buff[stripsize+1] = 0; -+ buff[stripsize+2] = 0; - srcbuffs[s] = buff; - } - diff --git a/gnu/packages/patches/libtiff-invalid-read.patch b/gnu/packages/patches/libtiff-invalid-read.patch deleted file mode 100644 index 92742d8757..0000000000 --- a/gnu/packages/patches/libtiff-invalid-read.patch +++ /dev/null @@ -1,64 +0,0 @@ -Fix invalid read in t2p_writeproc(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2639 - -2016-12-20 Even Rouault <even.rouault at spatialys.com> - - * tools/tiff2pdf.c: avoid potential invalid memory read in - t2p_writeproc. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2639 - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1198; previous revision: 1.1197 -/cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v <-- tools/tiff2pdf.c -new revision: 1.100; previous revision: 1.99 - -Index: libtiff/tools/tiff2pdf.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2pdf.c,v -retrieving revision 1.99 -retrieving revision 1.100 -diff -u -r1.99 -r1.100 ---- libtiff/tools/tiff2pdf.c 20 Dec 2016 17:13:26 -0000 1.99 -+++ libtiff/tools/tiff2pdf.c 20 Dec 2016 17:24:35 -0000 1.100 -@@ -2896,6 +2896,7 @@ - } - if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) { - if (count >= 4) { -+ int retTIFFReadRawTile; - /* Ignore EOI marker of JpegTables */ - _TIFFmemcpy(buffer, jpt, count - 2); - bufferoffset += count - 2; -@@ -2903,22 +2904,23 @@ - table_end[0] = buffer[bufferoffset-2]; - table_end[1] = buffer[bufferoffset-1]; - xuint32 = bufferoffset; -- bufferoffset -= 2; -- bufferoffset += TIFFReadRawTile( -+ bufferoffset -= 2; -+ retTIFFReadRawTile= TIFFReadRawTile( - input, - tile, - (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), - -1); -+ if( retTIFFReadRawTile < 0 ) -+ { -+ _TIFFfree(buffer); -+ t2p->t2p_error = T2P_ERR_ERROR; -+ return(0); -+ } -+ bufferoffset += retTIFFReadRawTile; - /* Overwrite SOI marker of image scan with previously */ - /* saved end of JpegTables */ - buffer[xuint32-2]=table_end[0]; - buffer[xuint32-1]=table_end[1]; -- } else { -- bufferoffset += TIFFReadRawTile( -- input, -- tile, -- (tdata_t) &(((unsigned char*)buffer)[bufferoffset]), -- -1); - } - } - t2pWriteFile(output, (tdata_t) buffer, bufferoffset); diff --git a/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch b/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch deleted file mode 100644 index 2f4509f386..0000000000 --- a/gnu/packages/patches/libtiff-multiple-UBSAN-crashes.patch +++ /dev/null @@ -1,449 +0,0 @@ -Fixes CVE-2017-{7595,7596,7597,7598,7599,7600,7601,7602}: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7595 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7596 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7597 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7598 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7599 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7600 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7601 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7602 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_dir.c, tif_dirread.c, tif_dirwrite.c: implement various - clampings - of double to other data types to avoid undefined behaviour if the - output range - isn't big enough to hold the input value. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2643 - http://bugzilla.maptools.org/show_bug.cgi?id=2642 - http://bugzilla.maptools.org/show_bug.cgi?id=2646 - http://bugzilla.maptools.org/show_bug.cgi?id=2647 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1204; previous revision: 1.1203 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v <-- libtiff/tif_dir.c -new revision: 1.129; previous revision: 1.128 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c -new revision: 1.207; previous revision: 1.206 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v <-- libtiff/tif_dirwrite.c -new revision: 1.85; previous revision: 1.84 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_dirread.c: avoid division by floating point 0 in - TIFFReadDirEntryCheckedRational() and - TIFFReadDirEntryCheckedSrational(), - and return 0 in that case (instead of infinity as before presumably) - Apparently some sanitizers do not like those divisions by zero. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2644 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1203; previous revision: 1.1202 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v <-- libtiff/tif_dirread.c -new revision: 1.206; previous revision: 1.205 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_jpeg.c: validate BitsPerSample in JPEGSetupEncode() to - avoid undefined behaviour caused by invalid shift exponent. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2648 - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1205; previous revision: 1.1204 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v <-- libtiff/tif_jpeg.c -new revision: 1.126; previous revision: 1.125 - -2017-01-11 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_read.c: avoid potential undefined behaviour on signed - integer addition in TIFFReadRawStrip1() in isMapped() case. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2650 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1206; previous revision: 1.1205 -/cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v <-- libtiff/tif_read.c -new revision: 1.51; previous revision: 1.50 - -Index: libtiff/libtiff/tif_dir.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dir.c,v -retrieving revision 1.128 -retrieving revision 1.129 -diff -u -r1.128 -r1.129 ---- libtiff/libtiff/tif_dir.c 3 Dec 2016 15:30:31 -0000 1.128 -+++ libtiff/libtiff/tif_dir.c 11 Jan 2017 16:09:02 -0000 1.129 -@@ -1,4 +1,4 @@ --/* $Id: tif_dir.c,v 1.128 2016-12-03 15:30:31 erouault Exp $ */ -+/* $Id: tif_dir.c,v 1.129 2017-01-11 16:09:02 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -31,6 +31,7 @@ - * (and also some miscellaneous stuff) - */ - #include "tiffiop.h" -+#include <float.h> - - /* - * These are used in the backwards compatibility code... -@@ -154,6 +155,15 @@ - return (0); - } - -+static float TIFFClampDoubleToFloat( double val ) -+{ -+ if( val > FLT_MAX ) -+ return FLT_MAX; -+ if( val < -FLT_MAX ) -+ return -FLT_MAX; -+ return (float)val; -+} -+ - static int - _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) - { -@@ -312,13 +322,13 @@ - dblval = va_arg(ap, double); - if( dblval < 0 ) - goto badvaluedouble; -- td->td_xresolution = (float) dblval; -+ td->td_xresolution = TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_YRESOLUTION: - dblval = va_arg(ap, double); - if( dblval < 0 ) - goto badvaluedouble; -- td->td_yresolution = (float) dblval; -+ td->td_yresolution = TIFFClampDoubleToFloat( dblval ); - break; - case TIFFTAG_PLANARCONFIG: - v = (uint16) va_arg(ap, uint16_vap); -@@ -327,10 +337,10 @@ - td->td_planarconfig = (uint16) v; - break; - case TIFFTAG_XPOSITION: -- td->td_xposition = (float) va_arg(ap, double); -+ td->td_xposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); - break; - case TIFFTAG_YPOSITION: -- td->td_yposition = (float) va_arg(ap, double); -+ td->td_yposition = TIFFClampDoubleToFloat( va_arg(ap, double) ); - break; - case TIFFTAG_RESOLUTIONUNIT: - v = (uint16) va_arg(ap, uint16_vap); -Index: libtiff/libtiff/tif_dirread.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v -retrieving revision 1.206 -retrieving revision 1.207 -diff -u -r1.206 -r1.207 ---- libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206 -+++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 16:09:02 -0000 1.207 -@@ -1,4 +1,4 @@ --/* $Id: tif_dirread.c,v 1.205 2016-12-03 11:02:15 erouault Exp $ */ -+/* $Id: tif_dirread.c,v 1.207 2017-01-11 16:09:02 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -40,6 +40,7 @@ - */ - - #include "tiffiop.h" -+#include <float.h> - - #define IGNORE 0 /* tag placeholder used below */ - #define FAILED_FII ((uint32) -1) -@@ -2406,7 +2407,14 @@ - ma=(double*)origdata; - mb=data; - for (n=0; n<count; n++) -- *mb++=(float)(*ma++); -+ { -+ double val = *ma++; -+ if( val > FLT_MAX ) -+ val = FLT_MAX; -+ else if( val < -FLT_MAX ) -+ val = -FLT_MAX; -+ *mb++=(float)val; -+ } - } - break; - } -Index: libtiff/libtiff/tif_dirwrite.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirwrite.c,v -retrieving revision 1.84 -retrieving revision 1.85 -diff -u -r1.84 -r1.85 ---- libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 12:51:59 -0000 1.84 -+++ libtiff/libtiff/tif_dirwrite.c 11 Jan 2017 16:09:02 -0000 1.85 -@@ -1,4 +1,4 @@ --/* $Id: tif_dirwrite.c,v 1.83 2016-10-25 21:35:15 erouault Exp $ */ -+/* $Id: tif_dirwrite.c,v 1.85 2017-01-11 16:09:02 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -30,6 +30,7 @@ - * Directory Write Support Routines. - */ - #include "tiffiop.h" -+#include <float.h> - - #ifdef HAVE_IEEEFP - #define TIFFCvtNativeToIEEEFloat(tif, n, fp) -@@ -939,6 +940,69 @@ - return(0); - } - -+static float TIFFClampDoubleToFloat( double val ) -+{ -+ if( val > FLT_MAX ) -+ return FLT_MAX; -+ if( val < -FLT_MAX ) -+ return -FLT_MAX; -+ return (float)val; -+} -+ -+static int8 TIFFClampDoubleToInt8( double val ) -+{ -+ if( val > 127 ) -+ return 127; -+ if( val < -128 || val != val ) -+ return -128; -+ return (int8)val; -+} -+ -+static int16 TIFFClampDoubleToInt16( double val ) -+{ -+ if( val > 32767 ) -+ return 32767; -+ if( val < -32768 || val != val ) -+ return -32768; -+ return (int16)val; -+} -+ -+static int32 TIFFClampDoubleToInt32( double val ) -+{ -+ if( val > 0x7FFFFFFF ) -+ return 0x7FFFFFFF; -+ if( val < -0x7FFFFFFF-1 || val != val ) -+ return -0x7FFFFFFF-1; -+ return (int32)val; -+} -+ -+static uint8 TIFFClampDoubleToUInt8( double val ) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 255 || val != val ) -+ return 255; -+ return (uint8)val; -+} -+ -+static uint16 TIFFClampDoubleToUInt16( double val ) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 65535 || val != val ) -+ return 65535; -+ return (uint16)val; -+} -+ -+static uint32 TIFFClampDoubleToUInt32( double val ) -+{ -+ if( val < 0 ) -+ return 0; -+ if( val > 0xFFFFFFFFU || val != val ) -+ return 0xFFFFFFFFU; -+ return (uint32)val; -+} -+ - static int - TIFFWriteDirectoryTagSampleformatArray(TIFF* tif, uint32* ndir, TIFFDirEntry* dir, uint16 tag, uint32 count, double* value) - { -@@ -959,7 +1023,7 @@ - if (tif->tif_dir.td_bitspersample<=32) - { - for (i = 0; i < count; ++i) -- ((float*)conv)[i] = (float)value[i]; -+ ((float*)conv)[i] = TIFFClampDoubleToFloat(value[i]); - ok = TIFFWriteDirectoryTagFloatArray(tif,ndir,dir,tag,count,(float*)conv); - } - else -@@ -971,19 +1035,19 @@ - if (tif->tif_dir.td_bitspersample<=8) - { - for (i = 0; i < count; ++i) -- ((int8*)conv)[i] = (int8)value[i]; -+ ((int8*)conv)[i] = TIFFClampDoubleToInt8(value[i]); - ok = TIFFWriteDirectoryTagSbyteArray(tif,ndir,dir,tag,count,(int8*)conv); - } - else if (tif->tif_dir.td_bitspersample<=16) - { - for (i = 0; i < count; ++i) -- ((int16*)conv)[i] = (int16)value[i]; -+ ((int16*)conv)[i] = TIFFClampDoubleToInt16(value[i]); - ok = TIFFWriteDirectoryTagSshortArray(tif,ndir,dir,tag,count,(int16*)conv); - } - else - { - for (i = 0; i < count; ++i) -- ((int32*)conv)[i] = (int32)value[i]; -+ ((int32*)conv)[i] = TIFFClampDoubleToInt32(value[i]); - ok = TIFFWriteDirectoryTagSlongArray(tif,ndir,dir,tag,count,(int32*)conv); - } - break; -@@ -991,19 +1055,19 @@ - if (tif->tif_dir.td_bitspersample<=8) - { - for (i = 0; i < count; ++i) -- ((uint8*)conv)[i] = (uint8)value[i]; -+ ((uint8*)conv)[i] = TIFFClampDoubleToUInt8(value[i]); - ok = TIFFWriteDirectoryTagByteArray(tif,ndir,dir,tag,count,(uint8*)conv); - } - else if (tif->tif_dir.td_bitspersample<=16) - { - for (i = 0; i < count; ++i) -- ((uint16*)conv)[i] = (uint16)value[i]; -+ ((uint16*)conv)[i] = TIFFClampDoubleToUInt16(value[i]); - ok = TIFFWriteDirectoryTagShortArray(tif,ndir,dir,tag,count,(uint16*)conv); - } - else - { - for (i = 0; i < count; ++i) -- ((uint32*)conv)[i] = (uint32)value[i]; -+ ((uint32*)conv)[i] = TIFFClampDoubleToUInt32(value[i]); - ok = TIFFWriteDirectoryTagLongArray(tif,ndir,dir,tag,count,(uint32*)conv); - } - break; -@@ -2102,7 +2102,7 @@ - m[0]=0; - m[1]=1; - } -- else if (value==(double)(uint32)value) -+ else if (value <= 0xFFFFFFFFU && value==(double)(uint32)value) - { - m[0]=(uint32)value; - m[1]=1; -@@ -2148,12 +2217,13 @@ - } - for (na=value, nb=m, nc=0; nc<count; na++, nb+=2, nc++) - { -- if (*na<=0.0) -+ if (*na<=0.0 || *na != *na) - { - nb[0]=0; - nb[1]=1; - } -- else if (*na==(float)(uint32)(*na)) -+ else if (*na >= 0 && *na <= (float)0xFFFFFFFFU && -+ *na==(float)(uint32)(*na)) - { - nb[0]=(uint32)(*na); - nb[1]=1; -Index: libtiff/libtiff/tif_dirread.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_dirread.c,v -retrieving revision 1.205 -retrieving revision 1.206 -diff -u -r1.205 -r1.206 ---- libtiff/libtiff/tif_dirread.c 3 Dec 2016 11:02:15 -0000 1.205 -+++ libtiff/libtiff/tif_dirread.c 11 Jan 2017 13:28:01 -0000 1.206 -@@ -2872,7 +2872,10 @@ - m.l = direntry->tdir_offset.toff_long8; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong(m.i,2); -- if (m.i[0]==0) -+ /* Not completely sure what we should do when m.i[1]==0, but some */ -+ /* sanitizers do not like division by 0.0: */ -+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ -+ if (m.i[0]==0 || m.i[1]==0) - *value=0.0; - else - *value=(double)m.i[0]/(double)m.i[1]; -@@ -2900,7 +2903,10 @@ - m.l=direntry->tdir_offset.toff_long8; - if (tif->tif_flags&TIFF_SWAB) - TIFFSwabArrayOfLong(m.i,2); -- if ((int32)m.i[0]==0) -+ /* Not completely sure what we should do when m.i[1]==0, but some */ -+ /* sanitizers do not like division by 0.0: */ -+ /* http://bugzilla.maptools.org/show_bug.cgi?id=2644 */ -+ if ((int32)m.i[0]==0 || m.i[1]==0) - *value=0.0; - else - *value=(double)((int32)m.i[0])/(double)m.i[1]; -Index: libtiff/libtiff/tif_jpeg.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v -retrieving revision 1.125 -retrieving revision 1.126 -diff -u -r1.125 -r1.126 ---- libtiff/libtiff/tif_jpeg.c 11 Jan 2017 12:15:01 -0000 1.125 -+++ libtiff/libtiff/tif_jpeg.c 11 Jan 2017 16:13:50 -0000 1.126 -@@ -1,4 +1,4 @@ --/* $Id: tif_jpeg.c,v 1.123 2016-01-23 21:20:34 erouault Exp $ */ -+/* $Id: tif_jpeg.c,v 1.126 2017-01-11 16:13:50 erouault Exp $ */ - - /* - * Copyright (c) 1994-1997 Sam Leffler -@@ -1632,6 +1632,13 @@ - "Invalig horizontal/vertical sampling value"); - return (0); - } -+ if( td->td_bitspersample > 16 ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "BitsPerSample %d not allowed for JPEG", -+ td->td_bitspersample); -+ return (0); -+ } - - /* - * A ReferenceBlackWhite field *must* be present since the -Index: libtiff/libtiff/tif_read.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_read.c,v -retrieving revision 1.50 -retrieving revision 1.51 -diff -u -r1.50 -r1.51 ---- libtiff/libtiff/tif_read.c 2 Dec 2016 21:56:56 -0000 1.50 -+++ libtiff/libtiff/tif_read.c 11 Jan 2017 16:33:34 -0000 1.51 -@@ -420,16 +420,25 @@ - return ((tmsize_t)(-1)); - } - } else { -- tmsize_t ma,mb; -+ tmsize_t ma; - tmsize_t n; -- ma=(tmsize_t)td->td_stripoffset[strip]; -- mb=ma+size; -- if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size)) -- n=0; -- else if ((mb<ma)||(mb<size)||(mb>tif->tif_size)) -- n=tif->tif_size-ma; -- else -- n=size; -+ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)|| -+ ((ma=(tmsize_t)td->td_stripoffset[strip])>tif->tif_size)) -+ { -+ n=0; -+ } -+ else if( ma > TIFF_TMSIZE_T_MAX - size ) -+ { -+ n=0; -+ } -+ else -+ { -+ tmsize_t mb=ma+size; -+ if (mb>tif->tif_size) -+ n=tif->tif_size-ma; -+ else -+ n=size; -+ } - if (n!=size) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, diff --git a/gnu/packages/patches/libtiff-null-dereference.patch b/gnu/packages/patches/libtiff-null-dereference.patch deleted file mode 100644 index 8c6345b804..0000000000 --- a/gnu/packages/patches/libtiff-null-dereference.patch +++ /dev/null @@ -1,42 +0,0 @@ -Fix NULL pointer dereference in TIFFReadRawData(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2594 - - -2016-12-03 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffinfo.c: fix null pointer dereference in -r mode when - * the -image has - no StripByteCount tag. - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2594 - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1182; previous revision: 1.1181 -/cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v <-- tools/tiffinfo.c -new revision: 1.26; previous revision: 1.25 - -Index: libtiff/tools/tiffinfo.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffinfo.c,v -retrieving revision 1.25 -retrieving revision 1.26 -diff -u -r1.25 -r1.26 ---- libtiff/tools/tiffinfo.c 12 Nov 2016 20:06:05 -0000 1.25 -+++ libtiff/tools/tiffinfo.c 3 Dec 2016 14:18:49 -0000 1.26 -@@ -1,4 +1,4 @@ --/* $Id: tiffinfo.c,v 1.25 2016-11-12 20:06:05 bfriesen Exp $ */ -+/* $Id: tiffinfo.c,v 1.26 2016-12-03 14:18:49 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -417,7 +417,7 @@ - uint64* stripbc=NULL; - - TIFFGetField(tif, TIFFTAG_STRIPBYTECOUNTS, &stripbc); -- if (nstrips > 0) { -+ if (stripbc != NULL && nstrips > 0) { - uint32 bufsize = (uint32) stripbc[0]; - tdata_t buf = _TIFFmalloc(bufsize); - tstrip_t s; diff --git a/gnu/packages/patches/libtiff-tiffcp-underflow.patch b/gnu/packages/patches/libtiff-tiffcp-underflow.patch deleted file mode 100644 index 5615cbb3e1..0000000000 --- a/gnu/packages/patches/libtiff-tiffcp-underflow.patch +++ /dev/null @@ -1,41 +0,0 @@ -Fix a integer underflow in tiffcp that led to heap overflows in -TIFFReverseBits(): - -http://bugzilla.maptools.org/show_bug.cgi?id=2598 - -2016-12-02 Even Rouault <even.rouault at spatialys.com> - - * tools/tiffcp.c: avoid uint32 underflow in cpDecodedStrips that - can cause various issues, such as buffer overflows in the library. - Reported by Agostino Sarubbo. - Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2598 - - -/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog -new revision: 1.1174; previous revision: 1.1173 -/cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v <-- tools/tiffcp.c -new revision: 1.56; previous revision: 1.55 - -Index: libtiff/tools/tiffcp.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcp.c,v -retrieving revision 1.55 -retrieving revision 1.56 -diff -u -r1.55 -r1.56 ---- libtiff/tools/tiffcp.c 8 Oct 2016 15:54:57 -0000 1.55 -+++ libtiff/tools/tiffcp.c 2 Dec 2016 22:13:32 -0000 1.56 -@@ -1,4 +1,4 @@ --/* $Id: tiffcp.c,v 1.55 2016-10-08 15:54:57 erouault Exp $ */ -+/* $Id: tiffcp.c,v 1.56 2016-12-02 22:13:32 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -985,7 +985,7 @@ - tstrip_t s, ns = TIFFNumberOfStrips(in); - uint32 row = 0; - _TIFFmemset(buf, 0, stripsize); -- for (s = 0; s < ns; s++) { -+ for (s = 0; s < ns && row < imagelength; s++) { - tsize_t cc = (row + rowsperstrip > imagelength) ? - TIFFVStripSize(in, imagelength - row) : stripsize; - if (TIFFReadEncodedStrip(in, s, buf, cc) < 0 diff --git a/gnu/packages/patches/openldap-CVE-2017-9287.patch b/gnu/packages/patches/openldap-CVE-2017-9287.patch new file mode 100644 index 0000000000..5ca2a60c60 --- /dev/null +++ b/gnu/packages/patches/openldap-CVE-2017-9287.patch @@ -0,0 +1,37 @@ +Fix CVE-2017-9287: + +https://www.openldap.org/its/?findid=8655 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9287 + +Patch copied from upstream source repository: + +https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e + +From 0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e Mon Sep 17 00:00:00 2001 +From: Ryan Tandy <ryan@nardis.ca> +Date: Wed, 17 May 2017 20:07:39 -0700 +Subject: [PATCH] ITS#8655 fix double free on paged search with pagesize 0 + +Fixes a double free when a search includes the Paged Results control +with a page size of 0 and the search base matches the filter. +--- + servers/slapd/back-mdb/search.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c +index 301d1a498c..43442aa242 100644 +--- a/servers/slapd/back-mdb/search.c ++++ b/servers/slapd/back-mdb/search.c +@@ -1066,7 +1066,8 @@ notfound: + /* check size limit */ + if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) { + if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) { +- mdb_entry_return( op, e ); ++ if (e != base) ++ mdb_entry_return( op, e ); + e = NULL; + send_paged_response( op, rs, &lastid, tentries ); + goto done; +-- +2.13.0 + diff --git a/gnu/packages/patches/python-genshi-add-support-for-python-3.4-AST.patch b/gnu/packages/patches/python-genshi-add-support-for-python-3.4-AST.patch new file mode 100644 index 0000000000..4e40c1daa1 --- /dev/null +++ b/gnu/packages/patches/python-genshi-add-support-for-python-3.4-AST.patch @@ -0,0 +1,151 @@ +From 86b98a11559da7d1b21dc9b4c6b10511b9095bc4 Mon Sep 17 00:00:00 2001 +From: Simon Cross <hodgestar@gmail.com> +Date: Sun, 16 Feb 2014 18:46:15 +0000 +Subject: [PATCH 05/16] Add support for Python 3.4 AST (support for + NameConstants and changes to existing to arguments node attributes). + +--- + genshi/template/astutil.py | 31 ++++++++++++++++++++++++++++--- + genshi/template/eval.py | 34 +++++++++++++++++++--------------- + 2 files changed, 47 insertions(+), 18 deletions(-) + +diff --git a/genshi/template/astutil.py b/genshi/template/astutil.py +index a4c21c8..a3946b4 100644 +--- a/genshi/template/astutil.py ++++ b/genshi/template/astutil.py +@@ -21,7 +21,7 @@ else: + def parse(source, mode): + return compile(source, '', mode, _ast.PyCF_ONLY_AST) + +-from genshi.compat import IS_PYTHON2 ++from genshi.compat import IS_PYTHON2, isstring + + __docformat__ = 'restructuredtext en' + +@@ -103,8 +103,13 @@ class ASTCodeGenerator(object): + self._new_line() + return self.visit(node.body) + ++ # Python < 3.4 + # arguments = (expr* args, identifier? vararg, + # identifier? kwarg, expr* defaults) ++ # ++ # Python >= 3.4 ++ # arguments = (arg* args, arg? vararg, arg* kwonlyargs, expr* kw_defaults, ++ # arg? kwarg, expr* defaults) + def visit_arguments(self, node): + first = True + no_default_count = len(node.args) - len(node.defaults) +@@ -122,13 +127,21 @@ class ASTCodeGenerator(object): + self._write(', ') + else: + first = False +- self._write('*' + node.vararg) ++ self._write('*') ++ if isstring(node.vararg): ++ self._write(node.vararg) ++ else: ++ self.visit(node.vararg) + if getattr(node, 'kwarg', None): + if not first: + self._write(', ') + else: + first = False +- self._write('**' + node.kwarg) ++ self._write('**') ++ if isstring(node.kwarg): ++ self._write(node.kwarg) ++ else: ++ self.visit(node.kwarg) + + if not IS_PYTHON2: + # In Python 3 arguments get a special node +@@ -724,6 +737,17 @@ class ASTCodeGenerator(object): + def visit_Name(self, node): + self._write(node.id) + ++ # NameConstant(singleton value) ++ def visit_NameConstant(self, node): ++ if node.value is None: ++ self._write('None') ++ elif node.value is True: ++ self._write('True') ++ elif node.value is False: ++ self._write('False') ++ else: ++ raise Exception("Unknown NameConstant %r" % (node.value,)) ++ + # List(expr* elts, expr_context ctx) + def visit_List(self, node): + self._write('[') +@@ -829,6 +853,7 @@ class ASTTransformer(object): + visit_Attribute = _clone + visit_Subscript = _clone + visit_Name = _clone ++ visit_NameConstant = _clone + visit_List = _clone + visit_Tuple = _clone + +diff --git a/genshi/template/eval.py b/genshi/template/eval.py +index 89aec49..de4bc86 100644 +--- a/genshi/template/eval.py ++++ b/genshi/template/eval.py +@@ -24,7 +24,8 @@ from genshi.template.astutil import ASTTransformer, ASTCodeGenerator, \ + from genshi.template.base import TemplateRuntimeError + from genshi.util import flatten + +-from genshi.compat import get_code_params, build_code_chunk, IS_PYTHON2 ++from genshi.compat import get_code_params, build_code_chunk, isstring, \ ++ IS_PYTHON2 + + __all__ = ['Code', 'Expression', 'Suite', 'LenientLookup', 'StrictLookup', + 'Undefined', 'UndefinedError'] +@@ -495,28 +496,31 @@ class TemplateASTTransformer(ASTTransformer): + def __init__(self): + self.locals = [CONSTANTS] + ++ def _process(self, names, node): ++ if not IS_PYTHON2 and isinstance(node, _ast.arg): ++ names.add(node.arg) ++ elif isstring(node): ++ names.add(node) ++ elif isinstance(node, _ast.Name): ++ names.add(node.id) ++ elif isinstance(node, _ast.alias): ++ names.add(node.asname or node.name) ++ elif isinstance(node, _ast.Tuple): ++ for elt in node.elts: ++ self._process(names, elt) ++ + def _extract_names(self, node): + names = set() +- def _process(node): +- if not IS_PYTHON2 and isinstance(node, _ast.arg): +- names.add(node.arg) +- if isinstance(node, _ast.Name): +- names.add(node.id) +- elif isinstance(node, _ast.alias): +- names.add(node.asname or node.name) +- elif isinstance(node, _ast.Tuple): +- for elt in node.elts: +- _process(elt) + if hasattr(node, 'args'): + for arg in node.args: +- _process(arg) ++ self._process(names, arg) + if hasattr(node, 'vararg'): +- names.add(node.vararg) ++ self._process(names, node.vararg) + if hasattr(node, 'kwarg'): +- names.add(node.kwarg) ++ self._process(names, node.kwarg) + elif hasattr(node, 'names'): + for elt in node.names: +- _process(elt) ++ self._process(names, elt) + return names + + def visit_Str(self, node): +-- +2.12.0 + diff --git a/gnu/packages/patches/python-genshi-buildable-on-python-2.7.patch b/gnu/packages/patches/python-genshi-buildable-on-python-2.7.patch new file mode 100644 index 0000000000..2bc516c697 --- /dev/null +++ b/gnu/packages/patches/python-genshi-buildable-on-python-2.7.patch @@ -0,0 +1,25 @@ +From 32bfaa7cc1c736fd62fcbb6414de9498dc20ed07 Mon Sep 17 00:00:00 2001 +From: Adriano Peluso <catonano@gmail.com> +Date: Wed, 5 Apr 2017 15:13:06 +0200 +Subject: [PATCH 2/2] buildable on python27 too + +--- + genshi/template/directives.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/genshi/template/directives.py b/genshi/template/directives.py +index 6fd0f28..1f70ef6 100644 +--- a/genshi/template/directives.py ++++ b/genshi/template/directives.py +@@ -266,7 +266,7 @@ class DefDirective(Directive): + if isinstance(ast, _ast.Call): + self.name = ast.func.id + for arg in ast.args: +- if isinstance(arg, _ast.Starred): ++ if hasattr(_ast, 'Starred') and isinstance(arg, _ast.Starred): + # Python 3.5+ + self.star_args = arg.value.id + else: +-- +2.12.0 + diff --git a/gnu/packages/patches/python-genshi-disable-speedups-on-python-3.3.patch b/gnu/packages/patches/python-genshi-disable-speedups-on-python-3.3.patch new file mode 100644 index 0000000000..c25c3bd7a9 --- /dev/null +++ b/gnu/packages/patches/python-genshi-disable-speedups-on-python-3.3.patch @@ -0,0 +1,32 @@ +From cef2c8df44166195e1705638f9f17033a4943bb7 Mon Sep 17 00:00:00 2001 +From: Simon Cross <hodgestar@gmail.com> +Date: Sun, 16 Feb 2014 18:32:21 +0000 +Subject: [PATCH 02/15] Disable the speedups C extension on CPython >= 3.3 + since Genshi doesn't support the new Unicode C API yet. + +--- + setup.py | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/setup.py b/setup.py +index 123a2cb..a3d748c 100755 +--- a/setup.py ++++ b/setup.py +@@ -65,9 +65,13 @@ available.""") + + + if Feature: ++ # Optional C extension module for speeding up Genshi: ++ # Not activated by default on: ++ # - PyPy (where it harms performance) ++ # - CPython >= 3.3 (the new Unicode C API is not supported yet) + speedups = Feature( + "optional C speed-enhancements", +- standard = not is_pypy, ++ standard = not is_pypy and sys.version_info < (3, 3), + ext_modules = [ + Extension('genshi._speedups', ['genshi/_speedups.c']), + ], +-- +2.12.0 + diff --git a/gnu/packages/patches/python-genshi-fix-tests-on-python-3.5.patch b/gnu/packages/patches/python-genshi-fix-tests-on-python-3.5.patch new file mode 100644 index 0000000000..05be080cdf --- /dev/null +++ b/gnu/packages/patches/python-genshi-fix-tests-on-python-3.5.patch @@ -0,0 +1,112 @@ +From ce796ad4bae5c47011876778674ad036357febdf Mon Sep 17 00:00:00 2001 +From: Adriano Peluso <catonano@gmail.com> +Date: Wed, 5 Apr 2017 15:10:06 +0200 +Subject: [PATCH 1/2] fixing the tests on python35 + +--- + genshi/filters/i18n.py | 6 ++++-- + genshi/template/astutil.py | 14 +++++++++++--- + genshi/template/directives.py | 20 ++++++++++++++------ + genshi/template/eval.py | 5 +++++ + 4 files changed, 34 insertions(+), 11 deletions(-) + +diff --git a/genshi/filters/i18n.py b/genshi/filters/i18n.py +index 526fda4..5387fcf 100644 +--- a/genshi/filters/i18n.py ++++ b/genshi/filters/i18n.py +@@ -1194,8 +1194,10 @@ def extract_from_code(code, gettext_functions): + elif arg: + strings.append(None) + [_add(arg) for arg in node.args] +- _add(node.starargs) +- _add(node.kwargs) ++ if hasattr(node, 'starargs'): ++ _add(node.starargs) ++ if hasattr(node, 'kwargs'): ++ _add(node.kwargs) + if len(strings) == 1: + strings = strings[0] + else: +diff --git a/genshi/template/astutil.py b/genshi/template/astutil.py +index f4e1edd..e561846 100644 +--- a/genshi/template/astutil.py ++++ b/genshi/template/astutil.py +@@ -151,6 +151,10 @@ class ASTCodeGenerator(object): + def visit_arg(self, node): + self._write(node.arg) + ++ def visit_Starred(self, node): ++ self._write('*') ++ self.visit(node.value) ++ + # FunctionDef(identifier name, arguments args, + # stmt* body, expr* decorator_list) + def visit_FunctionDef(self, node): +@@ -664,9 +668,13 @@ class ASTCodeGenerator(object): + if not first: + self._write(', ') + first = False +- # keyword = (identifier arg, expr value) +- self._write(keyword.arg) +- self._write('=') ++ if not keyword.arg: ++ # Python 3.5+ star-star args ++ self._write('**') ++ else: ++ # keyword = (identifier arg, expr value) ++ self._write(keyword.arg) ++ self._write('=') + self.visit(keyword.value) + if getattr(node, 'starargs', None): + if not first: +diff --git a/genshi/template/directives.py b/genshi/template/directives.py +index 7301c2d..6fd0f28 100644 +--- a/genshi/template/directives.py ++++ b/genshi/template/directives.py +@@ -266,13 +266,21 @@ class DefDirective(Directive): + if isinstance(ast, _ast.Call): + self.name = ast.func.id + for arg in ast.args: +- # only names +- self.args.append(arg.id) ++ if isinstance(arg, _ast.Starred): ++ # Python 3.5+ ++ self.star_args = arg.value.id ++ else: ++ # only names ++ self.args.append(arg.id) + for kwd in ast.keywords: +- self.args.append(kwd.arg) +- exp = Expression(kwd.value, template.filepath, +- lineno, lookup=template.lookup) +- self.defaults[kwd.arg] = exp ++ if kwd.arg is None: ++ # Python 3.5+ ++ self.dstar_args = kwd.value.id ++ else: ++ self.args.append(kwd.arg) ++ exp = Expression(kwd.value, template.filepath, ++ lineno, lookup=template.lookup) ++ self.defaults[kwd.arg] = exp + if getattr(ast, 'starargs', None): + self.star_args = ast.starargs.id + if getattr(ast, 'kwargs', None): +diff --git a/genshi/template/eval.py b/genshi/template/eval.py +index d378419..81644a7 100644 +--- a/genshi/template/eval.py ++++ b/genshi/template/eval.py +@@ -600,6 +600,11 @@ class TemplateASTTransformer(ASTTransformer): + finally: + self.locals.pop() + ++ # Only used in Python 3.5+ ++ def visit_Starred(self, node): ++ node.value = self.visit(node.value) ++ return node ++ + def visit_Name(self, node): + # If the name refers to a local inside a lambda, list comprehension, or + # generator expression, leave it alone +-- +2.12.0 + diff --git a/gnu/packages/patches/python-genshi-isstring-helper.patch b/gnu/packages/patches/python-genshi-isstring-helper.patch new file mode 100644 index 0000000000..4f6c19bba9 --- /dev/null +++ b/gnu/packages/patches/python-genshi-isstring-helper.patch @@ -0,0 +1,37 @@ +From cc5e07284f44cdd9beec178c69070a53f55d1323 Mon Sep 17 00:00:00 2001 +From: Simon Cross <hodgestar@gmail.com> +Date: Sun, 16 Feb 2014 18:43:20 +0000 +Subject: [PATCH 03/15] Add isstring helper. + +--- + genshi/compat.py | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/genshi/compat.py b/genshi/compat.py +index 9787325..6574e39 100644 +--- a/genshi/compat.py ++++ b/genshi/compat.py +@@ -35,6 +35,15 @@ else: + 'Python 2 compatibility function. Not usable in Python 3.') + + ++# We need to test if an object is an instance of a string type in places ++ ++if IS_PYTHON2: ++ def isstring(obj): ++ return isinstance(obj, basestring) ++else: ++ def isstring(obj): ++ return isinstance(obj, str) ++ + # We need to differentiate between StringIO and BytesIO in places + + if IS_PYTHON2: +@@ -112,4 +121,3 @@ except NameError: + if not x: + return False + return True +- +-- +2.12.0 + diff --git a/gnu/packages/patches/python-genshi-stripping-of-unsafe-script-tags.patch b/gnu/packages/patches/python-genshi-stripping-of-unsafe-script-tags.patch new file mode 100644 index 0000000000..29951a6149 --- /dev/null +++ b/gnu/packages/patches/python-genshi-stripping-of-unsafe-script-tags.patch @@ -0,0 +1,51 @@ +From 0769be04c3891ae5c724c6779ba13d1d0f53b4ae Mon Sep 17 00:00:00 2001 +From: Simon Cross <hodgestar@gmail.com> +Date: Sun, 16 Feb 2014 18:25:17 +0000 +Subject: [PATCH 01/15] Also allow stripping of unsafe script tags (Python 3.4 + parses the second example as a tag whose name is script&xyz). + +--- + genshi/filters/tests/test_html.py | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/genshi/filters/tests/test_html.py b/genshi/filters/tests/test_html.py +index 0c6cfe1..45ec0da 100644 +--- a/genshi/filters/tests/test_html.py ++++ b/genshi/filters/tests/test_html.py +@@ -368,12 +368,16 @@ def StyleSanitizer(): + + class HTMLSanitizerTestCase(unittest.TestCase): + +- def assert_parse_error_or_equal(self, expected, exploit): ++ def assert_parse_error_or_equal(self, expected, exploit, ++ allow_strip=False): + try: + html = HTML(exploit) + except ParseError: + return +- self.assertEquals(expected, (html | HTMLSanitizer()).render()) ++ sanitized_html = (html | HTMLSanitizer()).render() ++ if not sanitized_html and allow_strip: ++ return ++ self.assertEquals(expected, sanitized_html) + + def test_sanitize_unchanged(self): + html = HTML(u'<a href="#">fo<br />o</a>') +@@ -416,10 +420,12 @@ class HTMLSanitizerTestCase(unittest.TestCase): + html = HTML(u'<SCRIPT SRC="http://example.com/"></SCRIPT>') + self.assertEquals('', (html | HTMLSanitizer()).render()) + src = u'<SCR\0IPT>alert("foo")</SCR\0IPT>' +- self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src) ++ self.assert_parse_error_or_equal('<SCR\x00IPT>alert("foo")', src, ++ allow_strip=True) + src = u'<SCRIPT&XYZ SRC="http://example.com/"></SCRIPT>' + self.assert_parse_error_or_equal('<SCRIPT&XYZ; ' +- 'SRC="http://example.com/">', src) ++ 'SRC="http://example.com/">', src, ++ allow_strip=True) + + def test_sanitize_remove_onclick_attr(self): + html = HTML(u'<div onclick=\'alert("foo")\' />') +-- +2.12.0 + diff --git a/gnu/packages/patches/rxvt-unicode-escape-sequences.patch b/gnu/packages/patches/rxvt-unicode-escape-sequences.patch new file mode 100644 index 0000000000..064dd51e2d --- /dev/null +++ b/gnu/packages/patches/rxvt-unicode-escape-sequences.patch @@ -0,0 +1,35 @@ +This patch prevents a code execution vector involving terminal escape +sequences when rxvt-unicode is in "secure mode". + +This change was spurred by the following conversation on the +oss-security mailing list: + +Problem description and proof of concept: +http://seclists.org/oss-sec/2017/q2/190 + +Upstream response: +http://seclists.org/oss-sec/2017/q2/291 + +Patch copied from upstream source repository: +http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583 + +--- rxvt-unicode/src/command.C 2016/07/14 05:33:26 1.582 ++++ rxvt-unicode/src/command.C 2017/05/18 02:43:18 1.583 +@@ -2695,7 +2695,7 @@ + /* kidnapped escape sequence: Should be 8.3.48 */ + case C1_ESA: /* ESC G */ + // used by original rxvt for rob nations own graphics mode +- if (cmd_getc () == 'Q') ++ if (cmd_getc () == 'Q' && option (Opt_insecure)) + tt_printf ("\033G0\012"); /* query graphics - no graphics */ + break; + +@@ -2914,7 +2914,7 @@ + break; + + case CSI_CUB: /* 8.3.18: (1) CURSOR LEFT */ +- case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */ ++ case CSI_HPB: /* 8.3.59: (1) CHARACTER POSITION BACKWARD */ + #ifdef ISO6429 + arg[0] = -arg[0]; + #else /* emulate common DEC VTs */ diff --git a/gnu/packages/patches/synfig-build-fix.patch b/gnu/packages/patches/synfig-build-fix.patch deleted file mode 100644 index 3f6168e0fb..0000000000 --- a/gnu/packages/patches/synfig-build-fix.patch +++ /dev/null @@ -1,61 +0,0 @@ -Allow Synfig to build in C++11 mode. - -Taken from here: -https://projects.archlinux.org/svntogit/community.git/plain/trunk/build-fix.patch?h=packages/synfig - -diff -wbBur synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.cpp synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.cpp ---- synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.cpp 2015-03-28 13:15:00.000000000 +0300 -+++ synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.cpp 2015-04-28 16:56:11.568749053 +0300 -@@ -56,8 +56,8 @@ - /* === M E T H O D S ======================================================= */ - - --Importer_LibAVCodec::Importer_LibAVCodec(const char *file): -- filename(file) -+Importer_LibAVCodec::Importer_LibAVCodec(const synfig::FileSystem::Identifier &identifier): -+ Importer(identifier) - { - } - -diff -wbBur synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.h synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.h ---- synfig-1.0-RC5/src/modules/mod_libavcodec/mptr.h 2015-03-28 13:15:00.000000000 +0300 -+++ synfig-1.0-RC5.my/src/modules/mod_libavcodec/mptr.h 2015-04-28 16:55:18.699192946 +0300 -@@ -46,7 +46,7 @@ - synfig::String filename; - - public: -- Importer_LibAVCodec(const char *filename); -+ Importer_LibAVCodec(const synfig::FileSystem::Identifier &identifier); - ~Importer_LibAVCodec(); - - virtual bool get_frame(synfig::Surface &surface, const synfig::RendDesc &renddesc, synfig::Time time, synfig::ProgressCallback *callback); -diff -wbBur synfig-1.0-RC5/src/modules/mod_libavcodec/trgt_av.cpp synfig-1.0-RC5.my/src/modules/mod_libavcodec/trgt_av.cpp ---- synfig-1.0-RC5/src/modules/mod_libavcodec/trgt_av.cpp 2015-03-28 13:15:00.000000000 +0300 -+++ synfig-1.0-RC5.my/src/modules/mod_libavcodec/trgt_av.cpp 2015-04-28 16:46:54.720091106 +0300 -@@ -121,14 +121,14 @@ - picture = avcodec_alloc_frame(); - if (!picture) - return NULL; -- size = avpicture_get_size(pix_fmt, width, height); -+ size = avpicture_get_size((::PixelFormat)pix_fmt, width, height); - picture_buf = (uint8_t *)malloc(size); - if (!picture_buf) { - av_free(picture); - return NULL; - } - avpicture_fill((AVPicture *)picture, picture_buf, -- pix_fmt, width, height); -+ (::PixelFormat)pix_fmt, width, height); - return picture; - } - -diff -wbBur synfig-1.0.2/src/synfig/time.cpp synfig-1.0.2.my/src/synfig/time.cpp ---- synfig-1.0.2/src/synfig/time.cpp 2015-07-09 10:33:03.000000000 +0300 -+++ synfig-1.0.2.my/src/synfig/time.cpp 2015-10-12 13:54:58.382313903 +0300 -@@ -319,5 +319,5 @@ - bool - Time::is_valid()const - { -- return !isnan(value_); -+ return !::isnan(value_); - } diff --git a/gnu/packages/patches/synfigstudio-fix-ui-with-gtk3.patch b/gnu/packages/patches/synfigstudio-fix-ui-with-gtk3.patch new file mode 100644 index 0000000000..d7b3e92507 --- /dev/null +++ b/gnu/packages/patches/synfigstudio-fix-ui-with-gtk3.patch @@ -0,0 +1,55 @@ +Downloaded from +https://github.com/synfig/synfig/commit/b9c3b73ee35b83c4d9183c800809040cef98b2f2.patch + +Without this patch the UI of Synfig Studio (when built with the latest version +of GTK) displays very large buttons in the header of every frame. + +This patch can be removed with the next release. + + +From b9c3b73ee35b83c4d9183c800809040cef98b2f2 Mon Sep 17 00:00:00 2001 +From: caryoscelus <caryoscelus@gmx.com> +Date: Wed, 25 Jan 2017 18:34:39 +0300 +Subject: [PATCH] Fix dock drop area size + +Fixes #227 + +By using Frame instead of Button we avoid intrusive Gtk themes +from forcing huge drop area size. +--- + synfig-studio/src/gui/docks/dockdroparea.cpp | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/src/gui/docks/dockdroparea.cpp b/synfig-studio/src/gui/docks/dockdroparea.cpp +index 0f8936fdb..e012282f0 100644 +--- a/src/gui/docks/dockdroparea.cpp ++++ b/src/gui/docks/dockdroparea.cpp +@@ -35,7 +35,7 @@ + #include "app.h" + #include "docks/dockdroparea.h" + #include "docks/dockmanager.h" +-#include <gtkmm/button.h> ++#include <gtkmm/frame.h> + + #endif + +@@ -61,10 +61,15 @@ DockDropArea::DockDropArea(Gtk::Widget *target): + std::vector<Gtk::TargetEntry> listTargets; + listTargets.push_back( Gtk::TargetEntry("SYNFIG_DOCK") ); + +- Gtk::Button *button_left = manage(new Gtk::Button()); +- Gtk::Button *button_right = manage(new Gtk::Button()); +- Gtk::Button *button_top = manage(new Gtk::Button()); +- Gtk::Button *button_bottom = manage(new Gtk::Button()); ++ Gtk::Frame *button_left = manage(new Gtk::Frame()); ++ Gtk::Frame *button_right = manage(new Gtk::Frame()); ++ Gtk::Frame *button_top = manage(new Gtk::Frame()); ++ Gtk::Frame *button_bottom = manage(new Gtk::Frame()); ++ ++ button_left->set_size_request(20, 10); ++ button_right->set_size_request(20, 10); ++ button_top->set_size_request(20, 10); ++ button_bottom->set_size_request(20, 10); + + button_left->drag_dest_set(listTargets); + button_right->drag_dest_set(listTargets); |