[arch-commits] Commit in libwmf/repos (32 files)

Levente Polyak anthraxx at archlinux.org
Wed Dec 21 20:43:04 UTC 2016


    Date: Wednesday, December 21, 2016 @ 20:43:03
  Author: anthraxx
Revision: 284393

archrelease: copy trunk to staging-i686, staging-x86_64

Added:
  libwmf/repos/staging-i686/
  libwmf/repos/staging-i686/PKGBUILD
    (from rev 284392, libwmf/trunk/PKGBUILD)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CAN-2004-0941.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CAN-2004-0941.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2007-0455.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-0455.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2007-2756.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-2756.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2007-3472.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3472.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2007-3473.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3473.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2007-3477.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3477.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2009-3546.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2009-3546.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2015-4695.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4695.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2015-4696.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4696.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2016-9011.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2016-9011.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-libpng-1.5.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-libpng-1.5.patch)
  libwmf/repos/staging-i686/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch)
  libwmf/repos/staging-x86_64/
  libwmf/repos/staging-x86_64/PKGBUILD
    (from rev 284392, libwmf/trunk/PKGBUILD)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CAN-2004-0941.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CAN-2004-0941.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2007-0455.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-0455.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2007-2756.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-2756.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2007-3472.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3472.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2007-3473.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3473.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2007-3477.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3477.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2009-3546.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2009-3546.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2015-4695.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4695.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2015-4696.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4696.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2016-9011.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2016-9011.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-libpng-1.5.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-libpng-1.5.patch)
  libwmf/repos/staging-x86_64/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
    (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch)

-----------------------------------------------------------------+
 staging-i686/PKGBUILD                                           |   78 ++++++
 staging-i686/libwmf-0.2.8.4-CAN-2004-0941.patch                 |   17 +
 staging-i686/libwmf-0.2.8.4-CVE-2007-0455.patch                 |   11 
 staging-i686/libwmf-0.2.8.4-CVE-2007-2756.patch                 |   16 +
 staging-i686/libwmf-0.2.8.4-CVE-2007-3472.patch                 |   59 +++++
 staging-i686/libwmf-0.2.8.4-CVE-2007-3473.patch                 |   13 +
 staging-i686/libwmf-0.2.8.4-CVE-2007-3477.patch                 |   38 +++
 staging-i686/libwmf-0.2.8.4-CVE-2009-3546.patch                 |   13 +
 staging-i686/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch   |  118 ++++++++++
 staging-i686/libwmf-0.2.8.4-CVE-2015-4695.patch                 |   56 ++++
 staging-i686/libwmf-0.2.8.4-CVE-2015-4696.patch                 |   23 +
 staging-i686/libwmf-0.2.8.4-CVE-2016-9011.patch                 |   36 +++
 staging-i686/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch     |   27 ++
 staging-i686/libwmf-0.2.8.4-libpng-1.5.patch                    |   12 +
 staging-i686/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch    |   10 
 staging-x86_64/PKGBUILD                                         |   78 ++++++
 staging-x86_64/libwmf-0.2.8.4-CAN-2004-0941.patch               |   17 +
 staging-x86_64/libwmf-0.2.8.4-CVE-2007-0455.patch               |   11 
 staging-x86_64/libwmf-0.2.8.4-CVE-2007-2756.patch               |   16 +
 staging-x86_64/libwmf-0.2.8.4-CVE-2007-3472.patch               |   59 +++++
 staging-x86_64/libwmf-0.2.8.4-CVE-2007-3473.patch               |   13 +
 staging-x86_64/libwmf-0.2.8.4-CVE-2007-3477.patch               |   38 +++
 staging-x86_64/libwmf-0.2.8.4-CVE-2009-3546.patch               |   13 +
 staging-x86_64/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch |  118 ++++++++++
 staging-x86_64/libwmf-0.2.8.4-CVE-2015-4695.patch               |   56 ++++
 staging-x86_64/libwmf-0.2.8.4-CVE-2015-4696.patch               |   23 +
 staging-x86_64/libwmf-0.2.8.4-CVE-2016-9011.patch               |   36 +++
 staging-x86_64/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch   |   27 ++
 staging-x86_64/libwmf-0.2.8.4-libpng-1.5.patch                  |   12 +
 staging-x86_64/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch  |   10 
 30 files changed, 1054 insertions(+)

Copied: libwmf/repos/staging-i686/PKGBUILD (from rev 284392, libwmf/trunk/PKGBUILD)
===================================================================
--- staging-i686/PKGBUILD	                        (rev 0)
+++ staging-i686/PKGBUILD	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,78 @@
+# $Id$
+# Maintainer: Eric Bélanger <eric at archlinux.org>
+
+pkgname=libwmf
+pkgver=0.2.8.4
+pkgrel=14
+pkgdesc="A library for reading vector images in Microsoft's native Windows Metafile Format (WMF)"
+arch=('i686' 'x86_64')
+url="http://wvware.sourceforge.net/libwmf.html"
+license=('LGPL')
+depends=('libx11' 'libjpeg' 'gsfonts')
+makedepends=('gtk2' 'libxt')
+optdepends=('gdk-pixbuf2: for pixbuf loader')
+options=('!docs' '!emptydirs')
+source=(http://downloads.sourceforge.net/sourceforge/wvware/${pkgname}-${pkgver}.tar.gz
+        libwmf-0.2.8.4-libpng-1.5.patch
+        libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
+        libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
+        libwmf-0.2.8.4-CAN-2004-0941.patch
+        libwmf-0.2.8.4-CVE-2007-0455.patch
+        libwmf-0.2.8.4-CVE-2007-2756.patch
+        libwmf-0.2.8.4-CVE-2007-3472.patch
+        libwmf-0.2.8.4-CVE-2007-3473.patch
+        libwmf-0.2.8.4-CVE-2007-3477.patch
+        libwmf-0.2.8.4-CVE-2009-3546.patch
+        libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
+        libwmf-0.2.8.4-CVE-2015-4695.patch
+        libwmf-0.2.8.4-CVE-2015-4696.patch
+		libwmf-0.2.8.4-CVE-2016-9011.patch)
+sha1sums=('822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89'
+          '42aa4c2a82e4e14044c875a7f439baea732a355a'
+          'ea6d28880840e86c96f9079bfd591da54dcffa5c'
+          '6f130ea9f639ccf88fef0fda74cf9fa3956f81b5'
+          '2f8a46698dac6d5f5c3109cb56ad675ff1efaee0'
+          '380d59744f174e12d4ba4f5cb63f14b6092850fa'
+          '45ae37f79b351fe738212caa3a3c61c9b6fa2d5b'
+          '1836f07750d3a8b4dd6354660875436b0e5c3b07'
+          'c778b89445f621fd5e44b0bbf9d441cceea90d6c'
+          'd0a6fefedd327f99c3ca1c2f7f19adddc2cef50a'
+          '83f32dac05c1492eef1e652c553a5ffc80a3e656'
+          '5608d0565890f2f89435bc13ad57279900ed83b4'
+          '408cfff29160b037b8baa26b4647e02f373b8b85'
+          'e250f5ecefde4bf5c06f7fbc562566ce64204f2a'
+          '9f8670ef0b4862bb84aecc582bfbec45573a8831')
+
+prepare() {
+  cd ${pkgname}-${pkgver}
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-libpng-1.5.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CAN-2004-0941.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-0455.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-2756.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3472.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3473.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3477.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2009-3546.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-4695.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-4696.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2016-9011.patch"
+}
+
+build() {
+  cd ${pkgname}-${pkgver}
+  ./configure --prefix=/usr \
+              --with-gsfontdir=/usr/share/fonts/Type1 \
+	      --with-fontdir=/usr/share/fonts/Type1 \
+	      --with-gsfontmap=/usr/share/ghostscript/9.10/Resource/Init/Fontmap.GS
+  make
+}
+
+package() {
+  cd ${pkgname}-${pkgver}
+  make DESTDIR="${pkgdir}" install
+  #Remove fonts, these are in gsfonts
+  rm -rf "${pkgdir}/usr/share/fonts"
+}

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CAN-2004-0941.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CAN-2004-0941.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CAN-2004-0941.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CAN-2004-0941.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,17 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c	2004-11-11 14:02:37.407589824 -0500
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c	2004-11-11 14:04:29.672522960 -0500
+@@ -188,6 +188,14 @@
+ 
+   png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 		&interlace_type, NULL, NULL);
++  if (overflow2(sizeof (int), width)) 
++    {
++      return NULL;
++    }
++  if (overflow2(sizeof (int) * width, height)) 
++    {
++      return NULL;
++    }  
+   if ((color_type == PNG_COLOR_TYPE_RGB) ||
+       (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+     {

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2007-0455.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-0455.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CVE-2007-0455.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CVE-2007-0455.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,11 @@
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c	2010-12-06 11:18:26.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdft.c	2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ 	    {
+ 	      ch = c & 0xFF;	/* don't extend sign */
+ 	    }
+-	  next++;
++	  if (*next) next++;
+ 	}
+       else
+ 	{

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2007-2756.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-2756.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CVE-2007-2756.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CVE-2007-2756.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,16 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c	1 Apr 2007 20:41:01 -0000	1.21.2.1
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c	16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ 	       png_bytep data, png_size_t length)
+ {
+-  gdGetBuf (data, length, (gdIOCtx *)
+-	    png_get_io_ptr (png_ptr));
++  int check;
++  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++  if (check != length) {
++    png_error(png_ptr, "Read Error: truncated data");
++  }
+ }
+ 
+ static void

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2007-3472.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3472.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CVE-2007-3472.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CVE-2007-3472.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,59 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+   gdImagePtr im;
+   unsigned long cpa_size;
+ 
++  if (overflow2(sx, sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof (int *), sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof(int), sx)) {
++    return NULL;
++  }
++
+   im = (gdImage *) gdMalloc (sizeof (gdImage));
+   if (im == 0) return 0;
+   memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c	2010-12-06 11:47:31.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c	2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+ 
+@@ -94,3 +95,18 @@
+ {
+   free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++	if(a < 0 || b < 0) {
++		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++		return 1;
++	}
++	if(b == 0)
++		return 0;
++	if(a > INT_MAX / b) {
++		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++		return 1;
++	}
++	return 0;
++}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h	2010-12-06 11:47:17.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h	2010-12-06 11:48:36.000000000 +0000
+@@ -15,4 +15,6 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+ 
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2007-3473.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3473.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CVE-2007-3473.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CVE-2007-3473.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+     }
+   bytes = (w * h / 8) + 1;
+   im = gdImageCreate (w, h);
++  if (!im) {
++    return 0;
++  }
++
+   gdImageColorAllocate (im, 255, 255, 255);
+   gdImageColorAllocate (im, 0, 0, 0);
+   x = 0;

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2007-3477.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3477.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CVE-2007-3477.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CVE-2007-3477.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,38 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+   int w2, h2;
+   w2 = w / 2;
+   h2 = h / 2;
+-  while (e < s)
+-    {
+-      e += 360;
+-    }
++
++  if ((s % 360)  == (e % 360)) {
++         s = 0; e = 360;
++  } else {
++         if (s > 360) {
++                 s = s % 360;
++         }
++
++         if (e > 360) {
++                 e = e % 360;
++         }
++
++         while (s < 0) {
++                 s += 360;
++         }
++
++         while (e < s) {
++                 e += 360;
++         }
++
++         if (s == e) {
++                 s = 0; e = 360;
++         }
++  }
++
+   for (i = s; (i <= e); i++)
+     {
+       int x, y;

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2009-3546.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2009-3546.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CVE-2009-3546.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CVE-2009-3546.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c	2010-12-06 14:56:06.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c	2010-12-06 14:57:04.000000000 +0000
+@@ -42,6 +42,10 @@
+ 	    {
+ 	      goto fail1;
+ 	    }
++	  if (&im->colorsTotal > gdMaxColors)
++	    {
++	      goto fail1;
++	    }
+ 	}
+       /* Int to accommodate truecolor single-color transparency */
+       if (!gdGetInt (&im->transparent, in))

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,118 @@
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-08 14:46:24.591876404 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-08 14:46:35.345993247 +0100
+@@ -859,7 +859,7 @@
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ {	int byte;
+ 	int count;
+ 	int i;
+@@ -870,12 +870,14 @@
+ 	U32 u;
+ 
+ 	unsigned char* q;
++	unsigned char* end;
+ 
+ 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+ 
+ 	byte = 0;
+ 	x = 0;
+ 	q = pixels;
++	end = pixels + bmp->width * bmp->height;
+ 
+ 	for (y = 0; y < bmp->height; )
+ 	{	count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@
+ 		{	/* Encoded mode. */
+ 			byte = ReadBlobByte (src);
+ 			for (i = 0; i < count; i++)
+-			{	if (compression == 1)
++			{	
++				if (q == end)
++					return 0;
++			 	if (compression == 1)
+ 				{	(*(q++)) = (unsigned char) byte;
+ 				}
+ 				else
+@@ -896,13 +901,15 @@
+ 		else
+ 		{	/* Escape mode. */
+ 			count = ReadBlobByte (src);
+-			if (count == 0x01) return;
++			if (count == 0x01) return 1;
+ 			switch (count)
+ 			{
+ 			case 0x00:
+ 			 {	/* End of line. */
+ 				x = 0;
+ 				y++;
++				if (y >= bmp->height)
++					return 0;
+ 				q = pixels + y * bmp->width;
+ 				break;
+ 			 }
+@@ -910,13 +917,20 @@
+ 			 {	/* Delta mode. */
+ 				x += ReadBlobByte (src);
+ 				y += ReadBlobByte (src);
++				if (y >= bmp->height)
++					return 0;
++				if (x >= bmp->width)
++					return 0;
+ 				q = pixels + y * bmp->width + x;
+ 				break;
+ 			 }
+ 			default:
+ 			 {	/* Absolute mode. */
+ 				for (i = 0; i < count; i++)
+-				{	if (compression == 1)
++				{
++					if (q == end)
++						return 0;
++					if (compression == 1)
+ 					{	(*(q++)) = ReadBlobByte (src);
+ 					}
+ 					else
+@@ -943,7 +957,7 @@
+ 	byte = ReadBlobByte (src);  /* end of line */
+ 	byte = ReadBlobByte (src);
+ 
+-	return;
++	return 1;
+ }
+ 
+ /*
+@@ -1143,8 +1157,18 @@
+ 		}
+ 	}
+ 	else
+-	{	/* Convert run-length encoded raster pixels. */
+-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++	{
++		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
++		{
++			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
++			{	WMF_ERROR (API,"corrupt bmp");
++				API->err = wmf_E_BadFormat;
++			}
++		}
++		else
++		{	WMF_ERROR (API,"Unexpected pixel depth");
++			API->err = wmf_E_BadFormat;
++		}
+ 	}
+ 
+ 	if (ERR (API))
+--- libwmf-0.2.8.4/src/ipa/ipa.h	2015-06-08 14:46:24.590876393 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa.h	2015-06-08 14:46:35.345993247 +0100
+@@ -48,7 +48,7 @@
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long  ReadBlobLSBLong (BMPSource*);
+ static long           TellBlob (BMPSource*);
+-static void           DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int            DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void           ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int            ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void           SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2015-4695.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4695.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CVE-2015-4695.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CVE-2015-4695.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,56 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2015-4696.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4696.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CVE-2015-4696.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CVE-2015-4696.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,23 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -2585,6 +2585,8 @@
+ 			polyrect.BR[i] = clip->rects[i].BR;
+ 		}
+ 
++		if (FR->region_clip) FR->region_clip (API,&polyrect);
++
+ 		wmf_free (API,polyrect.TL);
+ 		wmf_free (API,polyrect.BR);
+ 	}
+@@ -2593,9 +2595,10 @@
+ 		polyrect.BR = 0;
+ 
+ 		polyrect.count = 0;
++	
++		if (FR->region_clip) FR->region_clip (API,&polyrect);
+ 	}
+ 
+-	if (FR->region_clip) FR->region_clip (API,&polyrect);
+ 
+ 	return (changed);
+ }

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-CVE-2016-9011.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2016-9011.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-CVE-2016-9011.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-CVE-2016-9011.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,36 @@
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ 		WMF_DEBUG (API,"bailing...");
+ 		return (API->err);
+ 	}
+-	
+- 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++
++	U32 nMaxRecordSize = (MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char);
++	if (nMaxRecordSize)
++	{
++		//before allocating memory do a sanity check on size by seeking
++		//to claimed end to see if its possible. We're constrained here
++		//by the api and existing implementations to not simply seeking
++		//to SEEK_END. So use what we have to skip to the last byte and
++		//try and read it.
++		const long nPos = WMF_TELL (API);
++		WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++		if (ERR (API))
++		{	WMF_DEBUG (API,"bailing...");
++			return (API->err);
++		}
++		int byte = WMF_READ (API);
++		if (byte == (-1))
++		{	WMF_ERROR (API,"Unexpected EOF!");
++		       	API->err = wmf_E_EOF;
++		       	return (API->err);
++		}
++		WMF_SEEK (API, nPos);
++	}
++
++ 	P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,27 @@
+--- libwmf-0.2.8.4.orig/src/player.c	2002-12-10 19:30:26.000000000 +0000
++++ libwmf-0.2.8.4/src/player.c	2006-07-12 15:12:52.000000000 +0100
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings               */
+ #include "player/record.h"   /* Provides: parameter mechanism            */
+ #include "player/meta.h"     /* Provides: record interpreters            */
++#include <stdint.h>
+ 
+ /**
+  * @internal
+@@ -132,8 +134,14 @@
+ 		}
+ 	}
+ 
+-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++	if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++	{
++		API->err = wmf_E_InsMem;
++		WMF_DEBUG (API,"bailing...");
++		return (API->err);
++	}
++	
++ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-libpng-1.5.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-libpng-1.5.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-libpng-1.5.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-libpng-1.5.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,12 @@
+diff -urN libwmf-0.2.8.4.old/src/ipa/ipa/bmp.h libwmf-0.2.8.4/src/ipa/ipa/bmp.h
+--- libwmf-0.2.8.4.old/src/ipa/ipa/bmp.h	2011-05-23 19:14:23.000000000 +0200
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2011-05-23 19:15:11.000000000 +0200
+@@ -66,7 +66,7 @@
+ 		return;
+ 	}
+ 
+-	if (setjmp (png_ptr->jmpbuf))
++	if (setjmp(png_jmpbuf(png_ptr)))
+ 	{	WMF_DEBUG (API,"Failed to write bitmap as PNG! (setjmp failed)");
+ 		png_destroy_write_struct (&png_ptr,&info_ptr);
+ 		wmf_free (API,buffer);

Copied: libwmf/repos/staging-i686/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch)
===================================================================
--- staging-i686/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch	                        (rev 0)
+++ staging-i686/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,10 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_clip.c.CVE-2009-1364-im-clip-list	2009-04-24 04:06:44.000000000 -0400
++++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c	2009-04-24 04:08:30.000000000 -0400
+@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRe
+ 	{	more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+ 		if (more == 0) return;
+ 		im->clip->max += 8;
++                im->clip->list = more;
+ 	}
+ 	im->clip->list[im->clip->count] = (*rect);
+ 	im->clip->count++;

Copied: libwmf/repos/staging-x86_64/PKGBUILD (from rev 284392, libwmf/trunk/PKGBUILD)
===================================================================
--- staging-x86_64/PKGBUILD	                        (rev 0)
+++ staging-x86_64/PKGBUILD	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,78 @@
+# $Id$
+# Maintainer: Eric Bélanger <eric at archlinux.org>
+
+pkgname=libwmf
+pkgver=0.2.8.4
+pkgrel=14
+pkgdesc="A library for reading vector images in Microsoft's native Windows Metafile Format (WMF)"
+arch=('i686' 'x86_64')
+url="http://wvware.sourceforge.net/libwmf.html"
+license=('LGPL')
+depends=('libx11' 'libjpeg' 'gsfonts')
+makedepends=('gtk2' 'libxt')
+optdepends=('gdk-pixbuf2: for pixbuf loader')
+options=('!docs' '!emptydirs')
+source=(http://downloads.sourceforge.net/sourceforge/wvware/${pkgname}-${pkgver}.tar.gz
+        libwmf-0.2.8.4-libpng-1.5.patch
+        libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
+        libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
+        libwmf-0.2.8.4-CAN-2004-0941.patch
+        libwmf-0.2.8.4-CVE-2007-0455.patch
+        libwmf-0.2.8.4-CVE-2007-2756.patch
+        libwmf-0.2.8.4-CVE-2007-3472.patch
+        libwmf-0.2.8.4-CVE-2007-3473.patch
+        libwmf-0.2.8.4-CVE-2007-3477.patch
+        libwmf-0.2.8.4-CVE-2009-3546.patch
+        libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
+        libwmf-0.2.8.4-CVE-2015-4695.patch
+        libwmf-0.2.8.4-CVE-2015-4696.patch
+		libwmf-0.2.8.4-CVE-2016-9011.patch)
+sha1sums=('822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89'
+          '42aa4c2a82e4e14044c875a7f439baea732a355a'
+          'ea6d28880840e86c96f9079bfd591da54dcffa5c'
+          '6f130ea9f639ccf88fef0fda74cf9fa3956f81b5'
+          '2f8a46698dac6d5f5c3109cb56ad675ff1efaee0'
+          '380d59744f174e12d4ba4f5cb63f14b6092850fa'
+          '45ae37f79b351fe738212caa3a3c61c9b6fa2d5b'
+          '1836f07750d3a8b4dd6354660875436b0e5c3b07'
+          'c778b89445f621fd5e44b0bbf9d441cceea90d6c'
+          'd0a6fefedd327f99c3ca1c2f7f19adddc2cef50a'
+          '83f32dac05c1492eef1e652c553a5ffc80a3e656'
+          '5608d0565890f2f89435bc13ad57279900ed83b4'
+          '408cfff29160b037b8baa26b4647e02f373b8b85'
+          'e250f5ecefde4bf5c06f7fbc562566ce64204f2a'
+          '9f8670ef0b4862bb84aecc582bfbec45573a8831')
+
+prepare() {
+  cd ${pkgname}-${pkgver}
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-libpng-1.5.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CAN-2004-0941.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-0455.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-2756.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3472.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3473.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3477.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2009-3546.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-4695.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-4696.patch"
+  patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2016-9011.patch"
+}
+
+build() {
+  cd ${pkgname}-${pkgver}
+  ./configure --prefix=/usr \
+              --with-gsfontdir=/usr/share/fonts/Type1 \
+	      --with-fontdir=/usr/share/fonts/Type1 \
+	      --with-gsfontmap=/usr/share/ghostscript/9.10/Resource/Init/Fontmap.GS
+  make
+}
+
+package() {
+  cd ${pkgname}-${pkgver}
+  make DESTDIR="${pkgdir}" install
+  #Remove fonts, these are in gsfonts
+  rm -rf "${pkgdir}/usr/share/fonts"
+}

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CAN-2004-0941.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CAN-2004-0941.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CAN-2004-0941.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CAN-2004-0941.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,17 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c	2004-11-11 14:02:37.407589824 -0500
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c	2004-11-11 14:04:29.672522960 -0500
+@@ -188,6 +188,14 @@
+ 
+   png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 		&interlace_type, NULL, NULL);
++  if (overflow2(sizeof (int), width)) 
++    {
++      return NULL;
++    }
++  if (overflow2(sizeof (int) * width, height)) 
++    {
++      return NULL;
++    }  
+   if ((color_type == PNG_COLOR_TYPE_RGB) ||
+       (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+     {

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2007-0455.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-0455.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CVE-2007-0455.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CVE-2007-0455.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,11 @@
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c	2010-12-06 11:18:26.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdft.c	2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ 	    {
+ 	      ch = c & 0xFF;	/* don't extend sign */
+ 	    }
+-	  next++;
++	  if (*next) next++;
+ 	}
+       else
+ 	{

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2007-2756.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-2756.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CVE-2007-2756.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CVE-2007-2756.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,16 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c	1 Apr 2007 20:41:01 -0000	1.21.2.1
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c	16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ 	       png_bytep data, png_size_t length)
+ {
+-  gdGetBuf (data, length, (gdIOCtx *)
+-	    png_get_io_ptr (png_ptr));
++  int check;
++  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++  if (check != length) {
++    png_error(png_ptr, "Read Error: truncated data");
++  }
+ }
+ 
+ static void

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2007-3472.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3472.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CVE-2007-3472.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CVE-2007-3472.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,59 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+   gdImagePtr im;
+   unsigned long cpa_size;
+ 
++  if (overflow2(sx, sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof (int *), sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof(int), sx)) {
++    return NULL;
++  }
++
+   im = (gdImage *) gdMalloc (sizeof (gdImage));
+   if (im == 0) return 0;
+   memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c	2010-12-06 11:47:31.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c	2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+ 
+@@ -94,3 +95,18 @@
+ {
+   free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++	if(a < 0 || b < 0) {
++		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++		return 1;
++	}
++	if(b == 0)
++		return 0;
++	if(a > INT_MAX / b) {
++		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++		return 1;
++	}
++	return 0;
++}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h	2010-12-06 11:47:17.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h	2010-12-06 11:48:36.000000000 +0000
+@@ -15,4 +15,6 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+ 
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2007-3473.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3473.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CVE-2007-3473.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CVE-2007-3473.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+     }
+   bytes = (w * h / 8) + 1;
+   im = gdImageCreate (w, h);
++  if (!im) {
++    return 0;
++  }
++
+   gdImageColorAllocate (im, 255, 255, 255);
+   gdImageColorAllocate (im, 0, 0, 0);
+   x = 0;

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2007-3477.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3477.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CVE-2007-3477.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CVE-2007-3477.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,38 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+   int w2, h2;
+   w2 = w / 2;
+   h2 = h / 2;
+-  while (e < s)
+-    {
+-      e += 360;
+-    }
++
++  if ((s % 360)  == (e % 360)) {
++         s = 0; e = 360;
++  } else {
++         if (s > 360) {
++                 s = s % 360;
++         }
++
++         if (e > 360) {
++                 e = e % 360;
++         }
++
++         while (s < 0) {
++                 s += 360;
++         }
++
++         while (e < s) {
++                 e += 360;
++         }
++
++         if (s == e) {
++                 s = 0; e = 360;
++         }
++  }
++
+   for (i = s; (i <= e); i++)
+     {
+       int x, y;

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2009-3546.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2009-3546.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CVE-2009-3546.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CVE-2009-3546.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c	2010-12-06 14:56:06.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c	2010-12-06 14:57:04.000000000 +0000
+@@ -42,6 +42,10 @@
+ 	    {
+ 	      goto fail1;
+ 	    }
++	  if (&im->colorsTotal > gdMaxColors)
++	    {
++	      goto fail1;
++	    }
+ 	}
+       /* Int to accommodate truecolor single-color transparency */
+       if (!gdGetInt (&im->transparent, in))

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,118 @@
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-08 14:46:24.591876404 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-08 14:46:35.345993247 +0100
+@@ -859,7 +859,7 @@
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ {	int byte;
+ 	int count;
+ 	int i;
+@@ -870,12 +870,14 @@
+ 	U32 u;
+ 
+ 	unsigned char* q;
++	unsigned char* end;
+ 
+ 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+ 
+ 	byte = 0;
+ 	x = 0;
+ 	q = pixels;
++	end = pixels + bmp->width * bmp->height;
+ 
+ 	for (y = 0; y < bmp->height; )
+ 	{	count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@
+ 		{	/* Encoded mode. */
+ 			byte = ReadBlobByte (src);
+ 			for (i = 0; i < count; i++)
+-			{	if (compression == 1)
++			{	
++				if (q == end)
++					return 0;
++			 	if (compression == 1)
+ 				{	(*(q++)) = (unsigned char) byte;
+ 				}
+ 				else
+@@ -896,13 +901,15 @@
+ 		else
+ 		{	/* Escape mode. */
+ 			count = ReadBlobByte (src);
+-			if (count == 0x01) return;
++			if (count == 0x01) return 1;
+ 			switch (count)
+ 			{
+ 			case 0x00:
+ 			 {	/* End of line. */
+ 				x = 0;
+ 				y++;
++				if (y >= bmp->height)
++					return 0;
+ 				q = pixels + y * bmp->width;
+ 				break;
+ 			 }
+@@ -910,13 +917,20 @@
+ 			 {	/* Delta mode. */
+ 				x += ReadBlobByte (src);
+ 				y += ReadBlobByte (src);
++				if (y >= bmp->height)
++					return 0;
++				if (x >= bmp->width)
++					return 0;
+ 				q = pixels + y * bmp->width + x;
+ 				break;
+ 			 }
+ 			default:
+ 			 {	/* Absolute mode. */
+ 				for (i = 0; i < count; i++)
+-				{	if (compression == 1)
++				{
++					if (q == end)
++						return 0;
++					if (compression == 1)
+ 					{	(*(q++)) = ReadBlobByte (src);
+ 					}
+ 					else
+@@ -943,7 +957,7 @@
+ 	byte = ReadBlobByte (src);  /* end of line */
+ 	byte = ReadBlobByte (src);
+ 
+-	return;
++	return 1;
+ }
+ 
+ /*
+@@ -1143,8 +1157,18 @@
+ 		}
+ 	}
+ 	else
+-	{	/* Convert run-length encoded raster pixels. */
+-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++	{
++		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
++		{
++			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
++			{	WMF_ERROR (API,"corrupt bmp");
++				API->err = wmf_E_BadFormat;
++			}
++		}
++		else
++		{	WMF_ERROR (API,"Unexpected pixel depth");
++			API->err = wmf_E_BadFormat;
++		}
+ 	}
+ 
+ 	if (ERR (API))
+--- libwmf-0.2.8.4/src/ipa/ipa.h	2015-06-08 14:46:24.590876393 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa.h	2015-06-08 14:46:35.345993247 +0100
+@@ -48,7 +48,7 @@
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long  ReadBlobLSBLong (BMPSource*);
+ static long           TellBlob (BMPSource*);
+-static void           DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int            DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void           ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int            ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void           SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2015-4695.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4695.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CVE-2015-4695.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CVE-2015-4695.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,56 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2015-4696.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4696.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CVE-2015-4696.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CVE-2015-4696.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,23 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -2585,6 +2585,8 @@
+ 			polyrect.BR[i] = clip->rects[i].BR;
+ 		}
+ 
++		if (FR->region_clip) FR->region_clip (API,&polyrect);
++
+ 		wmf_free (API,polyrect.TL);
+ 		wmf_free (API,polyrect.BR);
+ 	}
+@@ -2593,9 +2595,10 @@
+ 		polyrect.BR = 0;
+ 
+ 		polyrect.count = 0;
++	
++		if (FR->region_clip) FR->region_clip (API,&polyrect);
+ 	}
+ 
+-	if (FR->region_clip) FR->region_clip (API,&polyrect);
+ 
+ 	return (changed);
+ }

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-CVE-2016-9011.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-CVE-2016-9011.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-CVE-2016-9011.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-CVE-2016-9011.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,36 @@
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ 		WMF_DEBUG (API,"bailing...");
+ 		return (API->err);
+ 	}
+-	
+- 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++
++	U32 nMaxRecordSize = (MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char);
++	if (nMaxRecordSize)
++	{
++		//before allocating memory do a sanity check on size by seeking
++		//to claimed end to see if its possible. We're constrained here
++		//by the api and existing implementations to not simply seeking
++		//to SEEK_END. So use what we have to skip to the last byte and
++		//try and read it.
++		const long nPos = WMF_TELL (API);
++		WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++		if (ERR (API))
++		{	WMF_DEBUG (API,"bailing...");
++			return (API->err);
++		}
++		int byte = WMF_READ (API);
++		if (byte == (-1))
++		{	WMF_ERROR (API,"Unexpected EOF!");
++		       	API->err = wmf_E_EOF;
++		       	return (API->err);
++		}
++		WMF_SEEK (API, nPos);
++	}
++
++ 	P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,27 @@
+--- libwmf-0.2.8.4.orig/src/player.c	2002-12-10 19:30:26.000000000 +0000
++++ libwmf-0.2.8.4/src/player.c	2006-07-12 15:12:52.000000000 +0100
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings               */
+ #include "player/record.h"   /* Provides: parameter mechanism            */
+ #include "player/meta.h"     /* Provides: record interpreters            */
++#include <stdint.h>
+ 
+ /**
+  * @internal
+@@ -132,8 +134,14 @@
+ 		}
+ 	}
+ 
+-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++	if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++	{
++		API->err = wmf_E_InsMem;
++		WMF_DEBUG (API,"bailing...");
++		return (API->err);
++	}
++	
++ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-libpng-1.5.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-libpng-1.5.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-libpng-1.5.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-libpng-1.5.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,12 @@
+diff -urN libwmf-0.2.8.4.old/src/ipa/ipa/bmp.h libwmf-0.2.8.4/src/ipa/ipa/bmp.h
+--- libwmf-0.2.8.4.old/src/ipa/ipa/bmp.h	2011-05-23 19:14:23.000000000 +0200
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2011-05-23 19:15:11.000000000 +0200
+@@ -66,7 +66,7 @@
+ 		return;
+ 	}
+ 
+-	if (setjmp (png_ptr->jmpbuf))
++	if (setjmp(png_jmpbuf(png_ptr)))
+ 	{	WMF_DEBUG (API,"Failed to write bitmap as PNG! (setjmp failed)");
+ 		png_destroy_write_struct (&png_ptr,&info_ptr);
+ 		wmf_free (API,buffer);

Copied: libwmf/repos/staging-x86_64/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch (from rev 284392, libwmf/trunk/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch)
===================================================================
--- staging-x86_64/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch	                        (rev 0)
+++ staging-x86_64/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch	2016-12-21 20:43:03 UTC (rev 284393)
@@ -0,0 +1,10 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_clip.c.CVE-2009-1364-im-clip-list	2009-04-24 04:06:44.000000000 -0400
++++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c	2009-04-24 04:08:30.000000000 -0400
+@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRe
+ 	{	more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+ 		if (more == 0) return;
+ 		im->clip->max += 8;
++                im->clip->list = more;
+ 	}
+ 	im->clip->list[im->clip->count] = (*rect);
+ 	im->clip->count++;



More information about the arch-commits mailing list