Merge branch 'staging'

Leo Famulari 2016-12-11 15:03:52 -05:00
commit 4a990395d7
GPG key ID: 2646FA30BACA7F08
39 changed files with 118 additions and 1564 deletions


@ -661,6 +661,7 @@ dist_patch_DATA = \
%D%/packages/patches/libcanberra-sound-theme-freedesktop.patch \
%D%/packages/patches/libcmis-fix-test-onedrive.patch \
%D%/packages/patches/libdrm-symbol-check.patch \
%D%/packages/patches/libepoxy-gl-null-checks.patch \
%D%/packages/patches/libevent-dns-tests.patch \
%D%/packages/patches/libextractor-ffmpeg-3.patch \
%D%/packages/patches/libjxr-fix-function-signature.patch \
@ -675,16 +676,6 @@ dist_patch_DATA = \
%D%/packages/patches/libssh-0.6.5-CVE-2016-0739.patch \
%D%/packages/patches/libtar-CVE-2013-4420.patch \
%D%/packages/patches/libtheora-config-guess.patch \
%D%/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch \
%D%/packages/patches/libtiff-CVE-2016-3623.patch \
%D%/packages/patches/libtiff-CVE-2016-3945.patch \
%D%/packages/patches/libtiff-CVE-2016-3990.patch \
%D%/packages/patches/libtiff-CVE-2016-3991.patch \
%D%/packages/patches/libtiff-CVE-2016-5314.patch \
%D%/packages/patches/libtiff-CVE-2016-5321.patch \
%D%/packages/patches/libtiff-CVE-2016-5323.patch \
%D%/packages/patches/libtiff-oob-accesses-in-decode.patch \
%D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
%D%/packages/patches/libtool-skip-tests2.patch \
%D%/packages/patches/libunwind-CVE-2015-3239.patch \
%D%/packages/patches/libupnp-CVE-2016-6255.patch \
@ -735,16 +726,6 @@ dist_patch_DATA = \
%D%/packages/patches/module-init-tools-moduledir.patch \
%D%/packages/patches/mumps-build-parallelism.patch \
%D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch \
%D%/packages/patches/mupdf-CVE-2016-6265.patch \
%D%/packages/patches/mupdf-CVE-2016-6525.patch \
%D%/packages/patches/mupdf-CVE-2016-7504.patch \
%D%/packages/patches/mupdf-CVE-2016-7505.patch \
%D%/packages/patches/mupdf-CVE-2016-7506.patch \
%D%/packages/patches/mupdf-CVE-2016-7563.patch \
%D%/packages/patches/mupdf-CVE-2016-7564.patch \
%D%/packages/patches/mupdf-CVE-2016-8674.patch \
%D%/packages/patches/mupdf-CVE-2016-9017.patch \
%D%/packages/patches/mupdf-CVE-2016-9136.patch \
%D%/packages/patches/mupen64plus-ui-console-notice.patch \
%D%/packages/patches/musl-CVE-2016-8859.patch \
%D%/packages/patches/mutt-store-references.patch \
@ -854,7 +835,6 @@ dist_patch_DATA = \
%D%/packages/patches/ruby-concurrent-ignore-broken-test.patch \
%D%/packages/patches/ruby-puma-ignore-broken-test.patch \
%D%/packages/patches/ruby-rack-ignore-failing-test.patch \
%D%/packages/patches/ruby-symlinkfix.patch \
%D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
%D%/packages/patches/ruby-yard-fix-skip-of-markdown-tests.patch \
%D%/packages/patches/sed-hurd-path-max.patch \


@ -544,7 +544,8 @@ (define-public fftw
"1kwbx92ps0r7s2mqy7lxbxanslxdzj7dp7r7gmdkzv1j8yqf3kwf"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags '("--enable-shared" "--enable-openmp")
'(#:configure-flags
'("--enable-shared" "--enable-openmp" "--enable-threads")
#:phases (alist-cons-before
'build 'no-native
(lambda _


@ -940,15 +940,15 @@ (define-public glibc/hurd-headers
(define-public tzdata
(package
(name "tzdata")
(version "2016g")
(version "2016j")
(source (origin
(method url-fetch)
(uri (string-append
"http://www.iana.org/time-zones/repository/releases/tzdata"
"https://www.iana.org/time-zones/repository/releases/tzdata"
version ".tar.gz"))
(sha256
(base32
"1lgbh49bsbysibzr7imjsh1xa7pqmimphxvvwh6kncj7pjr3fw9w"))))
"1j4xycpwhs57qnkcxwh3np8wnf3km69n3cf4w6p2yv2z247lxvpm"))))
(build-system gnu-build-system)
(arguments
'(#:tests? #f
@ -996,8 +996,8 @@ (define-public tzdata
version ".tar.gz"))
(sha256
(base32
"0azsz436vd65bkdkdmjgsh7zhh0whnqqfliva45191krmm3hpy8z"))))))
(home-page "http://www.iana.org/time-zones")
"1dxhrk4z0n2di8p0yd6q00pa6bwyz5xqbrfbasiz8785ni7zrvxr"))))))
(home-page "https://www.iana.org/time-zones")
(synopsis "Database of current and historical time zones")
(description "The Time Zone Database (often called tz or zoneinfo)
contains code and data that represent the history of local time for many


@ -132,14 +132,14 @@ (define-public docbook-xml-4.1.2
(define-public docbook-xsl
(package
(name "docbook-xsl")
(version "1.78.1")
(version "1.79.1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://sourceforge/docbook/docbook-xsl/"
version "/docbook-xsl-" version ".tar.bz2"))
(sha256
(base32
"0rxl013ncmz1n6ymk2idvx3hix9pdabk8xn01cpcv32wmfb753y9"))))
"0s59lihif2fr7rznckxr2kfyrvkirv76r1zvidp9b5mj28p4apvj"))))
(build-system trivial-build-system)
(arguments
`(#:builder (let ((name-version (string-append ,name "-" ,version)))


@ -196,7 +196,7 @@ (define libva-without-mesa
(define-public mesa
(package
(name "mesa")
(version "12.0.1")
(version "13.0.2")
(source
(origin
(method url-fetch)
@ -204,7 +204,9 @@ (define-public mesa
version "/mesa-" version ".tar.xz"))
(sha256
(base32
"12b3i59xdn2in2hchrkgh4fwij8zhznibx976l3pdj3qkyvlzcms"))))
"1m8n8kd8kcs5ddyvldiw09wvpi5wwpfmmxlb87d63vgl8lk65vd6"))
(patches
(search-patches "mesa-wayland-egl-symbols-check-mips.patch"))))
(build-system gnu-build-system)
(propagated-inputs
`(("glproto" ,glproto)
@ -227,20 +229,10 @@ (define-public mesa
("makedepend" ,makedepend)
("presentproto" ,presentproto)
("s2tc" ,s2tc)
("udev" ,eudev)
("wayland" ,wayland)))
(native-inputs
`(("pkg-config" ,pkg-config)
("python" ,python-2)
;; XXX To prevent a large number of rebuilds on other systems,
;; apply the following patch on MIPS systems only. In the next
;; core-updates cycle, this patch could be applied on all platforms.
,@(if (string-prefix? "mips" (or (%current-target-system)
(%current-system)))
`(("mips-patch"
,(search-patch "mesa-wayland-egl-symbols-check-mips.patch")))
'())))
("python" ,python-2)))
(arguments
`(#:configure-flags
'(;; drop r300 from default gallium drivers, as it requires llvm
@ -267,16 +259,6 @@ (define-public mesa
'("--with-dri-drivers=nouveau,r200,radeon,swrast"))))
#:phases
(modify-phases %standard-phases
;; Add an 'apply-mips-patch' phase conditionally (see above.)
,@(if (string-prefix? "mips" (or (%current-target-system)
(%current-system)))
`((add-after 'unpack 'apply-mips-patch
(lambda* (#:key inputs #:allow-other-keys)
(let ((patch (assoc-ref inputs "mips-patch")))
(zero? (system* "patch" "-p1" "--force"
"--input" patch))))))
'())
(add-after
'unpack 'patch-create_test_cases
(lambda _
@ -288,7 +270,6 @@ (define-public mesa
'build 'fix-dlopen-libnames
(lambda* (#:key inputs outputs #:allow-other-keys)
(let ((s2tc (assoc-ref inputs "s2tc"))
(udev (assoc-ref inputs "udev"))
(out (assoc-ref outputs "out")))
;; Remain agnostic to .so.X.Y.Z versions while doing
;; the substitutions so we're future-safe.
@ -297,10 +278,6 @@ (define-public mesa
"src/mesa/main/texcompress_s3tc.c")
(("\"libtxc_dxtn\\.so")
(string-append "\"" s2tc "/lib/libtxc_dxtn.so")))
(substitute* "src/loader/loader.c"
(("udev_handle = dlopen\\(name")
(string-append "udev_handle = dlopen(\""
udev "/lib/libudev.so\"")))
(substitute* "src/glx/dri_common.c"
(("dlopen\\(\"libGL\\.so")
(string-append "dlopen(\"" out "/lib/libGL.so")))
@ -485,7 +462,8 @@ (define-public libepoxy
(file-name (string-append name "-" version ".tar.gz"))
(sha256
(base32
"1d1brhwfmlzgnphmdwlvn5wbcrxsdyzf1qfcf8nb89xqzznxs037"))))
"1d1brhwfmlzgnphmdwlvn5wbcrxsdyzf1qfcf8nb89xqzznxs037"))
(patches (search-patches "libepoxy-gl-null-checks.patch"))))
(arguments
`(#:phases
(modify-phases %standard-phases
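Review bot: The rewritten `fix-dlopen-libnames` phase drops the `src/loader/loader.c` libudev substitution together with the `udev` input, but nothing in the hunk records why, so a later reader cannot tell whether Mesa 13.0.2 stopped dlopen'ing libudev or whether that library is now simply found via the runtime search path. If the former is the reason (which the simultaneous removal of the input suggests), a short note in the phase such as `;; Mesa 13 no longer dlopens libudev; only s2tc and libGL still need store paths.` would make the phase self-explaining. Note also that `mesa-wayland-egl-symbols-check-mips.patch` is now applied on every system via the `patches` field, which is what the removed comment anticipated for the next cycle, so the conditional `apply-mips-patch` phase is correctly gone. The `mesa` package definition starts before and continues past the shown hunks.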


@ -64,8 +64,7 @@ (define-module (gnu packages glib)
(define dbus
(package
(name "dbus")
(replacement dbus-1.10.12)
(version "1.10.10")
(version "1.10.14")
(source (origin
(method url-fetch)
(uri (string-append
@ -73,7 +72,7 @@ (define dbus
version ".tar.gz"))
(sha256
(base32
"0hwsfczhx2djmc9116vj5v230i7gpjihwh3vbljs1ldlk831v3wx"))
"10x0wvv2ly4lyyfd42k4xw0ar5qdbi9cksw3l5fcwf1y6mq8y8r3"))
(patches (search-patches "dbus-helper-search-path.patch"))))
(build-system gnu-build-system)
(arguments
@ -132,21 +131,6 @@ (define dbus
shared NFS home directories.")
(license license:gpl2+))) ; or Academic Free License 2.1
(define dbus-1.10.12
(package
(inherit dbus)
(name "dbus")
(source
(let ((version "1.10.12"))
(origin
(inherit (package-source dbus))
(uri (string-append
"https://dbus.freedesktop.org/releases/dbus/dbus-"
version ".tar.gz"))
(sha256
(base32
"0pa71vf5c0d7k3gni06iascmplj0j5g70wbc833ayvi71d1pj2i1")))))))
(define glib
(package
(name "glib")


@ -681,14 +681,14 @@ (define-public adwaita-icon-theme
(define-public shared-mime-info
(package
(name "shared-mime-info")
(version "1.6")
(version "1.7")
(source (origin
(method url-fetch)
(uri (string-append "https://freedesktop.org/~hadess/"
"shared-mime-info-" version ".tar.xz"))
(sha256
(base32
"0k637g047gci8g69bg4g19akylpfraxm40hd30j3i4v7cidziy5j"))))
"0bjd2j1rqrj150mr04j7ib71lfdlgbf235fg8d70g8mszqf7ik7a"))))
(build-system gnu-build-system)
(arguments
;; The build system appears not to be parallel-safe.
@ -2140,7 +2140,7 @@ (define-public rest
(define-public libsoup
(package
(name "libsoup")
(version "2.54.1")
(version "2.56.0")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnome/sources/libsoup/"
@ -2148,7 +2148,7 @@ (define-public libsoup
name "-" version ".tar.xz"))
(sha256
(base32
"0cyn5pq4xl1gb8413h2p4d5wrn558dc054zhwmk4swrl40ijrd27"))))
"1r8zz270qdg92gbsvy61d51y1cj7hp059h2f4xpvqiw2vrqnn8fq"))))
(build-system gnu-build-system)
(outputs '("out" "doc"))
(arguments


@ -102,7 +102,6 @@ (define-public atk
(define-public cairo
(package
(name "cairo")
(replacement cairo/fixed)
(version "1.14.6")
(source (origin
(method url-fetch)
@ -110,7 +109,8 @@ (define-public cairo
version ".tar.xz"))
(sha256
(base32
"0lmjlzmghmr27y615px9hkm552x7ap6pmq9mfbzr6smp8y2b6g31"))))
"0lmjlzmghmr27y615px9hkm552x7ap6pmq9mfbzr6smp8y2b6g31"))
(patches (search-patches "cairo-CVE-2016-9082.patch"))))
(build-system gnu-build-system)
(propagated-inputs
`(("fontconfig" ,fontconfig)
@ -156,10 +156,6 @@ (define-public cairo-xcb
(package
(inherit cairo)
(name "cairo-xcb")
(source (origin
(inherit (package-source cairo))
(patches (search-patches "cairo-CVE-2016-9082.patch"))))
(replacement #f)
(inputs
`(("mesa" ,mesa)
,@(package-inputs cairo)))
@ -169,17 +165,10 @@ (define-public cairo-xcb
'("--enable-xlib-xcb" "--enable-gl" "--enable-egl")))
(synopsis "2D graphics library (with X11 support)")))
(define cairo/fixed
(package
(inherit cairo)
(source (origin
(inherit (package-source cairo))
(patches (search-patches "cairo-CVE-2016-9082.patch"))))))
(define-public harfbuzz
(package
(name "harfbuzz")
(version "1.2.4")
(version "1.3.3")
(source (origin
(method url-fetch)
(uri (string-append "https://www.freedesktop.org/software/"
@ -187,7 +176,7 @@ (define-public harfbuzz
version ".tar.bz2"))
(sha256
(base32
"14g4kpph8hgplkm954daxiymxx0vicfq7b7svvdsx54g5bqvv7a4"))))
"1jdkdjvci5d6r26vimsz24hz3xqqrk5xq40n693jn4m42mqrh816"))))
(build-system gnu-build-system)
(outputs '("out"
"bin")) ; 160K, only hb-view depend on cairo
@ -212,7 +201,7 @@ (define-public harfbuzz
"HarfBuzz is an OpenType text shaping engine.")
(license (license:x11-style "file://COPYING"
"See 'COPYING' in the distribution."))
(home-page "http://www.freedesktop.org/wiki/Software/HarfBuzz/")))
(home-page "https://www.freedesktop.org/wiki/Software/HarfBuzz/")))
(define-public pango
(package


@ -38,6 +38,8 @@ (define-module (gnu packages image)
#:use-module (gnu packages compression)
#:use-module (gnu packages documentation)
#:use-module (gnu packages fontutils)
;; To provide gcc@5 and gcc@6, to work around <http://bugs.gnu.org/24703>.
#:use-module (gnu packages gcc)
#:use-module (gnu packages gettext)
#:use-module (gnu packages ghostscript)
#:use-module (gnu packages gl)
@ -246,25 +248,14 @@ (define-public libicns
(define-public libtiff
(package
(name "libtiff")
(replacement libtiff-4.0.7)
(version "4.0.6")
(version "4.0.7")
(source (origin
(method url-fetch)
(uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-"
version ".tar.gz"))
(sha256 (base32
"136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd"))
(patches (search-patches
"libtiff-oob-accesses-in-decode.patch"
"libtiff-oob-write-in-nextdecode.patch"
"libtiff-CVE-2015-8665+CVE-2015-8683.patch"
"libtiff-CVE-2016-3623.patch"
"libtiff-CVE-2016-3945.patch"
"libtiff-CVE-2016-3990.patch"
"libtiff-CVE-2016-3991.patch"
"libtiff-CVE-2016-5314.patch"
"libtiff-CVE-2016-5321.patch"
"libtiff-CVE-2016-5323.patch"))))
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
version ".tar.gz"))
(sha256
(base32
"06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
(build-system gnu-build-system)
(outputs '("out"
"doc")) ;1.3 MiB of HTML documentation
@ -274,6 +265,9 @@ (define-public libtiff
(assoc-ref %outputs "doc")
"/share/doc/"
,name "-" ,version))))
;; Build with a patched GCC to work around <http://bugs.gnu.org/24703>.
(native-inputs
`(("gcc@5" ,gcc-5)))
(inputs `(("zlib" ,zlib)
("libjpeg" ,libjpeg)))
(synopsis "Library for handling TIFF files")
@ -284,20 +278,7 @@ (define-public libtiff
collection of tools for doing simple manipulations of TIFF images.")
(license (license:non-copyleft "file://COPYRIGHT"
"See COPYRIGHT in the distribution."))
(home-page "http://www.remotesensing.org/libtiff/")))
(define libtiff-4.0.7
(package
(inherit libtiff)
(version "4.0.7")
(source (origin
(method url-fetch)
(uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
version ".tar.gz"))
(sha256
(base32
"06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz"))))
(home-page "http://www.simplesystems.org/libtiff/")))
(home-page "http://www.simplesystems.org/libtiff/")))
(define-public libwmf
(package
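Review bot: The comment added above `#:use-module (gnu packages gcc)` says the import is there to provide gcc@5 and gcc@6, but the only use visible in this section is `("gcc@5" ,gcc-5)` in libtiff's new `native-inputs`; unless gcc-6 is referenced in a part of the file not shown, the comment overstates what is used and I would trim it to `;; To provide gcc@5, to work around <http://bugs.gnu.org/24703>.`. Dropping the ten libtiff CVE patches together with the move to 4.0.7 is consistent with those fixes having come from upstream CVS ahead of the 4.0.7 release, but nothing in the section says so, so a reader has to re-check upstream to confirm none of them regressed. The `(define-module ...)` form and the `libtiff` definition both extend outside the shown hunks.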


@ -2503,7 +2503,7 @@ (define-public sbc
(define-public bluez
(package
(name "bluez")
(version "5.40")
(version "5.43")
(source (origin
(method url-fetch)
(uri (string-append
@ -2511,7 +2511,7 @@ (define-public bluez
version ".tar.xz"))
(sha256
(base32
"09ywk3lvgis0nbi0d5z8d4qp5r33lzwnd6bdakacmbsm420qpnns"))))
"05cdnpz0w2lwq2x5ba87q1h2wgb4lfnpbnbh6p7499hx59fw1j8n"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags


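--- /dev/null
+++ b/gnu/packages/patches/libepoxy-gl-null-checks.patch
@@ -0,0 +1,54 @@
+This patch from <https://bugzilla.redhat.com/show_bug.cgi?id=1395366> adds NULL
+checks to avoid crashes when GL support is missing, as is the case when running
+Xvfb.
+Upstream issue: <https://github.com/anholt/libepoxy/issues/72>.
+diff -ur libepoxy-1.3.1/src/dispatch_common.c libepoxy-1.3.1/src/dispatch_common.c
+--- libepoxy-1.3.1/src/dispatch_common.c 2015-07-15 19:46:36.000000000 -0400
++++ libepoxy-1.3.1/src/dispatch_common.c 2016-11-16 09:03:52.809066247 -0500
+@@ -348,6 +348,8 @@
+epoxy_extension_in_string(const char *extension_list, const char *ext)
+{
+const char *ptr = extension_list;
++ if (! ptr) return false;
++ if (! ext) return false;
+int len = strlen(ext);
+/* Make sure that don't just find an extension with our name as a prefix. */
+@@ -380,6 +382,7 @@
+for (i = 0; i < num_extensions; i++) {
+const char *gl_ext = (const char *)glGetStringi(GL_EXTENSIONS, i);
++ if (! gl_ext) return false;
+if (strcmp(ext, gl_ext) == 0)
+return true;
+}
+diff -ur libepoxy-1.3.1/src/dispatch_egl.c libepoxy-1.3.1/src/dispatch_egl.c
+--- libepoxy-1.3.1/src/dispatch_egl.c 2015-07-15 19:46:36.000000000 -0400
++++ libepoxy-1.3.1/src/dispatch_egl.c 2016-11-16 08:40:34.069358709 -0500
+@@ -46,6 +46,7 @@
+int ret;
+version_string = eglQueryString(dpy, EGL_VERSION);
++ if (! version_string) return 0;
+ret = sscanf(version_string, "%d.%d", &major, &minor);
+assert(ret == 2);
+return major * 10 + minor;
+diff -ur libepoxy-1.3.1/src/dispatch_glx.c libepoxy-1.3.1/src/dispatch_glx.c
+--- libepoxy-1.3.1/src/dispatch_glx.c 2015-07-15 19:46:36.000000000 -0400
++++ libepoxy-1.3.1/src/dispatch_glx.c 2016-11-16 08:41:03.065730370 -0500
+@@ -57,11 +57,13 @@
+int ret;
+version_string = glXQueryServerString(dpy, screen, GLX_VERSION);
++ if (! version_string) return 0;
+ret = sscanf(version_string, "%d.%d", &server_major, &server_minor);
+assert(ret == 2);
+server = server_major * 10 + server_minor;
+version_string = glXGetClientString(dpy, GLX_VERSION);
++ if (! version_string) return 0;
+ret = sscanf(version_string, "%d.%d", &client_major, &client_minor);
+assert(ret == 2);
+client = client_major * 10 + client_minor;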


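--- a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-2015-12-26 Even Rouault <even.rouault at spatialys.com>
-* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
-interface in case of unsupported values of SamplesPerPixel/ExtraSamples
-for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
-TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
-CVE-2015-8683 reported by zzf of Alibaba.
-diff -u -r1.93 -r1.94
---- libtiff/libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93
-+++ libtiff/libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94
-@@ -182,20 +182,22 @@
-"Planarconfiguration", td->td_planarconfig);
-return (0);
-}
-- if( td->td_samplesperpixel != 3 )
-+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
-{
-sprintf(emsg,
-- "Sorry, can not handle image with %s=%d",
-- "Samples/pixel", td->td_samplesperpixel);
-+ "Sorry, can not handle image with %s=%d, %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels);
-return 0;
-}
-break;
-case PHOTOMETRIC_CIELAB:
-- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
-+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
-{
-sprintf(emsg,
-- "Sorry, can not handle image with %s=%d and %s=%d",
-+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
-"Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels,
-"Bits/sample", td->td_bitspersample);
-return 0;
-}
-@@ -255,6 +257,9 @@
-int colorchannels;
-uint16 *red_orig, *green_orig, *blue_orig;
-int n_color;
-+
-+ if( !TIFFRGBAImageOK(tif, emsg) )
-+ return 0;
-/* Initialize to normal values */
-img->row_offset = 0;
-@@ -2509,29 +2514,33 @@
-case PHOTOMETRIC_RGB:
-switch (img->bitspersample) {
-case 8:
-- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+ img->samplesperpixel >= 4)
-img->put.contig = putRGBAAcontig8bittile;
-- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+ img->samplesperpixel >= 4)
-{
-if (BuildMapUaToAa(img))
-img->put.contig = putRGBUAcontig8bittile;
-}
-- else
-+ else if( img->samplesperpixel >= 3 )
-img->put.contig = putRGBcontig8bittile;
-break;
-case 16:
-- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+ img->samplesperpixel >=4 )
-{
-if (BuildMapBitdepth16To8(img))
-img->put.contig = putRGBAAcontig16bittile;
-}
-- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+ img->samplesperpixel >=4 )
-{
-if (BuildMapBitdepth16To8(img) &&
-BuildMapUaToAa(img))
-img->put.contig = putRGBUAcontig16bittile;
-}
-- else
-+ else if( img->samplesperpixel >=3 )
-{
-if (BuildMapBitdepth16To8(img))
-img->put.contig = putRGBcontig16bittile;
-@@ -2540,7 +2549,7 @@
-}
-break;
-case PHOTOMETRIC_SEPARATED:
-- if (buildMap(img)) {
-+ if (img->samplesperpixel >=4 && buildMap(img)) {
-if (img->bitspersample == 8) {
-if (!img->Map)
-img->put.contig = putRGBcontig8bitCMYKtile;
-@@ -2636,7 +2645,7 @@
-}
-break;
-case PHOTOMETRIC_CIELAB:
-- if (buildMap(img)) {
-+ if (img->samplesperpixel == 3 && buildMap(img)) {
-if (img->bitspersample == 8)
-img->put.contig = initCIELabConversion(img);
-break;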


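--- a/gnu/packages/patches/libtiff-CVE-2016-3623.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fix CVE-2016-3623.
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623
-http://bugzilla.maptools.org/show_bug.cgi?id=2569
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.16 -r1.17 tools/rgb2ycbcr.c
-Index: tools/rgb2ycbcr.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/rgb2ycbcr.c,v
-retrieving revision 1.16
-retrieving revision 1.17
-diff -u -r1.16 -r1.17
---- libtiff/tools/rgb2ycbcr.c 21 Jun 2015 01:09:10 -0000 1.16
-+++ libtiff/tools/rgb2ycbcr.c 15 Aug 2016 21:26:56 -0000 1.17
-@@ -95,9 +95,13 @@
-break;
-case 'h':
-horizSubSampling = atoi(optarg);
-+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
-+ usage(-1);
-break;
-case 'v':
-vertSubSampling = atoi(optarg);
-+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
-+ usage(-1);
-break;
-case 'r':
-rowsperstrip = atoi(optarg);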


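--- a/gnu/packages/patches/libtiff-CVE-2016-3945.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-Fix CVE-2016-3945 (integer overflow in size of allocated
-buffer, when -b mode is enabled, that could result in out-of-bounds
-write).
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945
-http://bugzilla.maptools.org/show_bug.cgi?id=2545
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.21 -r1.22 tools/tiff2rgba.c
-Index: tools/tiff2rgba.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v
-retrieving revision 1.21
-retrieving revision 1.22
-diff -u -r1.21 -r1.22
---- libtiff/tools/tiff2rgba.c 21 Jun 2015 01:09:10 -0000 1.21
-+++ libtiff/tools/tiff2rgba.c 15 Aug 2016 20:06:41 -0000 1.22
-@@ -147,6 +147,7 @@
-uint32 row, col;
-uint32 *wrk_line;
-int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -163,7 +164,13 @@
-/*
-* Allocate tile buffer
-*/
-- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+ rastersize = tile_width * tile_height * sizeof (uint32);
-+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
-if (raster == 0) {
-TIFFError(TIFFFileName(in), "No space for raster buffer");
-return (0);
-@@ -173,7 +180,13 @@
-* Allocate a scanline buffer for swapping during the vertical
-* mirroring pass.
-*/
-- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-+ wrk_linesize = tile_width * sizeof (uint32);
-+ if (tile_width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
-if (!wrk_line) {
-TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
-ok = 0;
-@@ -249,6 +262,7 @@
-uint32 row;
-uint32 *wrk_line;
-int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
-TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -263,7 +277,13 @@
-/*
-* Allocate strip buffer
-*/
-- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+ rastersize = width * rowsperstrip * sizeof (uint32);
-+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
-if (raster == 0) {
-TIFFError(TIFFFileName(in), "No space for raster buffer");
-return (0);
-@@ -273,7 +293,13 @@
-* Allocate a scanline buffer for swapping during the vertical
-* mirroring pass.
-*/
-- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-+ wrk_linesize = width * sizeof (uint32);
-+ if (width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
-if (!wrk_line) {
-TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
-ok = 0;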


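--- a/gnu/packages/patches/libtiff-CVE-2016-3990.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Fix CVE-2016-3990 (write buffer overflow in PixarLogEncode if more input
-samples are provided than expected by PixarLogSetupEncode).
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990
-http://bugzilla.maptools.org/show_bug.cgi?id=2544
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.45 -r1.46 libtiff/tif_pixarlog.c
-Index: libtiff/tif_pixarlog.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
-retrieving revision 1.45
-retrieving revision 1.46
-diff -u -r1.45 -r1.46
---- libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:37:33 -0000 1.45
-+++ libtiff/libtiff/tif_pixarlog.c 15 Aug 2016 20:49:48 -0000 1.46
-@@ -1141,6 +1141,13 @@
-}
-llen = sp->stride * td->td_imagewidth;
-+ /* Check against the number of elements (of size uint16) of sp->tbuf */
-+ if( n > td->td_rowsperstrip * llen )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Too many input bytes provided");
-+ return 0;
-+ }
-for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
-switch (sp->user_datafmt) {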


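--- a/gnu/packages/patches/libtiff-CVE-2016-3991.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-Fix CVE-2016-3991 (out-of-bounds write in loadImage()).
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991
-http://bugzilla.maptools.org/show_bug.cgi?id=2543
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.37 -r1.38 tools/tiffcrop.c
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.37
-retrieving revision 1.38
-diff -u -r1.37 -r1.38
---- libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37
-+++ libtiff/tools/tiffcrop.c 15 Aug 2016 21:05:40 -0000 1.38
-@@ -798,6 +798,11 @@
-}
-tile_buffsize = tilesize;
-+ if (tilesize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
-+ exit(-1);
-+ }
-if (tilesize < (tsize_t)(tl * tile_rowsize))
-{
-@@ -807,7 +812,12 @@
-tilesize, tl * tile_rowsize);
-#endif
-tile_buffsize = tl * tile_rowsize;
-- }
-+ if (tl != (tile_buffsize / tile_rowsize))
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+ exit(-1);
-+ }
-+ }
-tilebuf = _TIFFmalloc(tile_buffsize);
-if (tilebuf == 0)
-@@ -1210,6 +1220,12 @@
-!TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
-return 1;
-+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
-+ exit(-1);
-+ }
-+
-tile_buffsize = tilesize;
-if (tilesize < (tsize_t)(tl * tile_rowsize))
-{
-@@ -1219,6 +1235,11 @@
-tilesize, tl * tile_rowsize);
-#endif
-tile_buffsize = tl * tile_rowsize;
-+ if (tl != tile_buffsize / tile_rowsize)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-}
-tilebuf = _TIFFmalloc(tile_buffsize);
-@@ -5945,12 +5966,27 @@
-TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
-tile_rowsize = TIFFTileRowSize(in);
-+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
-+ exit(-1);
-+ }
-buffsize = tlsize * ntiles;
-+ if (tlsize != (buffsize / ntiles))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
--
-if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
-{
-buffsize = ntiles * tl * tile_rowsize;
-+ if (ntiles != (buffsize / tl / tile_rowsize))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+
-#ifdef DEBUG2
-TIFFError("loadImage",
-"Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
-@@ -5969,8 +6005,25 @@
-TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
-stsize = TIFFStripSize(in);
-nstrips = TIFFNumberOfStrips(in);
-+ if (nstrips == 0 || stsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
-+ exit(-1);
-+ }
-+
-buffsize = stsize * nstrips;
--
-+ if (stsize != (buffsize / nstrips))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+ uint32 buffsize_check;
-+ buffsize_check = ((length * width * spp * bps) + 7);
-+ if (length != ((buffsize_check - 7) / width / spp / bps))
-+ {
-+ TIFFError("loadImage", "Integer overflow detected.");
-+ exit(-1);
-+ }
-if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
-{
-buffsize = ((length * width * spp * bps) + 7) / 8;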


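--- a/gnu/packages/patches/libtiff-CVE-2016-5314.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2016-5314.
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5314
-bugzilla.maptools.org/show_bug.cgi?id=2554
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.43 -r1.44 libtiff/tif_pixarlog.c
-Index: libtiff/tif_pixarlog.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
-retrieving revision 1.43
-retrieving revision 1.44
-diff -u -r1.43 -r1.44
---- libtiff/libtiff/tif_pixarlog.c 27 Dec 2015 20:14:11 -0000 1.43
-+++ libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:12:19 -0000 1.44
-@@ -459,6 +459,7 @@
-typedef struct {
-TIFFPredictorState predict;
-z_stream stream;
-+ tmsize_t tbuf_size; /* only set/used on reading for now */
-uint16 *tbuf;
-uint16 stride;
-int state;
-@@ -694,6 +695,7 @@
-sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
-if (sp->tbuf == NULL)
-return (0);
-+ sp->tbuf_size = tbuf_size;
-if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
-sp->user_datafmt = PixarLogGuessDataFmt(td);
-if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
-@@ -783,6 +785,12 @@
-TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
-return (0);
-}
-+ /* Check that we will not fill more than what was allocated */
-+ if (sp->stream.avail_out > sp->tbuf_size)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
-+ return (0);
-+ }
-do {
-int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
-if (state == Z_STREAM_END) {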


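--- a/gnu/packages/patches/libtiff-CVE-2016-5321.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Fix CVE-2016-5321.
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321
-http://bugzilla.maptools.org/show_bug.cgi?id=2558
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.35 -r1.36 tools/tiffcrop.c
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.35
-retrieving revision 1.36
-diff -u -r1.35 -r1.36
---- libtiff/tools/tiffcrop.c 19 Aug 2015 02:31:04 -0000 1.35
-+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
-@@ -989,7 +989,7 @@
-nrow = (row + tl > imagelength) ? imagelength - row : tl;
-for (col = 0; col < imagewidth; col += tw)
-{
-- for (s = 0; s < spp; s++)
-+ for (s = 0; s < spp && s < MAX_SAMPLES; s++)
-{ /* Read each plane of a tile set into srcbuffs[s] */
-tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
-if (tbytes < 0 && !ignore)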


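--- a/gnu/packages/patches/libtiff-CVE-2016-5323.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-Fix CVE-2016-5323.
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323
-http://bugzilla.maptools.org/show_bug.cgi?id=2559
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.36 -r1.37 tools/tiffcrop.c
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.36
-retrieving revision 1.37
-diff -u -r1.36 -r1.37
---- libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
-+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37
-@@ -3738,7 +3738,7 @@
-matchbits = maskbits << (8 - src_bit - bps);
-/* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-buff1 = ((*src) & matchbits) << (src_bit);
-@@ -3837,7 +3837,7 @@
-src_bit = bit_offset % 8;
-matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
-@@ -3947,7 +3947,7 @@
-src_bit = bit_offset % 8;
-matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
-@@ -4073,7 +4073,7 @@
-src_bit = bit_offset % 8;
-matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
-@@ -4263,7 +4263,7 @@
-matchbits = maskbits << (8 - src_bit - bps);
-/* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-buff1 = ((*src) & matchbits) << (src_bit);
-@@ -4362,7 +4362,7 @@
-src_bit = bit_offset % 8;
-matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
-@@ -4471,7 +4471,7 @@
-src_bit = bit_offset % 8;
-matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)
-@@ -4597,7 +4597,7 @@
-src_bit = bit_offset % 8;
-matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
-{
-src = in[s] + src_offset + src_byte;
-if (little_endian)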


@ -1,171 +0,0 @@
2015-12-27 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_luv.c: fix potential out-of-bound writes in decode
functions in non debug builds by replacing assert()s by regular if
checks (bugzilla #2522).
Fix potential out-of-bound reads in case of short input data.
diff -u -r1.40 -r1.41
--- libtiff/libtiff/tif_luv.c 21 Jun 2015 01:09:09 -0000 1.40
+++ libtiff/libtiff/tif_luv.c 27 Dec 2015 16:25:11 -0000 1.41
@@ -1,4 +1,4 @@
-/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
/*
* Copyright (c) 1997 Greg Ward Larson
@@ -202,7 +202,11 @@
if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
tp = (int16*) op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (int16*) sp->tbuf;
}
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -211,9 +215,11 @@
cc = tif->tif_rawcc;
/* get each byte string */
for (shft = 2*8; (shft -= 8) >= 0; ) {
- for (i = 0; i < npixels && cc > 0; )
+ for (i = 0; i < npixels && cc > 0; ) {
if (*bp >= 128) { /* run */
- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+ if( cc < 2 )
+ break;
+ rc = *bp++ + (2-128);
b = (int16)(*bp++ << shft);
cc -= 2;
while (rc-- && i < npixels)
@@ -223,6 +229,7 @@
while (--cc && rc-- && i < npixels)
tp[i++] |= (int16)*bp++ << shft;
}
+ }
if (i != npixels) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -268,13 +275,17 @@
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
tp = (uint32 *)op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (uint32 *) sp->tbuf;
}
/* copy to array of uint32 */
bp = (unsigned char*) tif->tif_rawcp;
cc = tif->tif_rawcc;
- for (i = 0; i < npixels && cc > 0; i++) {
+ for (i = 0; i < npixels && cc >= 3; i++) {
tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
bp += 3;
cc -= 3;
@@ -325,7 +336,11 @@
if (sp->user_datafmt == SGILOGDATAFMT_RAW)
tp = (uint32*) op;
else {
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
tp = (uint32*) sp->tbuf;
}
_TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
@@ -334,11 +349,13 @@
cc = tif->tif_rawcc;
/* get each byte string */
for (shft = 4*8; (shft -= 8) >= 0; ) {
- for (i = 0; i < npixels && cc > 0; )
+ for (i = 0; i < npixels && cc > 0; ) {
if (*bp >= 128) { /* run */
+ if( cc < 2 )
+ break;
rc = *bp++ + (2-128);
b = (uint32)*bp++ << shft;
- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
+ cc -= 2;
while (rc-- && i < npixels)
tp[i++] |= b;
} else { /* non-run */
@@ -346,6 +363,7 @@
while (--cc && rc-- && i < npixels)
tp[i++] |= (uint32)*bp++ << shft;
}
+ }
if (i != npixels) {
#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
TIFFErrorExt(tif->tif_clientdata, module,
@@ -413,6 +431,7 @@
static int
LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogL16Encode";
LogLuvState* sp = EncoderState(tif);
int shft;
tmsize_t i;
@@ -433,7 +452,11 @@
tp = (int16*) bp;
else {
tp = (int16*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* compress each byte string */
@@ -506,6 +529,7 @@
static int
LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogLuvEncode24";
LogLuvState* sp = EncoderState(tif);
tmsize_t i;
tmsize_t npixels;
@@ -521,7 +545,11 @@
tp = (uint32*) bp;
else {
tp = (uint32*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* write out encoded pixels */
@@ -553,6 +581,7 @@
static int
LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
{
+ static const char module[] = "LogLuvEncode32";
LogLuvState* sp = EncoderState(tif);
int shft;
tmsize_t i;
@@ -574,7 +603,11 @@
tp = (uint32*) bp;
else {
tp = (uint32*) sp->tbuf;
- assert(sp->tbuflen >= npixels);
+ if(sp->tbuflen < npixels) {
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Translation buffer too short");
+ return (0);
+ }
(*sp->tfunc)(sp, bp, npixels);
}
/* compress each byte string */


@ -1,49 +0,0 @@
2015-12-27 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
(bugzilla #2508)
diff -u -r1.16 -r1.18
--- libtiff/libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16
+++ libtiff/libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18
@@ -1,4 +1,4 @@
-/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
+/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */
/*
* Copyright (c) 1988-1997 Sam Leffler
@@ -37,7 +37,7 @@
case 0: op[0] = (unsigned char) ((v) << 6); break; \
case 1: op[0] |= (v) << 4; break; \
case 2: op[0] |= (v) << 2; break; \
- case 3: *op++ |= (v); break; \
+ case 3: *op++ |= (v); op_offset++; break; \
} \
}
@@ -103,6 +103,7 @@
}
default: {
uint32 npixels = 0, grey;
+ tmsize_t op_offset = 0;
uint32 imagewidth = tif->tif_dir.td_imagewidth;
if( isTiled(tif) )
imagewidth = tif->tif_dir.td_tilewidth;
@@ -122,10 +123,15 @@
* bounds, potentially resulting in a security
* issue.
*/
- while (n-- > 0 && npixels < imagewidth)
+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
SETPIXEL(op, grey);
if (npixels >= imagewidth)
break;
+ if (op_offset >= scanline ) {
+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
+ (long) tif->tif_row);
+ return (0);
+ }
if (cc == 0)
goto bad;
n = *bp++, cc--;


@ -1,30 +0,0 @@
Fix CVE-2016-6265 (use after free in pdf_load_xref()).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265
https://security-tracker.debian.org/tracker/CVE-2016-6265
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 576c315..3222599 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
}
if (entry->type == 'o')
- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
+ {
+ /* Read this into a local variable here, because pdf_get_xref_entry
+ * may solidify the xref, hence invalidating "entry", meaning we
+ * need a stashed value for the throw. */
+ fz_off_t ofs = entry->ofs;
+ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
+ }
}
}


@ -1,21 +0,0 @@
Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
https://security-tracker.debian.org/tracker/CVE-2016-6525
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c
index 7815b3c..6e25efa 100644
--- a/source/pdf/pdf-shade.c
+++ b/source/pdf/pdf-shade.c
@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob
obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
if (pdf_array_len(ctx, obj) >= 6)
{
- n = (pdf_array_len(ctx, obj) - 4) / 2;
+ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));


@ -1,99 +0,0 @@
Fix CVE-2016-7504:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7504
http://bugs.ghostscript.com/show_bug.cgi?id=697142
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5c337af4b3df80cf967e4f9f6a21522de84b392a
From 5c337af4b3df80cf967e4f9f6a21522de84b392a Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 21 Sep 2016 16:01:08 +0200
Subject: [PATCH] Fix bug 697142: Stale string pointer stored in regexp object.
Make sure to make a copy of the source pattern string.
A case we missed when adding short and memory strings to the runtime.
The code assumed all strings passed to it were either literal or interned.
---
jsgc.c | 4 +++-
jsi.h | 1 +
jsregexp.c | 2 +-
jsrun.c | 8 ++++++++
jsvalue.h | 2 +-
5 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/jsgc.c b/jsgc.c
index 9bd6482..4f7e7dc 100644
--- a/thirdparty/mujs/jsgc.c
+++ b/thirdparty/mujs/jsgc.c
@@ -44,8 +44,10 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
{
if (obj->head)
jsG_freeproperty(J, obj->head);
- if (obj->type == JS_CREGEXP)
+ if (obj->type == JS_CREGEXP) {
+ js_free(J, obj->u.r.source);
js_regfree(obj->u.r.prog);
+ }
if (obj->type == JS_CITERATOR)
jsG_freeiterator(J, obj->u.iter.head);
if (obj->type == JS_CUSERDATA && obj->u.user.finalize)
diff --git a/jsi.h b/jsi.h
index 7d9f7c7..e855045 100644
--- a/thirdparty/mujs/jsi.h
+++ b/thirdparty/mujs/jsi.h
@@ -79,6 +79,7 @@ typedef unsigned short js_Instruction;
/* String interning */
+char *js_strdup(js_State *J, const char *s);
const char *js_intern(js_State *J, const char *s);
void jsS_dumpstrings(js_State *J);
void jsS_freestrings(js_State *J);
diff --git a/jsregexp.c b/jsregexp.c
index 2a056b7..a2d5156 100644
--- a/thirdparty/mujs/jsregexp.c
+++ b/thirdparty/mujs/jsregexp.c
@@ -21,7 +21,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
js_syntaxerror(J, "regular expression: %s", error);
obj->u.r.prog = prog;
- obj->u.r.source = pattern;
+ obj->u.r.source = js_strdup(J, pattern);
obj->u.r.flags = flags;
obj->u.r.last = 0;
js_pushobject(J, obj);
diff --git a/jsrun.c b/jsrun.c
index 2648c4c..ee80845 100644
--- a/thirdparty/mujs/jsrun.c
+++ b/thirdparty/mujs/jsrun.c
@@ -45,6 +45,14 @@ void *js_realloc(js_State *J, void *ptr, int size)
return ptr;
}
+char *js_strdup(js_State *J, const char *s)
+{
+ int n = strlen(s) + 1;
+ char *p = js_malloc(J, n);
+ memcpy(p, s, n);
+ return p;
+}
+
void js_free(js_State *J, void *ptr)
{
J->alloc(J->actx, ptr, 0);
diff --git a/jsvalue.h b/jsvalue.h
index 6cfbd89..8fb5016 100644
--- a/thirdparty/mujs/jsvalue.h
+++ b/thirdparty/mujs/jsvalue.h
@@ -71,7 +71,7 @@ struct js_String
struct js_Regexp
{
void *prog;
- const char *source;
+ char *source;
unsigned short flags;
unsigned short last;
};
--
2.10.2


@ -1,32 +0,0 @@
Fix CVE-2016-7505:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7505
http://bugs.ghostscript.com/show_bug.cgi?id=697140
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=8c805b4eb19cf2af689c860b77e6111d2ee439d5
From 8c805b4eb19cf2af689c860b77e6111d2ee439d5 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 21 Sep 2016 15:21:04 +0200
Subject: [PATCH] Fix bug 697140: Overflow check in ascii division in strtod.
---
jsdtoa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/jsdtoa.c b/jsdtoa.c
index 2e52368..920c1a7 100644
--- a/thirdparty/mujs/jsdtoa.c
+++ b/thirdparty/mujs/jsdtoa.c
@@ -735,6 +735,7 @@ xx:
n -= c<<b;
*p++ = c + '0';
(*na)++;
+ if (*na >= Ndig) break; /* abort if overflowing */
}
*p = 0;
}
--
2.10.2


@ -1,42 +0,0 @@
Fix CVE-2016-7506:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506
http://bugs.ghostscript.com/show_bug.cgi?id=697141
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a
From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 21 Sep 2016 16:02:11 +0200
Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution.
A '$' escape at the end of the string would read past the zero terminator
when looking for the escaped character.
---
jsstring.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/jsstring.c b/jsstring.c
index 66f6a89..0209a8e 100644
--- a/thirdparty/mujs/jsstring.c
+++ b/thirdparty/mujs/jsstring.c
@@ -421,6 +421,7 @@ loop:
while (*r) {
if (*r == '$') {
switch (*(++r)) {
+ case 0: --r; /* end of string; back up and fall through */
case '$': js_putc(J, &sb, '$'); break;
case '`': js_putm(J, &sb, source, s); break;
case '\'': js_puts(J, &sb, s + n); break;
@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J)
while (*r) {
if (*r == '$') {
switch (*(++r)) {
+ case 0: --r; /* end of string; back up and fall through */
case '$': js_putc(J, &sb, '$'); break;
case '&': js_putm(J, &sb, s, s + n); break;
case '`': js_putm(J, &sb, source, s); break;
--
2.10.2


@ -1,37 +0,0 @@
Fix CVE-2016-7563:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7563
http://bugs.ghostscript.com/show_bug.cgi?id=697136
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=f8234d830e17fc5e8fe09eb76d86dad3f6233c59
From f8234d830e17fc5e8fe09eb76d86dad3f6233c59 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Tue, 20 Sep 2016 17:11:32 +0200
Subject: [PATCH] Fix bug 697136.
We were unconditionally reading the next character if we encountered
a '*' in a multi-line comment; possibly reading past the end of
the input.
---
jslex.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/jslex.c b/jslex.c
index 7b80800..cbd0eeb 100644
--- a/thirdparty/mujs/jslex.c
+++ b/thirdparty/mujs/jslex.c
@@ -225,7 +225,8 @@ static int lexcomment(js_State *J)
if (jsY_accept(J, '/'))
return 0;
}
- jsY_next(J);
+ else
+ jsY_next(J);
}
return -1;
}
--
2.10.2


@ -1,34 +0,0 @@
Fix CVE-2016-7564:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564
http://bugs.ghostscript.com/show_bug.cgi?id=697137
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8
From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Tue, 20 Sep 2016 17:19:06 +0200
Subject: [PATCH] Fix bug 697137: off by one in string length calculation.
We were not allocating space for the terminating zero byte.
---
jsfunction.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jsfunction.c b/jsfunction.c
index 8b5b18e..28f7aa7 100644
--- a/thirdparty/mujs/jsfunction.c
+++ b/thirdparty/mujs/jsfunction.c
@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J)
n += strlen(F->name);
for (i = 0; i < F->numparams; ++i)
n += strlen(F->vartab[i]) + 1;
- s = js_malloc(J, n);
+ s = js_malloc(J, n + 1);
strcpy(s, "function ");
strcat(s, F->name);
strcat(s, "(");
--
2.10.2


@ -1,165 +0,0 @@
Fix CVE-2016-8674 (use-after-free in pdf_to_num()).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674
https://security-tracker.debian.org/tracker/CVE-2016-8674
Patch adapted from upstream source repository:
http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec
diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h
index f8ef0cd..e8345b7 100644
--- a/include/mupdf/pdf/document.h
+++ b/include/mupdf/pdf/document.h
@@ -258,6 +258,10 @@ struct pdf_document_s
fz_font **type3_fonts;
pdf_resource_tables *resources;
+
+ int orphans_max;
+ int orphans_count;
+ pdf_obj **orphans;
};
/*
diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
index 346a2f1..02d4119 100644
--- a/include/mupdf/pdf/object.h
+++ b/include/mupdf/pdf/object.h
@@ -109,6 +109,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev);
void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
+void pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val, pdf_obj **old_val);
void pdf_dict_puts(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val);
diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
index f2e4551..a0d0d8e 100644
--- a/source/pdf/pdf-object.c
+++ b/source/pdf/pdf-object.c
@@ -1240,9 +1240,13 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
return pdf_dict_get(ctx, obj, abbrev);
}
-void
-pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
+static void
+pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
{
+
+ if (old_val)
+ *old_val = NULL;
+
RESOLVE(obj);
if (obj >= PDF_OBJ__LIMIT)
{
@@ -1282,7 +1286,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
{
pdf_obj *d = DICT(obj)->items[i].v;
DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
- pdf_drop_obj(ctx, d);
+ if (old_val)
+ *old_val = d;
+ else
+ pdf_drop_obj(ctx, d);
}
}
else
@@ -1305,10 +1312,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
}
void
+pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
+{
+ pdf_dict_get_put(ctx, obj, key, val, NULL);
+}
+
+void
pdf_dict_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
{
fz_try(ctx)
- pdf_dict_put(ctx, obj, key, val);
+ pdf_dict_get_put(ctx, obj, key, val, NULL);
+ fz_always(ctx)
+ pdf_drop_obj(ctx, val);
+ fz_catch(ctx)
+ fz_rethrow(ctx);
+}
+
+void
+pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
+{
+ fz_try(ctx)
+ pdf_dict_get_put(ctx, obj, key, val, old_val);
fz_always(ctx)
pdf_drop_obj(ctx, val);
fz_catch(ctx)
diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
index fdd4648..212c8b7 100644
--- a/source/pdf/pdf-repair.c
+++ b/source/pdf/pdf-repair.c
@@ -259,6 +259,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int num, int gen)
}
}
+static void
+orphan_object(fz_context *ctx, pdf_document *doc, pdf_obj *obj)
+{
+ if (doc->orphans_count == doc->orphans_max)
+ {
+ int new_max = (doc->orphans_max ? doc->orphans_max*2 : 32);
+
+ fz_try(ctx)
+ {
+ doc->orphans = fz_resize_array(ctx, doc->orphans, new_max, sizeof(*doc->orphans));
+ doc->orphans_max = new_max;
+ }
+ fz_catch(ctx)
+ {
+ pdf_drop_obj(ctx, obj);
+ fz_rethrow(ctx);
+ }
+ }
+ doc->orphans[doc->orphans_count++] = obj;
+}
+
void
pdf_repair_xref(fz_context *ctx, pdf_document *doc)
{
@@ -520,12 +541,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
/* correct stream length for unencrypted documents */
if (!encrypt && list[i].stm_len >= 0)
{
+ pdf_obj *old_obj = NULL;
dict = pdf_load_object(ctx, doc, list[i].num, list[i].gen);
length = pdf_new_int(ctx, doc, list[i].stm_len);
- pdf_dict_put(ctx, dict, PDF_NAME_Length, length);
- pdf_drop_obj(ctx, length);
-
+ pdf_dict_get_put_drop(ctx, dict, PDF_NAME_Length, length, &old_obj);
+ if (old_obj)
+ orphan_object(ctx, doc, old_obj);
pdf_drop_obj(ctx, dict);
}
}
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 3de1cd2..6682741 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1626,6 +1626,12 @@ pdf_close_document(fz_context *ctx, pdf_document *doc)
pdf_drop_resource_tables(ctx, doc);
+ for (i = 0; i < doc->orphans_count; i++)
+ {
+ pdf_drop_obj(ctx, doc->orphans[i]);
+ }
+ fz_free(ctx, doc->orphans);
+
fz_free(ctx, doc);
}
--
2.10.1


@ -1,46 +0,0 @@
Fix CVE-2016-9017:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9107
http://bugs.ghostscript.com/show_bug.cgi?id=697171
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a5c747f1d40e8d6659a37a8d25f13fb5acf8e767
From a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Tue, 25 Oct 2016 14:08:27 +0200
Subject: [PATCH] Fix 697171: missed an operand in the bytecode debugger dump.
---
jscompile.h | 2 +-
jsdump.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/jscompile.h b/jscompile.h
index 802cc9e..3054d13 100644
--- a/thirdparty/mujs/jscompile.h
+++ b/thirdparty/mujs/jscompile.h
@@ -21,7 +21,7 @@ enum js_OpCode
OP_NEWARRAY,
OP_NEWOBJECT,
- OP_NEWREGEXP,
+ OP_NEWREGEXP, /* -S,opts- <regexp> */
OP_UNDEF,
OP_NULL,
diff --git a/jsdump.c b/jsdump.c
index 1c51c29..37ad88c 100644
--- a/thirdparty/mujs/jsdump.c
+++ b/thirdparty/mujs/jsdump.c
@@ -750,6 +750,7 @@ void jsC_dumpfunction(js_State *J, js_Function *F)
case OP_INITVAR:
case OP_DEFVAR:
case OP_GETVAR:
+ case OP_HASVAR:
case OP_SETVAR:
case OP_DELVAR:
case OP_GETPROP_S:
--
2.10.2


@ -1,32 +0,0 @@
Fix CVE-2016-9136:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9136
http://bugs.ghostscript.com/show_bug.cgi?id=697244
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a0ceaf5050faf419401fe1b83acfa950ec8a8a89
From a0ceaf5050faf419401fe1b83acfa950ec8a8a89 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Mon, 31 Oct 2016 13:05:37 +0100
Subject: [PATCH] Fix 697244: Check for incomplete escape sequence at end of
input.
---
jslex.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/jslex.c b/jslex.c
index cbd0eeb..aaafdac 100644
--- a/thirdparty/mujs/jslex.c
+++ b/thirdparty/mujs/jslex.c
@@ -377,6 +377,7 @@ static int lexescape(js_State *J)
return 0;
switch (J->lexchar) {
+ case 0: jsY_error(J, "unterminated escape sequence");
case 'u':
jsY_next(J);
if (!jsY_ishex(J->lexchar)) return 1; else { x |= jsY_tohex(J->lexchar) << 12; jsY_next(J); }
--
2.10.2


@ -27,12 +27,3 @@ index 6b92e5c..72dea50 100644
#include <openjpeg.h>
static void fz_opj_error_callback(const char *msg, void *client_data)
@@ -117,7 +109,7 @@ fz_load_jpx(fz_context *ctx, unsigned char *data, int size, fz_colorspace *defcs
opj_stream_set_read_function(stream, fz_opj_stream_read);
opj_stream_set_skip_function(stream, fz_opj_stream_skip);
opj_stream_set_seek_function(stream, fz_opj_stream_seek);
- opj_stream_set_user_data(stream, &sb);
+ opj_stream_set_user_data(stream, &sb, NULL);
/* Set the length to avoid an assert */
opj_stream_set_user_data_length(stream, size);


@ -1,53 +0,0 @@
Fix symlinks to '..' to fix rubygems improperly expanding symlinked
paths. Without this fix, some gems fail to install. This patch is applied in
rubygems 2.5.2, but ruby version 2.3.1 bundles an older version of rubygems
(2.5.1).
--- a/lib/rubygems/package.rb
+++ b/lib/rubygems/package.rb
@@ -383,7 +383,7 @@ def extract_tar_gz io, destination_dir, pattern = "*" # :nodoc:
FileUtils.chmod entry.header.mode, destination
end if entry.file?
- File.symlink(install_location(entry.header.linkname, destination_dir), destination) if entry.symlink?
+ File.symlink(entry.header.linkname, destination) if entry.symlink?
verbose destination
end
diff --git a/test/rubygems/test_gem_package.rb b/test/rubygems/test_gem_package.rb
index 7848bc2..f287bd3 100644
--- a/test/rubygems/test_gem_package.rb
+++ b/test/rubygems/test_gem_package.rb
@@ -428,19 +428,25 @@ def test_extract_tar_gz_absolute
"#{@destination} is not allowed", e.message)
end
- def test_extract_tar_gz_symlink_absolute
+ def test_extract_tar_gz_symlink_relative_path
+ skip 'symlink not supported' if Gem.win_platform?
+
package = Gem::Package.new @gem
tgz_io = util_tar_gz do |tar|
- tar.add_symlink 'code.rb', '/absolute.rb', 0644
+ tar.add_file 'relative.rb', 0644 do |io| io.write 'hi' end
+ tar.mkdir 'lib', 0755
+ tar.add_symlink 'lib/foo.rb', '../relative.rb', 0644
end
- e = assert_raises Gem::Package::PathError do
- package.extract_tar_gz tgz_io, @destination
- end
+ package.extract_tar_gz tgz_io, @destination
- assert_equal("installing into parent path /absolute.rb of " +
- "#{@destination} is not allowed", e.message)
+ extracted = File.join @destination, 'lib/foo.rb'
+ assert_path_exists extracted
+ assert_equal '../relative.rb',
+ File.readlink(extracted)
+ assert_equal 'hi',
+ File.read(extracted)
end
def test_extract_tar_gz_directory


@ -95,17 +95,6 @@ (define-public poppler
;; To build poppler-glib (as needed by Evince), we need Cairo and
;; GLib. But of course, that Cairo must not depend on Poppler.
("cairo" ,(package (inherit cairo)
(replacement
(package
(inherit cairo)
(replacement #f)
(source
(origin
(inherit (package-source cairo))
(patches (search-patches
"cairo-CVE-2016-9082.patch"))))
(inputs (alist-delete "poppler"
(package-inputs cairo)))))
(inputs (alist-delete "poppler"
(package-inputs cairo)))))
("glib" ,glib)))
@ -490,7 +479,7 @@ (define-public podofo
(define-public mupdf
(package
(name "mupdf")
(version "1.9a")
(version "1.10a")
(source
(origin
(method url-fetch)
@ -498,18 +487,8 @@ (define-public mupdf
name "-" version "-source.tar.gz"))
(sha256
(base32
"1k64pdapyj8a336jw3j61fhn0rp4q6az7d0dqp9r5n3d9rgwa5c0"))
(patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
"mupdf-CVE-2016-6265.patch"
"mupdf-CVE-2016-6525.patch"
"mupdf-CVE-2016-7504.patch"
"mupdf-CVE-2016-7505.patch"
"mupdf-CVE-2016-7506.patch"
"mupdf-CVE-2016-7563.patch"
"mupdf-CVE-2016-7564.patch"
"mupdf-CVE-2016-8674.patch"
"mupdf-CVE-2016-9017.patch"
"mupdf-CVE-2016-9136.patch"))
"0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a"))
(patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"))
(modules '((guix build utils)))
(snippet
;; Delete all the bundled libraries except for mujs, which is
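Review bot: The mupdf bump to 1.10a drops the seven patches that were applied under thirdparty/mujs (CVE-2016-7504, -7505, -7506, -7563, -7564, -9017, -9136), yet the snippet at the end of the section still keeps the bundled mujs rather than a system copy, so whether those fixes are present depends on which mujs snapshot 1.10a vendors, and nothing in the hunk records that this was checked. Suggest confirming the upstream mujs commits named in the deleted patch headers (e.g. 5c337af, a0ceaf5) are in the tarball's thirdparty/mujs and leaving a comment on the patches line: `;; 1.10a vendors a mujs that already contains the fixes for CVE-2016-7504..7506, -7563, -7564, -9017 and -9136; re-add the patches if a later snapshot regresses.` The dropped mupdf-proper patches (CVE-2016-6265, -6525, -8674) presumably are in 1.10a's own sources, which is easier to verify against the release notes. The first hunk also removes the cairo replacement graft carrying cairo-CVE-2016-9082; presumably the cairo package now applies that patch directly elsewhere in this merge, but that is not visible here.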


@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2014, 2015 Pjotr Prins <pjotr.guix@thebird.nl>
;;; Copyright © 2014, 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014, 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
@ -47,8 +47,7 @@ (define-module (gnu packages ruby)
(define-public ruby
(package
(name "ruby")
(replacement ruby-2.3.3)
(version "2.3.1")
(version "2.3.3")
(source
(origin
(method url-fetch)
@ -57,9 +56,8 @@ (define-public ruby
"/ruby-" version ".tar.xz"))
(sha256
(base32
"0f3395q7pd2hrl2gv26bib80038sjawxgmhl9zn22fjs9m9va9b7"))
"1p0rfk0blrbfjcnv0vb0ha4hxflgkfhv9zbzp4vvld2pi31ahkqs"))
(modules '((guix build utils)))
(patches (search-patches "ruby-symlinkfix.patch"))
(snippet `(begin
;; Remove bundled libffi
(delete-file-recursively "ext/fiddle/libffi-3.2.1")
@ -102,25 +100,6 @@ (define-public ruby
(home-page "https://ruby-lang.org")
(license license:ruby)))
(define ruby-2.3.3
(package
(inherit ruby)
(version "2.3.3")
(source
(origin
(method url-fetch)
(uri (string-append "http://cache.ruby-lang.org/pub/ruby/"
(version-major+minor version)
"/ruby-" version ".tar.xz"))
(sha256
(base32
"1p0rfk0blrbfjcnv0vb0ha4hxflgkfhv9zbzp4vvld2pi31ahkqs"))
(modules '((guix build utils)))
(snippet `(begin
;; Remove bundled libffi
(delete-file-recursively "ext/fiddle/libffi-3.2.1")
#t))))))
(define-public ruby-2.2
(package (inherit ruby)
(replacement #f)
@ -1447,8 +1426,8 @@ (define-public ruby-mocha
(add-before 'check 'use-latest-redcarpet
(lambda _
(substitute* "mocha.gemspec"
(("<redcarpet>, \\[\"~> 1\"\\]")
"<redcarpet>, [\">= 3\"]"))
(("<redcarpet>.freeze, \\[\"~> 1\"\\]")
"<redcarpet>.freeze, [\">= 3\"]"))
#t))
(add-before 'check 'hardcode-version
(lambda _
@ -2225,28 +2204,27 @@ (define-public ruby-pry-editline
(define-public ruby-sdoc
(package
(name "ruby-sdoc")
(version "0.4.1")
(version "0.4.2")
(source (origin
(method url-fetch)
(uri (rubygems-uri "sdoc" version))
(sha256
(base32
"16xyfair1j4irfkd6sxvmdcak957z71lwkvhglrznfpkalfnqyqp"))))
"0qhvy10vnmrqcgh8494m13kd5ag9c3sczzhfasv8j0294ylk679n"))))
(build-system ruby-build-system)
(arguments
`(#:phases
(modify-phases %standard-phases
(add-after 'build 'relax-minitest-requirement
(add-before 'check 'set-rubylib
(lambda _
(substitute* "sdoc.gemspec"
(("<minitest>, \\[\"~> 4\\.0\"\\]")
"<minitest>, [\">= 4.0\"]"))
(setenv "RUBYLIB" "lib")
#t)))))
(propagated-inputs
`(("ruby-json" ,ruby-json)))
(native-inputs
`(("bundler" ,bundler)
("ruby-minitest" ,ruby-minitest)))
("ruby-minitest" ,ruby-minitest)
("ruby-hoe" ,ruby-hoe)))
(synopsis "Generate searchable RDoc documentation")
(description
"SDoc is an RDoc documentation generator to build searchable HTML
@ -3514,7 +3492,7 @@ (define-public ruby-domain-name
"Bundler::GemHelper.gemspec.version"))
;; Loosen unnecessarily strict test-unit version specification.
(substitute* "domain_name.gemspec"
(("<test-unit>, \\[\\\"~> 2.5.5") "<test-unit>, [\">0"))
(("<test-unit>.freeze, \\[\\\"~> 2.5.5") "<test-unit>, [\">0"))
#t)))))
(propagated-inputs
`(("ruby-unf" ,ruby-unf)))


@ -31,7 +31,7 @@ (define-module (gnu packages swig)
(define-public swig
(package
(name "swig")
(version "3.0.5")
(version "3.0.10")
(source (origin
(method url-fetch)
(uri (string-append "mirror://sourceforge/" name "/" name "/"
@ -39,7 +39,7 @@ (define-public swig
name "-" version ".tar.gz"))
(sha256
(base32
"0g1a69vrqxgsnr1wkx851ljn73a2x3jqzxa66s2l3w0kyblbjk4z"))))
"0k7ljh07rla6223lhvljgg881b2qr7hmrfgic9a0j1pckpislf99"))))
(build-system gnu-build-system)
(native-inputs `(("boost" ,boost)
("pcre" ,pcre "bin"))) ;for 'pcre-config'


@ -241,7 +241,6 @@ (define-public pixman
(package
(name "pixman")
(version "0.34.0")
(replacement pixman/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@ -249,7 +248,8 @@ (define-public pixman
version ".tar.gz"))
(sha256
(base32
"13m842m9ffac3m9r0b4lvwjhwzg3w4353djkjpf00s0wnm4v5di1"))))
"13m842m9ffac3m9r0b4lvwjhwzg3w4353djkjpf00s0wnm4v5di1"))
(patches (search-patches "pixman-CVE-2016-5296.patch"))))
(build-system gnu-build-system)
(inputs
`(("libpng" ,libpng)
@ -263,14 +263,6 @@ (define-public pixman
rasterisation.")
(license license:x11)))
(define pixman/fixed
(package
(inherit pixman)
(source (origin
(inherit (package-source pixman))
(patches (search-patches "pixman-CVE-2016-5296.patch"))))))
(define-public libdrm
(package
(name "libdrm")


@ -4923,7 +4923,7 @@ (define-public libxfont
(define-public libxi
(package
(name "libxi")
(version "1.7.7")
(version "1.7.8")
(source
(origin
(method url-fetch)
@ -4933,7 +4933,7 @@ (define-public libxi
".tar.bz2"))
(sha256
(base32
"0c70n4aq0ba628wr88ih4740nci9d9f6y3v96sx376vvlm7q6vwr"))))
"1fr7mi4nbcxsa88qin9g2ipmzh595ydxy9qnabzl270laf6zmwnq"))))
(build-system gnu-build-system)
(propagated-inputs
`(("inputproto" ,inputproto)


@ -66,6 +66,7 @@ (define* (configure #:key outputs (configure-flags '()) (out-of-source? #t)
(define* (check #:key (tests? #t) (parallel-tests? #t) (test-target "test")
#:allow-other-keys)
(let ((gnu-check (assoc-ref gnu:%standard-phases 'check)))
(setenv "CTEST_OUTPUT_ON_FAILURE" "1")
(gnu-check #:tests? tests? #:test-target test-target
#:parallel-tests? parallel-tests?)))
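Review bot: The new `setenv` in the `check` phase is undocumented and is set unconditionally, before `gnu-check` decides on `tests?`, so it is also exported when tests are disabled; that is harmless, but a one-line comment would tell readers why the build side exports it: `;; Have ctest print the output of failing tests so the build log is useful.` If the intent is to keep the environment change scoped to this phase, it could instead be set only when `tests?` is true, e.g. `(when tests? (setenv "CTEST_OUTPUT_ON_FAILURE" "1"))`.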