From 7c9e08d8854246f6f50ff643ecac87be3d20d8e6 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Fri, 23 Jun 2017 18:00:54 -0400 Subject: [PATCH] gnu: Remove libwmf. This package contains many security vulnerabilities and is no longer maintained upstream. See this discussion for more information: https://lists.gnu.org/archive/html/guix-devel/2017-05/msg00478.html * gnu/packages/image.scm (libwmf): Remove variable. * gnu/packages/wv.scm (wv)[inputs]: Remove libwmf. [arguments]: Remove field. * gnu/packages/abiword.scm (abiword)[inputs]: Remove libwmf. [source]: Remove patch 'abiword-wmf-version-lookup-fix.patch'. * gnu/packages/patches/abiword-wmf-version-lookup-fix.patch, gnu/packages/patches/libwmf-CAN-2004-0941.patch, gnu/packages/patches/libwmf-CVE-2006-3376.patch, gnu/packages/patches/libwmf-CVE-2007-0455.patch, gnu/packages/patches/libwmf-CVE-2007-2756.patch, gnu/packages/patches/libwmf-CVE-2007-3472.patch, gnu/packages/patches/libwmf-CVE-2007-3473.patch, gnu/packages/patches/libwmf-CVE-2007-3477.patch, gnu/packages/patches/libwmf-CVE-2009-1364.patch, gnu/packages/patches/libwmf-CVE-2009-3546.patch, gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch, gnu/packages/patches/libwmf-CVE-2015-4695.patch, gnu/packages/patches/libwmf-CVE-2015-4696.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 13 --- gnu/packages/abiword.scm | 5 +- gnu/packages/image.scm | 46 -------- .../patches/abiword-wmf-version-lookup-fix.patch | 28 ----- gnu/packages/patches/libwmf-CAN-2004-0941.patch | 21 ---- gnu/packages/patches/libwmf-CVE-2006-3376.patch | 30 ----- gnu/packages/patches/libwmf-CVE-2007-0455.patch | 15 --- gnu/packages/patches/libwmf-CVE-2007-2756.patch | 20 ---- gnu/packages/patches/libwmf-CVE-2007-3472.patch | 63 ----------- gnu/packages/patches/libwmf-CVE-2007-3473.patch | 17 --- gnu/packages/patches/libwmf-CVE-2007-3477.patch | 42 ------- gnu/packages/patches/libwmf-CVE-2009-1364.patch | 13 --- gnu/packages/patches/libwmf-CVE-2009-3546.patch | 17 --- .../libwmf-CVE-2015-0848+CVE-2015-4588.patch | 122 --------------------- gnu/packages/patches/libwmf-CVE-2015-4695.patch | 60 ---------- gnu/packages/patches/libwmf-CVE-2015-4696.patch | 27 ----- gnu/packages/wv.scm | 5 +- 17 files changed, 3 insertions(+), 541 deletions(-) delete mode 100644 gnu/packages/patches/abiword-wmf-version-lookup-fix.patch delete mode 100644 gnu/packages/patches/libwmf-CAN-2004-0941.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2006-3376.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2007-0455.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2007-2756.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2007-3472.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2007-3473.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2007-3477.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2009-1364.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2009-3546.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2015-4695.patch delete mode 100644 gnu/packages/patches/libwmf-CVE-2015-4696.patch diff --git a/gnu/local.mk b/gnu/local.mk index a4b29d5fd..14151b495 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -492,7 +492,6 @@ dist_patch_DATA = \ %D%/packages/patches/a2ps-CVE-2001-1593.patch \ %D%/packages/patches/a2ps-CVE-2014-0466.patch \ %D%/packages/patches/abiword-explictly-cast-bools.patch \ - %D%/packages/patches/abiword-wmf-version-lookup-fix.patch \ %D%/packages/patches/abiword-black-drawing-with-gtk322.patch \ %D%/packages/patches/acl-hurd-path-max.patch \ %D%/packages/patches/aegis-constness-error.patch \ @@ -775,18 +774,6 @@ dist_patch_DATA = \ %D%/packages/patches/libtool-skip-tests2.patch \ %D%/packages/patches/libunwind-CVE-2015-3239.patch \ %D%/packages/patches/libvpx-CVE-2016-2818.patch \ - %D%/packages/patches/libwmf-CAN-2004-0941.patch \ - %D%/packages/patches/libwmf-CVE-2006-3376.patch \ - %D%/packages/patches/libwmf-CVE-2007-0455.patch \ - %D%/packages/patches/libwmf-CVE-2007-2756.patch \ - %D%/packages/patches/libwmf-CVE-2007-3472.patch \ - %D%/packages/patches/libwmf-CVE-2007-3473.patch \ - %D%/packages/patches/libwmf-CVE-2007-3477.patch \ - %D%/packages/patches/libwmf-CVE-2009-1364.patch \ - %D%/packages/patches/libwmf-CVE-2009-3546.patch \ - %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \ - %D%/packages/patches/libwmf-CVE-2015-4695.patch \ - %D%/packages/patches/libwmf-CVE-2015-4696.patch \ %D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \ %D%/packages/patches/libxml2-CVE-2016-5131.patch \ diff --git a/gnu/packages/abiword.scm b/gnu/packages/abiword.scm index 9a4acdc38..b00dac9a6 100644 --- a/gnu/packages/abiword.scm +++ b/gnu/packages/abiword.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014 Marek Benc ;;; Copyright © 2016 Efraim Flashner ;;; Copyright © 2017 Ricardo Wurmus +;;; Copyright © 2017 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -55,8 +56,7 @@ (sha256 (base32 "08imry821g81apdwym3gcs4nss0l9j5blqk31j5rv602zmcd9gxg")) (patches - (search-patches "abiword-wmf-version-lookup-fix.patch" - "abiword-explictly-cast-bools.patch" + (search-patches "abiword-explictly-cast-bools.patch" "abiword-black-drawing-with-gtk322.patch")))) (build-system glib-or-gtk-build-system) @@ -97,7 +97,6 @@ ("libjpeg" ,libjpeg) ("libpng" ,libpng) ("librsvg" ,librsvg) - ("libwmf" ,libwmf) ("libxml2" ,libxml2) ("libxslt" ,libxslt) ("ots" ,ots) diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index fdf3497fe..504df60fb 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -397,52 +397,6 @@ collection of tools for doing simple manipulations of TIFF images.") (base32 "0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr")))))) -(define-public libwmf - (package - (name "libwmf") - (version "0.2.8.4") - (source - (origin - (method url-fetch) - (uri (string-append "mirror://sourceforge/wvware/" - name "/" version - "/" name "-" version ".tar.gz")) - (sha256 - (base32 "1y3wba4q8pl7kr51212jwrsz1x6nslsx1gsjml1x0i8549lmqd2v")) - (patches - (search-patches "libwmf-CAN-2004-0941.patch" - "libwmf-CVE-2006-3376.patch" - "libwmf-CVE-2007-0455.patch" - "libwmf-CVE-2007-2756.patch" - "libwmf-CVE-2007-3472.patch" - "libwmf-CVE-2007-3473.patch" - "libwmf-CVE-2007-3477.patch" - "libwmf-CVE-2009-1364.patch" - "libwmf-CVE-2009-3546.patch" - "libwmf-CVE-2015-0848+CVE-2015-4588.patch" - "libwmf-CVE-2015-4695.patch" - "libwmf-CVE-2015-4696.patch")))) - - (build-system gnu-build-system) - (inputs - `(("freetype" ,freetype) - ("libjpeg" ,libjpeg) - ("libpng",libpng) - ("libxml2" ,libxml2) - ("zlib" ,zlib))) - (native-inputs - `(("pkg-config" ,pkg-config))) - (synopsis "Library for reading images in the Microsoft WMF format") - (description - "libwmf is a library for reading vector images in Microsoft's native -Windows Metafile Format (WMF) and for either (a) displaying them in, e.g., an X -window; or (b) converting them to more standard/free file formats such as, e.g., -the W3C's XML-based Scaleable Vector Graphic (SVG) format.") - (home-page "http://wvware.sourceforge.net/libwmf.html") - - ;; 'COPYING' is the GPLv2, but file headers say LGPLv2.0+. - (license license:lgpl2.0+))) - (define-public leptonica (package (name "leptonica") diff --git a/gnu/packages/patches/abiword-wmf-version-lookup-fix.patch b/gnu/packages/patches/abiword-wmf-version-lookup-fix.patch deleted file mode 100644 index f27f32f30..000000000 --- a/gnu/packages/patches/abiword-wmf-version-lookup-fix.patch +++ /dev/null @@ -1,28 +0,0 @@ -The way the configure script determines the version of libwmf is by temporarily -making dots separator characters, but since the file name of the program which -returns the version contains dots in Guix (the version in the store entry name), -doing it this way will always fail. - -This is a simple guix-specific fix for the problem. - ---- a/configure 2010-06-13 23:17:37.000000000 +0200 -+++ b/configure 2014-09-08 17:31:52.102371800 +0200 -@@ -21140,13 +21140,11 @@ - $as_echo "$as_me: WARNING: wmf plugin: program libwmf-config not found in path" >&2;} - fi - else -- IFS_old="$IFS" -- IFS='.' -- set -- `$libwmfconfig --version` -- libwmf_major_found="${1}" -- libwmf_minor_found="${2}" -- libwmf_micro_found="${3}" -- IFS="$IFS_old" -+ libwmf_fullver_found=`$libwmfconfig --version` -+ libwmf_major_found=$(echo $libwmf_fullver_found | cut -d . -f 1) -+ libwmf_minor_found=$(echo $libwmf_fullver_found | cut -d . -f 2) -+ libwmf_micro_found=$(echo $libwmf_fullver_found | cut -d . -f 3) -+ - if test "$libwmf_major_found" -gt "$libwmf_major_req"; then - wmf_deps="yes" - elif test "$libwmf_major_found" -eq "$libwmf_major_req" && diff --git a/gnu/packages/patches/libwmf-CAN-2004-0941.patch b/gnu/packages/patches/libwmf-CAN-2004-0941.patch deleted file mode 100644 index 84dd9baee..000000000 --- a/gnu/packages/patches/libwmf-CAN-2004-0941.patch +++ /dev/null @@ -1,21 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CAN-2004-0941.patch - ---- libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824 -0500 -+++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960 -0500 -@@ -188,6 +188,14 @@ - - png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, - &interlace_type, NULL, NULL); -+ if (overflow2(sizeof (int), width)) -+ { -+ return NULL; -+ } -+ if (overflow2(sizeof (int) * width, height)) -+ { -+ return NULL; -+ } - if ((color_type == PNG_COLOR_TYPE_RGB) || - (color_type == PNG_COLOR_TYPE_RGB_ALPHA)) - { diff --git a/gnu/packages/patches/libwmf-CVE-2006-3376.patch b/gnu/packages/patches/libwmf-CVE-2006-3376.patch deleted file mode 100644 index 1e0e1ecfa..000000000 --- a/gnu/packages/patches/libwmf-CVE-2006-3376.patch +++ /dev/null @@ -1,30 +0,0 @@ -Copied from Debian. - ---- libwmf-0.2.8.4.orig/src/player.c -+++ libwmf-0.2.8.4/src/player.c -@@ -23,6 +23,7 @@ - - #include - #include -+#include - #include - #include - -@@ -132,8 +133,14 @@ - } - } - --/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); -- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); -+ if (MAX_REC_SIZE(API) > UINT32_MAX / 2) -+ { -+ API->err = wmf_E_InsMem; -+ WMF_DEBUG (API,"bailing..."); -+ return (API->err); -+ } -+ -+ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); - - if (ERR (API)) - { WMF_DEBUG (API,"bailing..."); - diff --git a/gnu/packages/patches/libwmf-CVE-2007-0455.patch b/gnu/packages/patches/libwmf-CVE-2007-0455.patch deleted file mode 100644 index ceefc75bf..000000000 --- a/gnu/packages/patches/libwmf-CVE-2007-0455.patch +++ /dev/null @@ -1,15 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-0455.patch - ---- libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000 -+++ libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000 -@@ -811,7 +811,7 @@ - { - ch = c & 0xFF; /* don't extend sign */ - } -- next++; -+ if (*next) next++; - } - else - { diff --git a/gnu/packages/patches/libwmf-CVE-2007-2756.patch b/gnu/packages/patches/libwmf-CVE-2007-2756.patch deleted file mode 100644 index feafac535..000000000 --- a/gnu/packages/patches/libwmf-CVE-2007-2756.patch +++ /dev/null @@ -1,20 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-2756.patch - ---- libwmf-0.2.8.4/src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000 1.21.2.1 -+++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000 -@@ -78,8 +78,11 @@ - gdPngReadData (png_structp png_ptr, - png_bytep data, png_size_t length) - { -- gdGetBuf (data, length, (gdIOCtx *) -- png_get_io_ptr (png_ptr)); -+ int check; -+ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr)); -+ if (check != length) { -+ png_error(png_ptr, "Read Error: truncated data"); -+ } - } - - static void diff --git a/gnu/packages/patches/libwmf-CVE-2007-3472.patch b/gnu/packages/patches/libwmf-CVE-2007-3472.patch deleted file mode 100644 index 180bdb5fc..000000000 --- a/gnu/packages/patches/libwmf-CVE-2007-3472.patch +++ /dev/null @@ -1,63 +0,0 @@ -Based on a patch from Fedora. - -http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3472.patch - ---- libwmf-0.2.8.4/src/extra/gd/gd.c -+++ libwmf-0.2.8.4/src/extra/gd/gd.c -@@ -106,6 +106,18 @@ - gdImagePtr im; - unsigned long cpa_size; - -+ if (overflow2(sx, sy)) { -+ return NULL; -+ } -+ -+ if (overflow2(sizeof (int *), sy)) { -+ return NULL; -+ } -+ -+ if (overflow2(sizeof(int), sx)) { -+ return NULL; -+ } -+ - im = (gdImage *) gdMalloc (sizeof (gdImage)); - if (im == 0) return 0; - memset (im, 0, sizeof (gdImage)); ---- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000 -+++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000 -@@ -2,6 +2,7 @@ - #include "gdhelpers.h" - #include - #include -+#include - - /* TBB: gd_strtok_r is not portable; provide an implementation */ - -@@ -94,3 +95,18 @@ - { - free (ptr); - } -+ -+int overflow2(int a, int b) -+{ -+ if(a < 0 || b < 0) { -+ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n"); -+ return 1; -+ } -+ if(b == 0) -+ return 0; -+ if(a > INT_MAX / b) { -+ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); -+ return 1; -+ } -+ return 0; -+} ---- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000 -+++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000 -@@ -15,4 +15,6 @@ - void *gdMalloc(size_t size); - void *gdRealloc(void *ptr, size_t size); - -+int overflow2(int a, int b); -+ - #endif /* GDHELPERS_H */ diff --git a/gnu/packages/patches/libwmf-CVE-2007-3473.patch b/gnu/packages/patches/libwmf-CVE-2007-3473.patch deleted file mode 100644 index cb96c94a4..000000000 --- a/gnu/packages/patches/libwmf-CVE-2007-3473.patch +++ /dev/null @@ -1,17 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3473.patch - ---- libwmf-0.2.8.4/src/extra/gd/gd.c -+++ libwmf-0.2.8.4/src/extra/gd/gd.c -@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd) - } - bytes = (w * h / 8) + 1; - im = gdImageCreate (w, h); -+ if (!im) { -+ return 0; -+ } -+ - gdImageColorAllocate (im, 255, 255, 255); - gdImageColorAllocate (im, 0, 0, 0); - x = 0; diff --git a/gnu/packages/patches/libwmf-CVE-2007-3477.patch b/gnu/packages/patches/libwmf-CVE-2007-3477.patch deleted file mode 100644 index e9f6f4278..000000000 --- a/gnu/packages/patches/libwmf-CVE-2007-3477.patch +++ /dev/null @@ -1,42 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3477.patch - ---- libwmf-0.2.8.4/src/extra/gd/gd.c -+++ libwmf-0.2.8.4/src/extra/gd/gd.c -@@ -1335,10 +1335,31 @@ - int w2, h2; - w2 = w / 2; - h2 = h / 2; -- while (e < s) -- { -- e += 360; -- } -+ -+ if ((s % 360) == (e % 360)) { -+ s = 0; e = 360; -+ } else { -+ if (s > 360) { -+ s = s % 360; -+ } -+ -+ if (e > 360) { -+ e = e % 360; -+ } -+ -+ while (s < 0) { -+ s += 360; -+ } -+ -+ while (e < s) { -+ e += 360; -+ } -+ -+ if (s == e) { -+ s = 0; e = 360; -+ } -+ } -+ - for (i = s; (i <= e); i++) - { - int x, y; diff --git a/gnu/packages/patches/libwmf-CVE-2009-1364.patch b/gnu/packages/patches/libwmf-CVE-2009-1364.patch deleted file mode 100644 index 254b82159..000000000 --- a/gnu/packages/patches/libwmf-CVE-2009-1364.patch +++ /dev/null @@ -1,13 +0,0 @@ -Copied from Debian. - ---- libwmf-0.2.8.4.orig/src/extra/gd/gd_clip.c -+++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c -@@ -70,6 +70,7 @@ - { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle)); - if (more == 0) return; - im->clip->max += 8; -+ im->clip->list = more; - } - im->clip->list[im->clip->count] = (*rect); - im->clip->count++; - diff --git a/gnu/packages/patches/libwmf-CVE-2009-3546.patch b/gnu/packages/patches/libwmf-CVE-2009-3546.patch deleted file mode 100644 index ef76fe073..000000000 --- a/gnu/packages/patches/libwmf-CVE-2009-3546.patch +++ /dev/null @@ -1,17 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2009-3546.patch - ---- libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000 +0000 -+++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000 +0000 -@@ -42,6 +42,10 @@ - { - goto fail1; - } -+ if (&im->colorsTotal > gdMaxColors) -+ { -+ goto fail1; -+ } - } - /* Int to accommodate truecolor single-color transparency */ - if (!gdGetInt (&im->transparent, in)) diff --git a/gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch b/gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch deleted file mode 100644 index 871be1d26..000000000 --- a/gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch +++ /dev/null @@ -1,122 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch - ---- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100 -+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100 -@@ -859,7 +859,7 @@ - % - % - */ --static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) -+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) - { int byte; - int count; - int i; -@@ -870,12 +870,14 @@ - U32 u; - - unsigned char* q; -+ unsigned char* end; - - for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; - - byte = 0; - x = 0; - q = pixels; -+ end = pixels + bmp->width * bmp->height; - - for (y = 0; y < bmp->height; ) - { count = ReadBlobByte (src); -@@ -884,7 +886,10 @@ - { /* Encoded mode. */ - byte = ReadBlobByte (src); - for (i = 0; i < count; i++) -- { if (compression == 1) -+ { -+ if (q == end) -+ return 0; -+ if (compression == 1) - { (*(q++)) = (unsigned char) byte; - } - else -@@ -896,13 +901,15 @@ - else - { /* Escape mode. */ - count = ReadBlobByte (src); -- if (count == 0x01) return; -+ if (count == 0x01) return 1; - switch (count) - { - case 0x00: - { /* End of line. */ - x = 0; - y++; -+ if (y >= bmp->height) -+ return 0; - q = pixels + y * bmp->width; - break; - } -@@ -910,13 +917,20 @@ - { /* Delta mode. */ - x += ReadBlobByte (src); - y += ReadBlobByte (src); -+ if (y >= bmp->height) -+ return 0; -+ if (x >= bmp->width) -+ return 0; - q = pixels + y * bmp->width + x; - break; - } - default: - { /* Absolute mode. */ - for (i = 0; i < count; i++) -- { if (compression == 1) -+ { -+ if (q == end) -+ return 0; -+ if (compression == 1) - { (*(q++)) = ReadBlobByte (src); - } - else -@@ -943,7 +957,7 @@ - byte = ReadBlobByte (src); /* end of line */ - byte = ReadBlobByte (src); - -- return; -+ return 1; - } - - /* -@@ -1143,8 +1157,18 @@ - } - } - else -- { /* Convert run-length encoded raster pixels. */ -- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); -+ { -+ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ -+ { -+ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) -+ { WMF_ERROR (API,"corrupt bmp"); -+ API->err = wmf_E_BadFormat; -+ } -+ } -+ else -+ { WMF_ERROR (API,"Unexpected pixel depth"); -+ API->err = wmf_E_BadFormat; -+ } - } - - if (ERR (API)) ---- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100 -+++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100 -@@ -48,7 +48,7 @@ - static unsigned short ReadBlobLSBShort (BMPSource*); - static unsigned long ReadBlobLSBLong (BMPSource*); - static long TellBlob (BMPSource*); --static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); -+static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); - static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); - static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); - static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); diff --git a/gnu/packages/patches/libwmf-CVE-2015-4695.patch b/gnu/packages/patches/libwmf-CVE-2015-4695.patch deleted file mode 100644 index 42c4d55f4..000000000 --- a/gnu/packages/patches/libwmf-CVE-2015-4695.patch +++ /dev/null @@ -1,60 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-4695.patch - ---- libwmf-0.2.8.4/src/player/meta.h -+++ libwmf-0.2.8.4/src/player/meta.h -@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API, - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); -@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); -@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API, - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); -@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); -@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); -@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI* - objects = P->objects; - - i = 0; -- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; -+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; - - if (i == NUM_OBJECTS (API)) - { WMF_ERROR (API,"Object out of range!"); diff --git a/gnu/packages/patches/libwmf-CVE-2015-4696.patch b/gnu/packages/patches/libwmf-CVE-2015-4696.patch deleted file mode 100644 index 3674458c9..000000000 --- a/gnu/packages/patches/libwmf-CVE-2015-4696.patch +++ /dev/null @@ -1,27 +0,0 @@ -Copied from Fedora. - -http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-4696.patch - ---- libwmf-0.2.8.4/src/player/meta.h -+++ libwmf-0.2.8.4/src/player/meta.h -@@ -2585,6 +2585,8 @@ - polyrect.BR[i] = clip->rects[i].BR; - } - -+ if (FR->region_clip) FR->region_clip (API,&polyrect); -+ - wmf_free (API,polyrect.TL); - wmf_free (API,polyrect.BR); - } -@@ -2593,9 +2595,10 @@ - polyrect.BR = 0; - - polyrect.count = 0; -+ -+ if (FR->region_clip) FR->region_clip (API,&polyrect); - } - -- if (FR->region_clip) FR->region_clip (API,&polyrect); - - return (changed); - } diff --git a/gnu/packages/wv.scm b/gnu/packages/wv.scm index a7f294462..12201faa3 100644 --- a/gnu/packages/wv.scm +++ b/gnu/packages/wv.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2014 Marek Benc +;;; Copyright © 2017 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -39,16 +40,12 @@ (sha256 (base32 "1mn2ax6qjy3pvixlnvbkn6ymy6y4l2wxrr4brjaczm121s8hjcb7")))) - (build-system gnu-build-system) - (arguments - `(#:configure-flags '("--with-libwmf"))) (inputs `(("glib" ,glib) ("libgsf" ,libgsf) ("libjpeg" ,libjpeg) ("libpng" ,libpng) - ("libwmf" ,libwmf) ("zlib" ,zlib))) (native-inputs `(("glib" ,glib "bin") -- 2.13.1