aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2016-12-11 15:03:52 -0500
committerLeo Famulari <leo@famulari.name>2016-12-11 15:03:52 -0500
commit4a990395d749619c6e565c57a05c0ca9f6894eed (patch)
tree19ce08ce112e3ad790b6cc6f0352bc40f48b8b64 /gnu/packages/patches
parent0c6fc4b7e5984ae1d63ea2ba9c7c2f5b35895574 (diff)
parentd94691e0c21440657ad198b03145743d4a876829 (diff)
downloadguix-4a990395d749619c6e565c57a05c0ca9f6894eed.tar
guix-4a990395d749619c6e565c57a05c0ca9f6894eed.tar.gz
Merge branch 'staging'
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/libepoxy-gl-null-checks.patch54
-rw-r--r--gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch107
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-3623.patch30
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-3945.patch94
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-3990.patch31
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-3991.patch123
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-5314.patch45
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-5321.patch25
-rw-r--r--gnu/packages/patches/libtiff-CVE-2016-5323.patch88
-rw-r--r--gnu/packages/patches/libtiff-oob-accesses-in-decode.patch171
-rw-r--r--gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch49
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-6265.patch30
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-6525.patch21
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-7504.patch99
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-7505.patch32
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-7506.patch42
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-7563.patch37
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-7564.patch34
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-8674.patch165
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-9017.patch46
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-9136.patch32
-rw-r--r--gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch9
-rw-r--r--gnu/packages/patches/ruby-symlinkfix.patch53
23 files changed, 54 insertions, 1363 deletions
diff --git a/gnu/packages/patches/libepoxy-gl-null-checks.patch b/gnu/packages/patches/libepoxy-gl-null-checks.patch
new file mode 100644
index 0000000000..bdc4b05989
--- /dev/null
+++ b/gnu/packages/patches/libepoxy-gl-null-checks.patch
@@ -0,0 +1,54 @@
+This patch from <https://bugzilla.redhat.com/show_bug.cgi?id=1395366> adds NULL
+checks to avoid crashes when GL support is missing, as is the case when running
+Xvfb.
+
+Upstream issue: <https://github.com/anholt/libepoxy/issues/72>.
+
+diff -ur libepoxy-1.3.1/src/dispatch_common.c libepoxy-1.3.1/src/dispatch_common.c
+--- libepoxy-1.3.1/src/dispatch_common.c 2015-07-15 19:46:36.000000000 -0400
++++ libepoxy-1.3.1/src/dispatch_common.c 2016-11-16 09:03:52.809066247 -0500
+@@ -348,6 +348,8 @@
+ epoxy_extension_in_string(const char *extension_list, const char *ext)
+ {
+ const char *ptr = extension_list;
++ if (! ptr) return false;
++ if (! ext) return false;
+ int len = strlen(ext);
+
+ /* Make sure that don't just find an extension with our name as a prefix. */
+@@ -380,6 +382,7 @@
+
+ for (i = 0; i < num_extensions; i++) {
+ const char *gl_ext = (const char *)glGetStringi(GL_EXTENSIONS, i);
++ if (! gl_ext) return false;
+ if (strcmp(ext, gl_ext) == 0)
+ return true;
+ }
+diff -ur libepoxy-1.3.1/src/dispatch_egl.c libepoxy-1.3.1/src/dispatch_egl.c
+--- libepoxy-1.3.1/src/dispatch_egl.c 2015-07-15 19:46:36.000000000 -0400
++++ libepoxy-1.3.1/src/dispatch_egl.c 2016-11-16 08:40:34.069358709 -0500
+@@ -46,6 +46,7 @@
+ int ret;
+
+ version_string = eglQueryString(dpy, EGL_VERSION);
++ if (! version_string) return 0;
+ ret = sscanf(version_string, "%d.%d", &major, &minor);
+ assert(ret == 2);
+ return major * 10 + minor;
+diff -ur libepoxy-1.3.1/src/dispatch_glx.c libepoxy-1.3.1/src/dispatch_glx.c
+--- libepoxy-1.3.1/src/dispatch_glx.c 2015-07-15 19:46:36.000000000 -0400
++++ libepoxy-1.3.1/src/dispatch_glx.c 2016-11-16 08:41:03.065730370 -0500
+@@ -57,11 +57,13 @@
+ int ret;
+
+ version_string = glXQueryServerString(dpy, screen, GLX_VERSION);
++ if (! version_string) return 0;
+ ret = sscanf(version_string, "%d.%d", &server_major, &server_minor);
+ assert(ret == 2);
+ server = server_major * 10 + server_minor;
+
+ version_string = glXGetClientString(dpy, GLX_VERSION);
++ if (! version_string) return 0;
+ ret = sscanf(version_string, "%d.%d", &client_major, &client_minor);
+ assert(ret == 2);
+ client = client_major * 10 + client_minor;
diff --git a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
deleted file mode 100644
index 811516dbe9..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-2015-12-26 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
- interface in case of unsupported values of SamplesPerPixel/ExtraSamples
- for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
- TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
- CVE-2015-8683 reported by zzf of Alibaba.
-
-diff -u -r1.93 -r1.94
---- libtiff/libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93
-+++ libtiff/libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94
-@@ -182,20 +182,22 @@
- "Planarconfiguration", td->td_planarconfig);
- return (0);
- }
-- if( td->td_samplesperpixel != 3 )
-+ if( td->td_samplesperpixel != 3 || colorchannels != 3 )
- {
- sprintf(emsg,
-- "Sorry, can not handle image with %s=%d",
-- "Samples/pixel", td->td_samplesperpixel);
-+ "Sorry, can not handle image with %s=%d, %s=%d",
-+ "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels);
- return 0;
- }
- break;
- case PHOTOMETRIC_CIELAB:
-- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 )
-+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 )
- {
- sprintf(emsg,
-- "Sorry, can not handle image with %s=%d and %s=%d",
-+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d",
- "Samples/pixel", td->td_samplesperpixel,
-+ "colorchannels", colorchannels,
- "Bits/sample", td->td_bitspersample);
- return 0;
- }
-@@ -255,6 +257,9 @@
- int colorchannels;
- uint16 *red_orig, *green_orig, *blue_orig;
- int n_color;
-+
-+ if( !TIFFRGBAImageOK(tif, emsg) )
-+ return 0;
-
- /* Initialize to normal values */
- img->row_offset = 0;
-@@ -2509,29 +2514,33 @@
- case PHOTOMETRIC_RGB:
- switch (img->bitspersample) {
- case 8:
-- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+ img->samplesperpixel >= 4)
- img->put.contig = putRGBAAcontig8bittile;
-- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+ img->samplesperpixel >= 4)
- {
- if (BuildMapUaToAa(img))
- img->put.contig = putRGBUAcontig8bittile;
- }
-- else
-+ else if( img->samplesperpixel >= 3 )
- img->put.contig = putRGBcontig8bittile;
- break;
- case 16:
-- if (img->alpha == EXTRASAMPLE_ASSOCALPHA)
-+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA &&
-+ img->samplesperpixel >=4 )
- {
- if (BuildMapBitdepth16To8(img))
- img->put.contig = putRGBAAcontig16bittile;
- }
-- else if (img->alpha == EXTRASAMPLE_UNASSALPHA)
-+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA &&
-+ img->samplesperpixel >=4 )
- {
- if (BuildMapBitdepth16To8(img) &&
- BuildMapUaToAa(img))
- img->put.contig = putRGBUAcontig16bittile;
- }
-- else
-+ else if( img->samplesperpixel >=3 )
- {
- if (BuildMapBitdepth16To8(img))
- img->put.contig = putRGBcontig16bittile;
-@@ -2540,7 +2549,7 @@
- }
- break;
- case PHOTOMETRIC_SEPARATED:
-- if (buildMap(img)) {
-+ if (img->samplesperpixel >=4 && buildMap(img)) {
- if (img->bitspersample == 8) {
- if (!img->Map)
- img->put.contig = putRGBcontig8bitCMYKtile;
-@@ -2636,7 +2645,7 @@
- }
- break;
- case PHOTOMETRIC_CIELAB:
-- if (buildMap(img)) {
-+ if (img->samplesperpixel == 3 && buildMap(img)) {
- if (img->bitspersample == 8)
- img->put.contig = initCIELabConversion(img);
- break;
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3623.patch b/gnu/packages/patches/libtiff-CVE-2016-3623.patch
deleted file mode 100644
index 08705861e3..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3623.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fix CVE-2016-3623.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623
-http://bugzilla.maptools.org/show_bug.cgi?id=2569
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.16 -r1.17 tools/rgb2ycbcr.c
-
-Index: tools/rgb2ycbcr.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/rgb2ycbcr.c,v
-retrieving revision 1.16
-retrieving revision 1.17
-diff -u -r1.16 -r1.17
---- libtiff/tools/rgb2ycbcr.c 21 Jun 2015 01:09:10 -0000 1.16
-+++ libtiff/tools/rgb2ycbcr.c 15 Aug 2016 21:26:56 -0000 1.17
-@@ -95,9 +95,13 @@
- break;
- case 'h':
- horizSubSampling = atoi(optarg);
-+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 )
-+ usage(-1);
- break;
- case 'v':
- vertSubSampling = atoi(optarg);
-+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 )
-+ usage(-1);
- break;
- case 'r':
- rowsperstrip = atoi(optarg);
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3945.patch b/gnu/packages/patches/libtiff-CVE-2016-3945.patch
deleted file mode 100644
index 8ec62bab99..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3945.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-Fix CVE-2016-3945 (integer overflow in size of allocated
-buffer, when -b mode is enabled, that could result in out-of-bounds
-write).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945
-http://bugzilla.maptools.org/show_bug.cgi?id=2545
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.21 -r1.22 tools/tiff2rgba.c
-
-Index: tools/tiff2rgba.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v
-retrieving revision 1.21
-retrieving revision 1.22
-diff -u -r1.21 -r1.22
---- libtiff/tools/tiff2rgba.c 21 Jun 2015 01:09:10 -0000 1.21
-+++ libtiff/tools/tiff2rgba.c 15 Aug 2016 20:06:41 -0000 1.22
-@@ -147,6 +147,7 @@
- uint32 row, col;
- uint32 *wrk_line;
- int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -163,7 +164,13 @@
- /*
- * Allocate tile buffer
- */
-- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32));
-+ rastersize = tile_width * tile_height * sizeof (uint32);
-+ if (tile_width != (rastersize / tile_height) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -173,7 +180,13 @@
- * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
- */
-- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32));
-+ wrk_linesize = tile_width * sizeof (uint32);
-+ if (tile_width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
- if (!wrk_line) {
- TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
- ok = 0;
-@@ -249,6 +262,7 @@
- uint32 row;
- uint32 *wrk_line;
- int ok = 1;
-+ uint32 rastersize, wrk_linesize;
-
- TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width);
- TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height);
-@@ -263,7 +277,13 @@
- /*
- * Allocate strip buffer
- */
-- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32));
-+ rastersize = width * rowsperstrip * sizeof (uint32);
-+ if (width != (rastersize / rowsperstrip) / sizeof( uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer");
-+ exit(-1);
-+ }
-+ raster = (uint32*)_TIFFmalloc(rastersize);
- if (raster == 0) {
- TIFFError(TIFFFileName(in), "No space for raster buffer");
- return (0);
-@@ -273,7 +293,13 @@
- * Allocate a scanline buffer for swapping during the vertical
- * mirroring pass.
- */
-- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32));
-+ wrk_linesize = width * sizeof (uint32);
-+ if (width != wrk_linesize / sizeof (uint32))
-+ {
-+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer");
-+ exit(-1);
-+ }
-+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize);
- if (!wrk_line) {
- TIFFError(TIFFFileName(in), "No space for raster scanline buffer");
- ok = 0;
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3990.patch b/gnu/packages/patches/libtiff-CVE-2016-3990.patch
deleted file mode 100644
index 7641c3073b..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3990.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Fix CVE-2016-3990 (write buffer overflow in PixarLogEncode if more input
-samples are provided than expected by PixarLogSetupEncode).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990
-http://bugzilla.maptools.org/show_bug.cgi?id=2544
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.45 -r1.46 libtiff/tif_pixarlog.c
-
-Index: libtiff/tif_pixarlog.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
-retrieving revision 1.45
-retrieving revision 1.46
-diff -u -r1.45 -r1.46
---- libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:37:33 -0000 1.45
-+++ libtiff/libtiff/tif_pixarlog.c 15 Aug 2016 20:49:48 -0000 1.46
-@@ -1141,6 +1141,13 @@
- }
-
- llen = sp->stride * td->td_imagewidth;
-+ /* Check against the number of elements (of size uint16) of sp->tbuf */
-+ if( n > td->td_rowsperstrip * llen )
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Too many input bytes provided");
-+ return 0;
-+ }
-
- for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) {
- switch (sp->user_datafmt) {
diff --git a/gnu/packages/patches/libtiff-CVE-2016-3991.patch b/gnu/packages/patches/libtiff-CVE-2016-3991.patch
deleted file mode 100644
index cb05f0007f..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-3991.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-Fix CVE-2016-3991 (out-of-bounds write in loadImage()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991
-http://bugzilla.maptools.org/show_bug.cgi?id=2543
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.37 -r1.38 tools/tiffcrop.c
-
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.37
-retrieving revision 1.38
-diff -u -r1.37 -r1.38
---- libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37
-+++ libtiff/tools/tiffcrop.c 15 Aug 2016 21:05:40 -0000 1.38
-@@ -798,6 +798,11 @@
- }
-
- tile_buffsize = tilesize;
-+ if (tilesize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero");
-+ exit(-1);
-+ }
-
- if (tilesize < (tsize_t)(tl * tile_rowsize))
- {
-@@ -807,7 +812,12 @@
- tilesize, tl * tile_rowsize);
- #endif
- tile_buffsize = tl * tile_rowsize;
-- }
-+ if (tl != (tile_buffsize / tile_rowsize))
-+ {
-+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size.");
-+ exit(-1);
-+ }
-+ }
-
- tilebuf = _TIFFmalloc(tile_buffsize);
- if (tilebuf == 0)
-@@ -1210,6 +1220,12 @@
- !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) )
- return 1;
-
-+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero");
-+ exit(-1);
-+ }
-+
- tile_buffsize = tilesize;
- if (tilesize < (tsize_t)(tl * tile_rowsize))
- {
-@@ -1219,6 +1235,11 @@
- tilesize, tl * tile_rowsize);
- #endif
- tile_buffsize = tl * tile_rowsize;
-+ if (tl != tile_buffsize / tile_rowsize)
-+ {
-+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
- }
-
- tilebuf = _TIFFmalloc(tile_buffsize);
-@@ -5945,12 +5966,27 @@
- TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
-
- tile_rowsize = TIFFTileRowSize(in);
-+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero.");
-+ exit(-1);
-+ }
- buffsize = tlsize * ntiles;
-+ if (tlsize != (buffsize / ntiles))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-
--
- if (buffsize < (uint32)(ntiles * tl * tile_rowsize))
- {
- buffsize = ntiles * tl * tile_rowsize;
-+ if (ntiles != (buffsize / tl / tile_rowsize))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+
- #ifdef DEBUG2
- TIFFError("loadImage",
- "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
-@@ -5969,8 +6005,25 @@
- TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
- stsize = TIFFStripSize(in);
- nstrips = TIFFNumberOfStrips(in);
-+ if (nstrips == 0 || stsize == 0)
-+ {
-+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero.");
-+ exit(-1);
-+ }
-+
- buffsize = stsize * nstrips;
--
-+ if (stsize != (buffsize / nstrips))
-+ {
-+ TIFFError("loadImage", "Integer overflow when calculating buffer size");
-+ exit(-1);
-+ }
-+ uint32 buffsize_check;
-+ buffsize_check = ((length * width * spp * bps) + 7);
-+ if (length != ((buffsize_check - 7) / width / spp / bps))
-+ {
-+ TIFFError("loadImage", "Integer overflow detected.");
-+ exit(-1);
-+ }
- if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
- {
- buffsize = ((length * width * spp * bps) + 7) / 8;
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5314.patch b/gnu/packages/patches/libtiff-CVE-2016-5314.patch
deleted file mode 100644
index e5380f8639..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5314.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2016-5314.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5314
-bugzilla.maptools.org/show_bug.cgi?id=2554
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.43 -r1.44 libtiff/tif_pixarlog.c
-
-Index: libtiff/tif_pixarlog.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v
-retrieving revision 1.43
-retrieving revision 1.44
-diff -u -r1.43 -r1.44
---- libtiff/libtiff/tif_pixarlog.c 27 Dec 2015 20:14:11 -0000 1.43
-+++ libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:12:19 -0000 1.44
-@@ -459,6 +459,7 @@
- typedef struct {
- TIFFPredictorState predict;
- z_stream stream;
-+ tmsize_t tbuf_size; /* only set/used on reading for now */
- uint16 *tbuf;
- uint16 stride;
- int state;
-@@ -694,6 +695,7 @@
- sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
- if (sp->tbuf == NULL)
- return (0);
-+ sp->tbuf_size = tbuf_size;
- if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
- sp->user_datafmt = PixarLogGuessDataFmt(td);
- if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
-@@ -783,6 +785,12 @@
- TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
- return (0);
- }
-+ /* Check that we will not fill more than what was allocated */
-+ if (sp->stream.avail_out > sp->tbuf_size)
-+ {
-+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
-+ return (0);
-+ }
- do {
- int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
- if (state == Z_STREAM_END) {
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5321.patch b/gnu/packages/patches/libtiff-CVE-2016-5321.patch
deleted file mode 100644
index 2afca18e1d..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5321.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Fix CVE-2016-5321.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321
-http://bugzilla.maptools.org/show_bug.cgi?id=2558
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.35 -r1.36 tools/tiffcrop.c
-
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.35
-retrieving revision 1.36
-diff -u -r1.35 -r1.36
---- libtiff/tools/tiffcrop.c 19 Aug 2015 02:31:04 -0000 1.35
-+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
-@@ -989,7 +989,7 @@
- nrow = (row + tl > imagelength) ? imagelength - row : tl;
- for (col = 0; col < imagewidth; col += tw)
- {
-- for (s = 0; s < spp; s++)
-+ for (s = 0; s < spp && s < MAX_SAMPLES; s++)
- { /* Read each plane of a tile set into srcbuffs[s] */
- tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
- if (tbytes < 0 && !ignore)
diff --git a/gnu/packages/patches/libtiff-CVE-2016-5323.patch b/gnu/packages/patches/libtiff-CVE-2016-5323.patch
deleted file mode 100644
index 8b2a043d29..0000000000
--- a/gnu/packages/patches/libtiff-CVE-2016-5323.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-Fix CVE-2016-5323.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323
-http://bugzilla.maptools.org/show_bug.cgi?id=2559
-
-Patch extracted from upstream CVS repo with:
-$ cvs diff -u -r1.36 -r1.37 tools/tiffcrop.c
-
-Index: tools/tiffcrop.c
-===================================================================
-RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v
-retrieving revision 1.36
-retrieving revision 1.37
-diff -u -r1.36 -r1.37
---- libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
-+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37
-@@ -3738,7 +3738,7 @@
-
- matchbits = maskbits << (8 - src_bit - bps);
- /* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- buff1 = ((*src) & matchbits) << (src_bit);
-@@ -3837,7 +3837,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -3947,7 +3947,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4073,7 +4073,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4263,7 +4263,7 @@
-
- matchbits = maskbits << (8 - src_bit - bps);
- /* load up next sample from each plane */
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- buff1 = ((*src) & matchbits) << (src_bit);
-@@ -4362,7 +4362,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (16 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4471,7 +4471,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (32 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
-@@ -4597,7 +4597,7 @@
- src_bit = bit_offset % 8;
-
- matchbits = maskbits << (64 - src_bit - bps);
-- for (s = 0; s < spp; s++)
-+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
- {
- src = in[s] + src_offset + src_byte;
- if (little_endian)
diff --git a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch b/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
deleted file mode 100644
index 3fea745056..0000000000
--- a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-2015-12-27 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
- functions in non debug builds by replacing assert()s by regular if
- checks (bugzilla #2522).
- Fix potential out-of-bound reads in case of short input data.
-
-diff -u -r1.40 -r1.41
---- libtiff/libtiff/tif_luv.c 21 Jun 2015 01:09:09 -0000 1.40
-+++ libtiff/libtiff/tif_luv.c 27 Dec 2015 16:25:11 -0000 1.41
-@@ -1,4 +1,4 @@
--/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */
-+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */
-
- /*
- * Copyright (c) 1997 Greg Ward Larson
-@@ -202,7 +202,11 @@
- if (sp->user_datafmt == SGILOGDATAFMT_16BIT)
- tp = (int16*) op;
- else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- tp = (int16*) sp->tbuf;
- }
- _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -211,9 +215,11 @@
- cc = tif->tif_rawcc;
- /* get each byte string */
- for (shft = 2*8; (shft -= 8) >= 0; ) {
-- for (i = 0; i < npixels && cc > 0; )
-+ for (i = 0; i < npixels && cc > 0; ) {
- if (*bp >= 128) { /* run */
-- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+ if( cc < 2 )
-+ break;
-+ rc = *bp++ + (2-128);
- b = (int16)(*bp++ << shft);
- cc -= 2;
- while (rc-- && i < npixels)
-@@ -223,6 +229,7 @@
- while (--cc && rc-- && i < npixels)
- tp[i++] |= (int16)*bp++ << shft;
- }
-+ }
- if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
-@@ -268,13 +275,17 @@
- if (sp->user_datafmt == SGILOGDATAFMT_RAW)
- tp = (uint32 *)op;
- else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- tp = (uint32 *) sp->tbuf;
- }
- /* copy to array of uint32 */
- bp = (unsigned char*) tif->tif_rawcp;
- cc = tif->tif_rawcc;
-- for (i = 0; i < npixels && cc > 0; i++) {
-+ for (i = 0; i < npixels && cc >= 3; i++) {
- tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2];
- bp += 3;
- cc -= 3;
-@@ -325,7 +336,11 @@
- if (sp->user_datafmt == SGILOGDATAFMT_RAW)
- tp = (uint32*) op;
- else {
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- tp = (uint32*) sp->tbuf;
- }
- _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0]));
-@@ -334,11 +349,13 @@
- cc = tif->tif_rawcc;
- /* get each byte string */
- for (shft = 4*8; (shft -= 8) >= 0; ) {
-- for (i = 0; i < npixels && cc > 0; )
-+ for (i = 0; i < npixels && cc > 0; ) {
- if (*bp >= 128) { /* run */
-+ if( cc < 2 )
-+ break;
- rc = *bp++ + (2-128);
- b = (uint32)*bp++ << shft;
-- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */
-+ cc -= 2;
- while (rc-- && i < npixels)
- tp[i++] |= b;
- } else { /* non-run */
-@@ -346,6 +363,7 @@
- while (--cc && rc-- && i < npixels)
- tp[i++] |= (uint32)*bp++ << shft;
- }
-+ }
- if (i != npixels) {
- #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
- TIFFErrorExt(tif->tif_clientdata, module,
-@@ -413,6 +431,7 @@
- static int
- LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+ static const char module[] = "LogL16Encode";
- LogLuvState* sp = EncoderState(tif);
- int shft;
- tmsize_t i;
-@@ -433,7 +452,11 @@
- tp = (int16*) bp;
- else {
- tp = (int16*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- (*sp->tfunc)(sp, bp, npixels);
- }
- /* compress each byte string */
-@@ -506,6 +529,7 @@
- static int
- LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+ static const char module[] = "LogLuvEncode24";
- LogLuvState* sp = EncoderState(tif);
- tmsize_t i;
- tmsize_t npixels;
-@@ -521,7 +545,11 @@
- tp = (uint32*) bp;
- else {
- tp = (uint32*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- (*sp->tfunc)(sp, bp, npixels);
- }
- /* write out encoded pixels */
-@@ -553,6 +581,7 @@
- static int
- LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s)
- {
-+ static const char module[] = "LogLuvEncode32";
- LogLuvState* sp = EncoderState(tif);
- int shft;
- tmsize_t i;
-@@ -574,7 +603,11 @@
- tp = (uint32*) bp;
- else {
- tp = (uint32*) sp->tbuf;
-- assert(sp->tbuflen >= npixels);
-+ if(sp->tbuflen < npixels) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Translation buffer too short");
-+ return (0);
-+ }
- (*sp->tfunc)(sp, bp, npixels);
- }
- /* compress each byte string */
diff --git a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
deleted file mode 100644
index 50657b667c..0000000000
--- a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-2015-12-27 Even Rouault <even.rouault at spatialys.com>
-
- * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
- triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
- (bugzilla #2508)
-
-diff -u -r1.16 -r1.18
---- libtiff/libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16
-+++ libtiff/libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18
-@@ -1,4 +1,4 @@
--/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */
-+/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */
-
- /*
- * Copyright (c) 1988-1997 Sam Leffler
-@@ -37,7 +37,7 @@
- case 0: op[0] = (unsigned char) ((v) << 6); break; \
- case 1: op[0] |= (v) << 4; break; \
- case 2: op[0] |= (v) << 2; break; \
-- case 3: *op++ |= (v); break; \
-+ case 3: *op++ |= (v); op_offset++; break; \
- } \
- }
-
-@@ -103,6 +103,7 @@
- }
- default: {
- uint32 npixels = 0, grey;
-+ tmsize_t op_offset = 0;
- uint32 imagewidth = tif->tif_dir.td_imagewidth;
- if( isTiled(tif) )
- imagewidth = tif->tif_dir.td_tilewidth;
-@@ -122,10 +123,15 @@
- * bounds, potentially resulting in a security
- * issue.
- */
-- while (n-- > 0 && npixels < imagewidth)
-+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline)
- SETPIXEL(op, grey);
- if (npixels >= imagewidth)
- break;
-+ if (op_offset >= scanline ) {
-+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld",
-+ (long) tif->tif_row);
-+ return (0);
-+ }
- if (cc == 0)
- goto bad;
- n = *bp++, cc--;
diff --git a/gnu/packages/patches/mupdf-CVE-2016-6265.patch b/gnu/packages/patches/mupdf-CVE-2016-6265.patch
deleted file mode 100644
index 58f5c3726c..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-6265.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fix CVE-2016-6265 (use after free in pdf_load_xref()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265
-https://security-tracker.debian.org/tracker/CVE-2016-6265
-
-Patch copied from upstream source repository:
-
-http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958
-
-diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
-index 576c315..3222599 100644
---- a/source/pdf/pdf-xref.c
-+++ b/source/pdf/pdf-xref.c
-@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
- fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
- }
- if (entry->type == 'o')
-- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
-- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
-+ {
-+ /* Read this into a local variable here, because pdf_get_xref_entry
-+ * may solidify the xref, hence invalidating "entry", meaning we
-+ * need a stashed value for the throw. */
-+ fz_off_t ofs = entry->ofs;
-+ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
-+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
-+ }
- }
- }
-
diff --git a/gnu/packages/patches/mupdf-CVE-2016-6525.patch b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
deleted file mode 100644
index 370af5ade6..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-6525.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
-https://security-tracker.debian.org/tracker/CVE-2016-6525
-
-Patch copied from upstream source repository:
-http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
-
-diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c
-index 7815b3c..6e25efa 100644
---- a/source/pdf/pdf-shade.c
-+++ b/source/pdf/pdf-shade.c
-@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob
- obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
- if (pdf_array_len(ctx, obj) >= 6)
- {
-- n = (pdf_array_len(ctx, obj) - 4) / 2;
-+ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
- shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
- shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
- shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7504.patch b/gnu/packages/patches/mupdf-CVE-2016-7504.patch
deleted file mode 100644
index 4bbb4411c0..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-7504.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-Fix CVE-2016-7504:
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7504
-http://bugs.ghostscript.com/show_bug.cgi?id=697142
-
-Patch copied from upstream source repository:
-http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5c337af4b3df80cf967e4f9f6a21522de84b392a
-
-From 5c337af4b3df80cf967e4f9f6a21522de84b392a Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Wed, 21 Sep 2016 16:01:08 +0200
-Subject: [PATCH] Fix bug 697142: Stale string pointer stored in regexp object.
-
-Make sure to make a copy of the source pattern string.
-A case we missed when adding short and memory strings to the runtime.
-The code assumed all strings passed to it were either literal or interned.
----
- jsgc.c | 4 +++-
- jsi.h | 1 +
- jsregexp.c | 2 +-
- jsrun.c | 8 ++++++++
- jsvalue.h | 2 +-
- 5 files changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/jsgc.c b/jsgc.c
-index 9bd6482..4f7e7dc 100644
---- a/thirdparty/mujs/jsgc.c
-+++ b/thirdparty/mujs/jsgc.c
-@@ -44,8 +44,10 @@ static void jsG_freeobject(js_State *J, js_Object *obj)
- {
- if (obj->head)
- jsG_freeproperty(J, obj->head);
-- if (obj->type == JS_CREGEXP)
-+ if (obj->type == JS_CREGEXP) {
-+ js_free(J, obj->u.r.source);
- js_regfree(obj->u.r.prog);
-+ }
- if (obj->type == JS_CITERATOR)
- jsG_freeiterator(J, obj->u.iter.head);
- if (obj->type == JS_CUSERDATA && obj->u.user.finalize)
-diff --git a/jsi.h b/jsi.h
-index 7d9f7c7..e855045 100644
---- a/thirdparty/mujs/jsi.h
-+++ b/thirdparty/mujs/jsi.h
-@@ -79,6 +79,7 @@ typedef unsigned short js_Instruction;
-
- /* String interning */
-
-+char *js_strdup(js_State *J, const char *s);
- const char *js_intern(js_State *J, const char *s);
- void jsS_dumpstrings(js_State *J);
- void jsS_freestrings(js_State *J);
-diff --git a/jsregexp.c b/jsregexp.c
-index 2a056b7..a2d5156 100644
---- a/thirdparty/mujs/jsregexp.c
-+++ b/thirdparty/mujs/jsregexp.c
-@@ -21,7 +21,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags)
- js_syntaxerror(J, "regular expression: %s", error);
-
- obj->u.r.prog = prog;
-- obj->u.r.source = pattern;
-+ obj->u.r.source = js_strdup(J, pattern);
- obj->u.r.flags = flags;
- obj->u.r.last = 0;
- js_pushobject(J, obj);
-diff --git a/jsrun.c b/jsrun.c
-index 2648c4c..ee80845 100644
---- a/thirdparty/mujs/jsrun.c
-+++ b/thirdparty/mujs/jsrun.c
-@@ -45,6 +45,14 @@ void *js_realloc(js_State *J, void *ptr, int size)
- return ptr;
- }
-
-+char *js_strdup(js_State *J, const char *s)
-+{
-+ int n = strlen(s) + 1;
-+ char *p = js_malloc(J, n);
-+ memcpy(p, s, n);
-+ return p;
-+}
-+
- void js_free(js_State *J, void *ptr)
- {
- J->alloc(J->actx, ptr, 0);
-diff --git a/jsvalue.h b/jsvalue.h
-index 6cfbd89..8fb5016 100644
---- a/thirdparty/mujs/jsvalue.h
-+++ b/thirdparty/mujs/jsvalue.h
-@@ -71,7 +71,7 @@ struct js_String
- struct js_Regexp
- {
- void *prog;
-- const char *source;
-+ char *source;
- unsigned short flags;
- unsigned short last;
- };
---
-2.10.2
-
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7505.patch b/gnu/packages/patches/mupdf-CVE-2016-7505.patch
deleted file mode 100644
index 15e4f374d6..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-7505.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Fix CVE-2016-7505:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7505
-http://bugs.ghostscript.com/show_bug.cgi?id=697140
-
-Patch copied from upstream source repository:
-http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=8c805b4eb19cf2af689c860b77e6111d2ee439d5
-
-From 8c805b4eb19cf2af689c860b77e6111d2ee439d5 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Wed, 21 Sep 2016 15:21:04 +0200
-Subject: [PATCH] Fix bug 697140: Overflow check in ascii division in strtod.
-
----
- jsdtoa.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/jsdtoa.c b/jsdtoa.c
-index 2e52368..920c1a7 100644
---- a/thirdparty/mujs/jsdtoa.c
-+++ b/thirdparty/mujs/jsdtoa.c
-@@ -735,6 +735,7 @@ xx:
- n -= c<<b;
- *p++ = c + '0';
- (*na)++;
-+ if (*na >= Ndig) break; /* abort if overflowing */
- }
- *p = 0;
- }
---
-2.10.2
-
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7506.patch b/gnu/packages/patches/mupdf-CVE-2016-7506.patch
deleted file mode 100644
index 733249acaa..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-7506.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Fix CVE-2016-7506:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506
-http://bugs.ghostscript.com/show_bug.cgi?id=697141
-
-Patch copied from upstream source repository:
-http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a
-
-From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Wed, 21 Sep 2016 16:02:11 +0200
-Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution.
-
-A '$' escape at the end of the string would read past the zero terminator
-when looking for the escaped character.
----
- jsstring.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/jsstring.c b/jsstring.c
-index 66f6a89..0209a8e 100644
---- a/thirdparty/mujs/jsstring.c
-+++ b/thirdparty/mujs/jsstring.c
-@@ -421,6 +421,7 @@ loop:
- while (*r) {
- if (*r == '$') {
- switch (*(++r)) {
-+ case 0: --r; /* end of string; back up and fall through */
- case '$': js_putc(J, &sb, '$'); break;
- case '`': js_putm(J, &sb, source, s); break;
- case '\'': js_puts(J, &sb, s + n); break;
-@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J)
- while (*r) {
- if (*r == '$') {
- switch (*(++r)) {
-+ case 0: --r; /* end of string; back up and fall through */
- case '$': js_putc(J, &sb, '$'); break;
- case '&': js_putm(J, &sb, s, s + n); break;
- case '`': js_putm(J, &sb, source, s); break;
---
-2.10.2
-
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7563.patch b/gnu/packages/patches/mupdf-CVE-2016-7563.patch
deleted file mode 100644
index 288c9ab2df..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-7563.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Fix CVE-2016-7563:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7563
-http://bugs.ghostscript.com/show_bug.cgi?id=697136
-
-Patch copied from upstream source repository:
-http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=f8234d830e17fc5e8fe09eb76d86dad3f6233c59
-
-From f8234d830e17fc5e8fe09eb76d86dad3f6233c59 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Tue, 20 Sep 2016 17:11:32 +0200
-Subject: [PATCH] Fix bug 697136.
-
-We were unconditionally reading the next character if we encountered
-a '*' in a multi-line comment; possibly reading past the end of
-the input.
----
- jslex.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/jslex.c b/jslex.c
-index 7b80800..cbd0eeb 100644
---- a/thirdparty/mujs/jslex.c
-+++ b/thirdparty/mujs/jslex.c
-@@ -225,7 +225,8 @@ static int lexcomment(js_State *J)
- if (jsY_accept(J, '/'))
- return 0;
- }
-- jsY_next(J);
-+ else
-+ jsY_next(J);
- }
- return -1;
- }
---
-2.10.2
-
diff --git a/gnu/packages/patches/mupdf-CVE-2016-7564.patch b/gnu/packages/patches/mupdf-CVE-2016-7564.patch
deleted file mode 100644
index c2ce33d1df..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-7564.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Fix CVE-2016-7564:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564
-http://bugs.ghostscript.com/show_bug.cgi?id=697137
-
-Patch copied from upstream source repository:
-http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8
-
-From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Tue, 20 Sep 2016 17:19:06 +0200
-Subject: [PATCH] Fix bug 697137: off by one in string length calculation.
-
-We were not allocating space for the terminating zero byte.
----
- jsfunction.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/jsfunction.c b/jsfunction.c
-index 8b5b18e..28f7aa7 100644
---- a/thirdparty/mujs/jsfunction.c
-+++ b/thirdparty/mujs/jsfunction.c
-@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J)
- n += strlen(F->name);
- for (i = 0; i < F->numparams; ++i)
- n += strlen(F->vartab[i]) + 1;
-- s = js_malloc(J, n);
-+ s = js_malloc(J, n + 1);
- strcpy(s, "function ");
- strcat(s, F->name);
- strcat(s, "(");
---
-2.10.2
-
diff --git a/gnu/packages/patches/mupdf-CVE-2016-8674.patch b/gnu/packages/patches/mupdf-CVE-2016-8674.patch
deleted file mode 100644
index 2a35619761..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-8674.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-Fix CVE-2016-8674 (use-after-free in pdf_to_num()).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674
-https://security-tracker.debian.org/tracker/CVE-2016-8674
-
-Patch adapted from upstream source repository:
-http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec
-
-diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h
-index f8ef0cd..e8345b7 100644
---- a/include/mupdf/pdf/document.h
-+++ b/include/mupdf/pdf/document.h
-@@ -258,6 +258,10 @@ struct pdf_document_s
- fz_font **type3_fonts;
-
- pdf_resource_tables *resources;
-+
-+ int orphans_max;
-+ int orphans_count;
-+ pdf_obj **orphans;
- };
-
- /*
-diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h
-index 346a2f1..02d4119 100644
---- a/include/mupdf/pdf/object.h
-+++ b/include/mupdf/pdf/object.h
-@@ -109,6 +109,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key);
- pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev);
- void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
- void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val);
-+void pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val, pdf_obj **old_val);
- void pdf_dict_puts(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
- void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val);
- void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val);
-diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
-index f2e4551..a0d0d8e 100644
---- a/source/pdf/pdf-object.c
-+++ b/source/pdf/pdf-object.c
-@@ -1240,9 +1240,13 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev)
- return pdf_dict_get(ctx, obj, abbrev);
- }
-
--void
--pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
-+static void
-+pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
- {
-+
-+ if (old_val)
-+ *old_val = NULL;
-+
- RESOLVE(obj);
- if (obj >= PDF_OBJ__LIMIT)
- {
-@@ -1282,7 +1286,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
- {
- pdf_obj *d = DICT(obj)->items[i].v;
- DICT(obj)->items[i].v = pdf_keep_obj(ctx, val);
-- pdf_drop_obj(ctx, d);
-+ if (old_val)
-+ *old_val = d;
-+ else
-+ pdf_drop_obj(ctx, d);
- }
- }
- else
-@@ -1305,10 +1312,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
- }
-
- void
-+pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
-+{
-+ pdf_dict_get_put(ctx, obj, key, val, NULL);
-+}
-+
-+void
- pdf_dict_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val)
- {
- fz_try(ctx)
-- pdf_dict_put(ctx, obj, key, val);
-+ pdf_dict_get_put(ctx, obj, key, val, NULL);
-+ fz_always(ctx)
-+ pdf_drop_obj(ctx, val);
-+ fz_catch(ctx)
-+ fz_rethrow(ctx);
-+}
-+
-+void
-+pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val)
-+{
-+ fz_try(ctx)
-+ pdf_dict_get_put(ctx, obj, key, val, old_val);
- fz_always(ctx)
- pdf_drop_obj(ctx, val);
- fz_catch(ctx)
-diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c
-index fdd4648..212c8b7 100644
---- a/source/pdf/pdf-repair.c
-+++ b/source/pdf/pdf-repair.c
-@@ -259,6 +259,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int num, int gen)
- }
- }
-
-+static void
-+orphan_object(fz_context *ctx, pdf_document *doc, pdf_obj *obj)
-+{
-+ if (doc->orphans_count == doc->orphans_max)
-+ {
-+ int new_max = (doc->orphans_max ? doc->orphans_max*2 : 32);
-+
-+ fz_try(ctx)
-+ {
-+ doc->orphans = fz_resize_array(ctx, doc->orphans, new_max, sizeof(*doc->orphans));
-+ doc->orphans_max = new_max;
-+ }
-+ fz_catch(ctx)
-+ {
-+ pdf_drop_obj(ctx, obj);
-+ fz_rethrow(ctx);
-+ }
-+ }
-+ doc->orphans[doc->orphans_count++] = obj;
-+}
-+
- void
- pdf_repair_xref(fz_context *ctx, pdf_document *doc)
- {
-@@ -520,12 +541,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc)
- /* correct stream length for unencrypted documents */
- if (!encrypt && list[i].stm_len >= 0)
- {
-+ pdf_obj *old_obj = NULL;
- dict = pdf_load_object(ctx, doc, list[i].num, list[i].gen);
-
- length = pdf_new_int(ctx, doc, list[i].stm_len);
-- pdf_dict_put(ctx, dict, PDF_NAME_Length, length);
-- pdf_drop_obj(ctx, length);
--
-+ pdf_dict_get_put_drop(ctx, dict, PDF_NAME_Length, length, &old_obj);
-+ if (old_obj)
-+ orphan_object(ctx, doc, old_obj);
- pdf_drop_obj(ctx, dict);
- }
- }
-diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
-index 3de1cd2..6682741 100644
---- a/source/pdf/pdf-xref.c
-+++ b/source/pdf/pdf-xref.c
-@@ -1626,6 +1626,12 @@ pdf_close_document(fz_context *ctx, pdf_document *doc)
-
- pdf_drop_resource_tables(ctx, doc);
-
-+ for (i = 0; i < doc->orphans_count; i++)
-+ {
-+ pdf_drop_obj(ctx, doc->orphans[i]);
-+ }
-+ fz_free(ctx, doc->orphans);
-+
- fz_free(ctx, doc);
- }
-
---
-2.10.1
-
diff --git a/gnu/packages/patches/mupdf-CVE-2016-9017.patch b/gnu/packages/patches/mupdf-CVE-2016-9017.patch
deleted file mode 100644
index 1e2b7c3258..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-9017.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Fix CVE-2016-9017:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9107
-http://bugs.ghostscript.com/show_bug.cgi?id=697171
-
-Patch copied from upstream source repository:
-http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a5c747f1d40e8d6659a37a8d25f13fb5acf8e767
-
-From a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Tue, 25 Oct 2016 14:08:27 +0200
-Subject: [PATCH] Fix 697171: missed an operand in the bytecode debugger dump.
-
----
- jscompile.h | 2 +-
- jsdump.c | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/jscompile.h b/jscompile.h
-index 802cc9e..3054d13 100644
---- a/thirdparty/mujs/jscompile.h
-+++ b/thirdparty/mujs/jscompile.h
-@@ -21,7 +21,7 @@ enum js_OpCode
-
- OP_NEWARRAY,
- OP_NEWOBJECT,
-- OP_NEWREGEXP,
-+ OP_NEWREGEXP, /* -S,opts- <regexp> */
-
- OP_UNDEF,
- OP_NULL,
-diff --git a/jsdump.c b/jsdump.c
-index 1c51c29..37ad88c 100644
---- a/thirdparty/mujs/jsdump.c
-+++ b/thirdparty/mujs/jsdump.c
-@@ -750,6 +750,7 @@ void jsC_dumpfunction(js_State *J, js_Function *F)
- case OP_INITVAR:
- case OP_DEFVAR:
- case OP_GETVAR:
-+ case OP_HASVAR:
- case OP_SETVAR:
- case OP_DELVAR:
- case OP_GETPROP_S:
---
-2.10.2
-
diff --git a/gnu/packages/patches/mupdf-CVE-2016-9136.patch b/gnu/packages/patches/mupdf-CVE-2016-9136.patch
deleted file mode 100644
index 1f68839a52..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2016-9136.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Fix CVE-2016-9136:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9136
-http://bugs.ghostscript.com/show_bug.cgi?id=697244
-
-Patch copied from upstream source repository:
-http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a0ceaf5050faf419401fe1b83acfa950ec8a8a89
-From a0ceaf5050faf419401fe1b83acfa950ec8a8a89 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Mon, 31 Oct 2016 13:05:37 +0100
-Subject: [PATCH] Fix 697244: Check for incomplete escape sequence at end of
- input.
-
----
- jslex.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/jslex.c b/jslex.c
-index cbd0eeb..aaafdac 100644
---- a/thirdparty/mujs/jslex.c
-+++ b/thirdparty/mujs/jslex.c
-@@ -377,6 +377,7 @@ static int lexescape(js_State *J)
- return 0;
-
- switch (J->lexchar) {
-+ case 0: jsY_error(J, "unterminated escape sequence");
- case 'u':
- jsY_next(J);
- if (!jsY_ishex(J->lexchar)) return 1; else { x |= jsY_tohex(J->lexchar) << 12; jsY_next(J); }
---
-2.10.2
-
diff --git a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch b/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch
index cd8136b701..d97c1cb348 100644
--- a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch
+++ b/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch
@@ -27,12 +27,3 @@ index 6b92e5c..72dea50 100644
#include <openjpeg.h>
static void fz_opj_error_callback(const char *msg, void *client_data)
-@@ -117,7 +109,7 @@ fz_load_jpx(fz_context *ctx, unsigned char *data, int size, fz_colorspace *defcs
- opj_stream_set_read_function(stream, fz_opj_stream_read);
- opj_stream_set_skip_function(stream, fz_opj_stream_skip);
- opj_stream_set_seek_function(stream, fz_opj_stream_seek);
-- opj_stream_set_user_data(stream, &sb);
-+ opj_stream_set_user_data(stream, &sb, NULL);
- /* Set the length to avoid an assert */
- opj_stream_set_user_data_length(stream, size);
-
diff --git a/gnu/packages/patches/ruby-symlinkfix.patch b/gnu/packages/patches/ruby-symlinkfix.patch
deleted file mode 100644
index 16beecc97a..0000000000
--- a/gnu/packages/patches/ruby-symlinkfix.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Fix symlinks to '..' to fix rubygems improperly expanding symlinked
-paths. Without this fix, some gems fail to install. This patch is applied in
-rubygems 2.5.2, but ruby version 2.3.1 bundles an older version of rubygems
-(2.5.1).
-
---- a/lib/rubygems/package.rb
-+++ b/lib/rubygems/package.rb
-@@ -383,7 +383,7 @@ def extract_tar_gz io, destination_dir, pattern = "*" # :nodoc:
- FileUtils.chmod entry.header.mode, destination
- end if entry.file?
-
-- File.symlink(install_location(entry.header.linkname, destination_dir), destination) if entry.symlink?
-+ File.symlink(entry.header.linkname, destination) if entry.symlink?
-
- verbose destination
- end
-diff --git a/test/rubygems/test_gem_package.rb b/test/rubygems/test_gem_package.rb
-index 7848bc2..f287bd3 100644
---- a/test/rubygems/test_gem_package.rb
-+++ b/test/rubygems/test_gem_package.rb
-@@ -428,19 +428,25 @@ def test_extract_tar_gz_absolute
- "#{@destination} is not allowed", e.message)
- end
-
-- def test_extract_tar_gz_symlink_absolute
-+ def test_extract_tar_gz_symlink_relative_path
-+ skip 'symlink not supported' if Gem.win_platform?
-+
- package = Gem::Package.new @gem
-
- tgz_io = util_tar_gz do |tar|
-- tar.add_symlink 'code.rb', '/absolute.rb', 0644
-+ tar.add_file 'relative.rb', 0644 do |io| io.write 'hi' end
-+ tar.mkdir 'lib', 0755
-+ tar.add_symlink 'lib/foo.rb', '../relative.rb', 0644
- end
-
-- e = assert_raises Gem::Package::PathError do
-- package.extract_tar_gz tgz_io, @destination
-- end
-+ package.extract_tar_gz tgz_io, @destination
-
-- assert_equal("installing into parent path /absolute.rb of " +
-- "#{@destination} is not allowed", e.message)
-+ extracted = File.join @destination, 'lib/foo.rb'
-+ assert_path_exists extracted
-+ assert_equal '../relative.rb',
-+ File.readlink(extracted)
-+ assert_equal 'hi',
-+ File.read(extracted)
- end
-
- def test_extract_tar_gz_directory