Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/freeimage-CVE-2015-0852.patch | 129 | ||||
-rw-r--r-- | gnu/packages/patches/openjpeg-CVE-2015-6581.patch | 47 | ||||
-rw-r--r-- | gnu/packages/patches/openjpeg-use-after-free-fix.patch | 48 | ||||
-rw-r--r-- | gnu/packages/patches/qt4-tests.patch | 22 | ||||
-rw-r--r-- | gnu/packages/patches/qt5-runpath.patch | 27 | ||||
-rw-r--r-- | gnu/packages/patches/valgrind-enable-arm.patch | 15 | ||||
-rw-r--r-- | gnu/packages/patches/valgrind-glibc-2.22.patch | 39 | ||||
-rw-r--r-- | gnu/packages/patches/valgrind-linux-libre-4.x.patch | 18 | ||||
-rw-r--r-- | gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch | 17 |
9 files changed, 256 insertions, 106 deletions
diff --git a/gnu/packages/patches/freeimage-CVE-2015-0852.patch b/gnu/packages/patches/freeimage-CVE-2015-0852.patch
new file mode 100644
index 0000000000..34d538e925
--- /dev/null
+++ b/gnu/packages/patches/freeimage-CVE-2015-0852.patch
@@ -0,0 +1,129 @@
+Copied from Debian.
+
+Description: fix integer overflow
+Origin: upstream
+ http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN
+ http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN
+Bug-Debian: https://bugs.debian.org/797165
+Last-Update: 2015-09-14
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: freeimage/Source/FreeImage/PluginPCX.cpp
+===================================================================
+--- freeimage.orig/Source/FreeImage/PluginPCX.cpp
++++ freeimage/Source/FreeImage/PluginPCX.cpp
+@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle,
+
+ try {
+ // check PCX identifier
+-
+- long start_pos = io->tell_proc(handle);
+- BOOL validated = pcx_validate(io, handle);
+- io->seek_proc(handle, start_pos, SEEK_SET);
+- if(!validated) {
+- throw FI_MSG_ERROR_MAGIC_NUMBER;
++ // (note: should have been already validated using FreeImage_GetFileType but check again)
++ {
++ long start_pos = io->tell_proc(handle);
++ BOOL validated = pcx_validate(io, handle);
++ io->seek_proc(handle, start_pos, SEEK_SET);
++ if(!validated) {
++ throw FI_MSG_ERROR_MAGIC_NUMBER;
++ }
+ }
+
+ // process the header
+@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle,
+ SwapHeader(&header);
+ #endif
+
+- // allocate a new DIB
++ // process the window
++ const WORD *window = header.window; // left, upper, right,lower pixel coord.
++ const int left = window[0];
++ const int top = window[1];
++ const int right = window[2];
++ const int bottom = window[3];
+
+- unsigned width = header.window[2] - header.window[0] + 1;
+- unsigned height = header.window[3] - header.window[1] + 1;
+- unsigned bitcount = header.bpp * header.planes;
+-
+- if (bitcount == 24) {
+- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+- } else {
+- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
++ // check image size
++ if((left >= right) || (top >= bottom)) {
++ throw FI_MSG_ERROR_PARSING;
+ }
+
+- // if the dib couldn't be allocated, throw an error
++ const unsigned width = right - left + 1;
++ const unsigned height = bottom - top + 1;
++ const unsigned bitcount = header.bpp * header.planes;
++
++ // allocate a new DIB
++ switch(bitcount) {
++ case 1:
++ case 4:
++ case 8:
++ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
++ break;
++ case 24:
++ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
++ break;
++ default:
++ throw FI_MSG_ERROR_DIB_MEMORY;
++ break;
++ }
+
++ // if the dib couldn't be allocated, throw an error
+ if (!dib) {
+ throw FI_MSG_ERROR_DIB_MEMORY;
+ }
+@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle,
+
+ if (palette_id == 0x0C) {
+ BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE));
+- io->read_proc(cmap, 768, 1, handle);
+
+- pal = FreeImage_GetPalette(dib);
+- BYTE *pColormap = &cmap[0];
++ if(cmap) {
++ io->read_proc(cmap, 768, 1, handle);
+
+- for(int i = 0; i < 256; i++) {
+- pal[i].rgbRed = pColormap[0];
+- pal[i].rgbGreen = pColormap[1];
+- pal[i].rgbBlue = pColormap[2];
+- pColormap += 3;
++ pal = FreeImage_GetPalette(dib);
++ BYTE *pColormap = &cmap[0];
++
++ for(int i = 0; i < 256; i++) {
++ pal[i].rgbRed = pColormap[0];
++ pal[i].rgbGreen = pColormap[1];
++ pal[i].rgbBlue = pColormap[2];
++ pColormap += 3;
++ }
++
++ free(cmap);
+ }
+
+- free(cmap);
+ }
+
+ // wrong palette ID, perhaps a gray scale is needed ?
+@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle,
+ // calculate the line length for the PCX and the DIB
+
+ // length of raster line in bytes
+- unsigned linelength = header.bytes_per_line * header.planes;
++ const unsigned linelength = header.bytes_per_line * header.planes;
+ // length of DIB line (rounded to DWORD) in bytes
+- unsigned pitch = FreeImage_GetPitch(dib);
++ const unsigned pitch = FreeImage_GetPitch(dib);
+
+ // run-length encoding ?
+
diff --git a/gnu/packages/patches/openjpeg-CVE-2015-6581.patch b/gnu/packages/patches/openjpeg-CVE-2015-6581.patch
new file mode 100644
index 0000000000..7ce03501f4
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2015-6581.patch
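Review bot: The palette branch in the third inner hunk of the freeimage patch still ignores the result of `io->read_proc(cmap, 768, 1, handle)`, so a file truncated before the 768-byte colour map leaves `cmap` holding uninitialised heap bytes that are then copied into the DIB palette. Checking the return, e.g. `if (io->read_proc(cmap, 768, 1, handle) != 1) { free(cmap); throw FI_MSG_ERROR_PARSING; }`, would close that; this assumes read_proc follows fread's item-count convention, which the hunk does not show. The new `if(cmap)` guard also skips the palette silently when malloc fails, where throwing `FI_MSG_ERROR_DIB_MEMORY`, as the allocation switch above does, would be more consistent. Separately, the window check uses `>=`, so an image that is one pixel wide or high (left == right, or top == bottom) is now rejected even though its computed width or height would be 1. Load's body starts and ends outside these hunks.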
@@ -0,0 +1,47 @@
+From 0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0 Mon Sep 17 00:00:00 2001
+From: Matthieu Darbois <mayeut@users.noreply.github.com>
+Date: Tue, 19 May 2015 21:57:27 +0000
+Subject: [PATCH] [trunk] Correct potential double free on malloc failure in
+ opj_j2k_copy_default_tcp_and_create_tcp (fixes issue 492)
+
+---
+ src/lib/openjp2/j2k.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 8c62a39..cbdd368 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -7365,6 +7365,12 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd ( opj_j2k_t * p_j2
+ l_tcp->cod = 0;
+ l_tcp->ppt = 0;
+ l_tcp->ppt_data = 00;
++ /* Remove memory not owned by this tile in case of early error return. */
++ l_tcp->m_mct_decoding_matrix = 00;
++ l_tcp->m_nb_max_mct_records = 0;
++ l_tcp->m_mct_records = 00;
++ l_tcp->m_nb_max_mcc_records = 0;
++ l_tcp->m_mcc_records = 00;
+ /* Reconnect the tile-compo coding parameters pointer to the current tile coding parameters*/
+ l_tcp->tccps = l_current_tccp;
+
+@@ -7402,6 +7408,8 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd ( opj_j2k_t * p_j2
+
+ ++l_src_mct_rec;
+ ++l_dest_mct_rec;
++ /* Update with each pass to free exactly what has been allocated on early return. */
++ l_tcp->m_nb_max_mct_records += 1;
+ }
+
+ /* Get the mcc_record of the dflt_tile_cp and copy them into the current tile cp*/
+@@ -7411,6 +7419,7 @@ static OPJ_BOOL opj_j2k_copy_default_tcp_and_create_tcd ( opj_j2k_t * p_j2
+ return OPJ_FALSE;
+ }
+ memcpy(l_tcp->m_mcc_records,l_default_tcp->m_mcc_records,l_mcc_records_size);
++ l_tcp->m_nb_max_mcc_records = l_default_tcp->m_nb_max_mcc_records;
+
+ /* Copy the mcc record data from dflt_tile_cp to the current tile*/
+ l_src_mcc_rec = l_default_tcp->m_mcc_records;
+--
+2.5.0
+
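Review bot: Nothing in this patch file's header ties it to CVE-2015-6581 or says where it was taken from, unlike the freeimage and webkitgtk patches in this commit, which open with a "Copied from …" line; the same applies to openjpeg-use-after-free-fix.patch, whose only reference is `Fixes #563`. A leading comment such as `Fix CVE-2015-6581 (double free on allocation failure); copied from upstream commit 0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0.` would let a later auditor match the file to the advisory. The Subject also names `opj_j2k_copy_default_tcp_and_create_tcp` while the hunk headers show `opj_j2k_copy_default_tcp_and_create_tcd`, which is worth noting in that comment. On the code itself, the fix counts copied records in `m_nb_max_mct_records`; the cleanup routine is not visible here, so it is worth confirming that it iterates over that field when freeing per-record data after an early return.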
diff --git a/gnu/packages/patches/openjpeg-use-after-free-fix.patch b/gnu/packages/patches/openjpeg-use-after-free-fix.patch
new file mode 100644
index 0000000000..1a9cb1ae1d
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-use-after-free-fix.patch
@@ -0,0 +1,48 @@
+From 940100c28ae28931722290794889cf84a92c5f6f Mon Sep 17 00:00:00 2001
+From: mayeut <mayeut@users.noreply.github.com>
+Date: Sun, 6 Sep 2015 17:24:03 +0200
+Subject: [PATCH] Fix potential use-after-free in opj_j2k_write_mco function
+
+Fixes #563
+---
+ src/lib/openjp2/j2k.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
+index 19a48f5..d487d89 100644
+--- a/src/lib/openjp2/j2k.c
++++ b/src/lib/openjp2/j2k.c
+@@ -5559,8 +5559,7 @@ static OPJ_BOOL opj_j2k_write_mco( opj_j2k_t *p_j2k,
+ assert(p_stream != 00);
+
+ l_tcp =&(p_j2k->m_cp.tcps[p_j2k->m_current_tile_number]);
+- l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
+-
++
+ l_mco_size = 5 + l_tcp->m_nb_mcc_records;
+ if (l_mco_size > p_j2k->m_specific_param.m_encoder.m_header_tile_data_size) {
+
+@@ -5575,6 +5574,8 @@ static OPJ_BOOL opj_j2k_write_mco( opj_j2k_t *p_j2k,
+ p_j2k->m_specific_param.m_encoder.m_header_tile_data = new_header_tile_data;
+ p_j2k->m_specific_param.m_encoder.m_header_tile_data_size = l_mco_size;
+ }
++ l_current_data = p_j2k->m_specific_param.m_encoder.m_header_tile_data;
++
+
+ opj_write_bytes(l_current_data,J2K_MS_MCO,2); /* MCO */
+ l_current_data += 2;
+@@ -5586,10 +5587,9 @@ static OPJ_BOOL opj_j2k_write_mco( opj_j2k_t *p_j2k,
+ ++l_current_data;
+
+ l_mcc_record = l_tcp->m_mcc_records;
+- for (i=0;i<l_tcp->m_nb_mcc_records;++i) {
++ for (i=0;i<l_tcp->m_nb_mcc_records;++i) {
+ opj_write_bytes(l_current_data,l_mcc_record->m_index,1);/* Imco -> use the mcc indicated by 1*/
+ ++l_current_data;
+-
+ ++l_mcc_record;
+ }
+
+--
+2.5.0
+
diff --git a/gnu/packages/patches/qt4-tests.patch b/gnu/packages/patches/qt4-tests.patch
deleted file mode 100644
index eb499ec76a..0000000000
--- a/gnu/packages/patches/qt4-tests.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Drop tests requiring a running X server, but not starting any.
-
-diff -ru qt-everywhere-opensource-src-4.8.5.orig/src/3rdparty/webkit/Source/WebKit/qt/tests/tests.pro qt-everywhere-opensource-src-4.8.5/src/3rdparty/webkit/Source/WebKit/qt/tests/tests.pro
---- qt-everywhere-opensource-src-4.8.5.orig/src/3rdparty/webkit/Source/WebKit/qt/tests/tests.pro 2013-10-12 13:15:47.000000000 +0200
-+++ qt-everywhere-opensource-src-4.8.5/src/3rdparty/webkit/Source/WebKit/qt/tests/tests.pro 2013-10-12 13:20:15.000000000 +0200
-@@ -1,15 +1,4 @@
-
- TEMPLATE = subdirs
--SUBDIRS = qwebframe qwebpage qwebelement qgraphicswebview qwebhistoryinterface qwebview qwebhistory qwebinspector hybridPixmap
-+SUBDIRS =
-
--linux-* {
-- # This test bypasses the library and links the tested code's object itself.
-- # This stresses the build system in some corners so we only run it on linux.
-- SUBDIRS += MIMESniffing
--}
--
--contains(QT_CONFIG, declarative): SUBDIRS += qdeclarativewebview
--SUBDIRS += benchmarks/painting benchmarks/loading
--contains(DEFINES, ENABLE_WEBGL=1) {
-- SUBDIRS += benchmarks/webgl
--}
diff --git a/gnu/packages/patches/qt5-runpath.patch b/gnu/packages/patches/qt5-runpath.patch
deleted file mode 100644
index d045d39aaa..0000000000
--- a/gnu/packages/patches/qt5-runpath.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Allow the use of DT_RUNPATH. This fixes a bug whereby libQt5WebEngineCore.so
-ends up having an empty RUNPATH.
-
-
-diff -u -r qt-everywhere-opensource-src-5.5.0.orig/qtwebengine/src/3rdparty/chromium/build/common.gypi qt-everywhere-opensource-src-5.5.0/qtwebengine/src/3rdparty/chromium/build/common.gypi
---- qt-everywhere-opensource-src-5.5.0.orig/qtwebengine/src/3rdparty/chromium/build/common.gypi 2015-06-29 22:09:36.000000000 +0200
-+++ qt-everywhere-opensource-src-5.5.0/qtwebengine/src/3rdparty/chromium/build/common.gypi 2015-07-25 15:32:57.999411191 +0200
-@@ -4448,19 +4448,6 @@
- '-B<!(cd <(DEPTH) && pwd -P)/<(binutils_dir)',
- ],
- }],
-- # Some binutils 2.23 releases may or may not have new dtags enabled,
-- # but they are all compatible with --disable-new-dtags,
-- # because the new dynamic tags are not created by default.
-- ['binutils_version>=223', {
-- # Newer binutils don't set DT_RPATH unless you disable "new" dtags
-- # and the new DT_RUNPATH doesn't work without --no-as-needed flag.
-- # FIXME(mithro): Figure out the --as-needed/--no-as-needed flags
-- # inside this file to allow usage of --no-as-needed and removal of
-- # this flag.
-- 'ldflags': [
-- '-Wl,--disable-new-dtags',
-- ],
-- }],
- ['gcc_version>=47 and clang==0', {
- 'target_conditions': [
- ['_toolset=="target"', {
diff --git a/gnu/packages/patches/valgrind-enable-arm.patch b/gnu/packages/patches/valgrind-enable-arm.patch
new file mode 100644
index 0000000000..663e68463c
--- /dev/null
+++ b/gnu/packages/patches/valgrind-enable-arm.patch
@@ -0,0 +1,15 @@
+Accept "arm" instead of "armv7" in configure, see
+ http://valgrind.10908.n7.nabble.com/building-for-arm-td39382.html .
+
+diff -u -r valgrind-3.11.0.orig/configure valgrind-3.11.0/configure
+--- valgrind-3.11.0.orig/configure 2015-10-02 20:37:41.915721386 +0200
++++ valgrind-3.11.0/configure 2015-10-02 20:37:54.886746395 +0200
+@@ -5607,7 +5607,7 @@
+ ARCH_MAX="s390x"
+ ;;
+
+- armv7*)
++ arm*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok (${host_cpu})" >&5
+ $as_echo "ok (${host_cpu})" >&6; }
+ ARCH_MAX="arm"
diff --git a/gnu/packages/patches/valgrind-glibc-2.22.patch b/gnu/packages/patches/valgrind-glibc-2.22.patch
deleted file mode 100644
index 36c4916cc6..0000000000
--- a/gnu/packages/patches/valgrind-glibc-2.22.patch
+++ /dev/null
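Review bot: The replacement pattern `arm*)` matches every host_cpu string that begins with "arm", not only the bare `arm` the description is about, so configure would also answer "ok" and set ARCH_MAX="arm" for names such as armv5* or armv6*, which the original `armv7*)` pattern did not accept. If the goal is only to accept a triplet whose CPU field is `arm`, `arm|armv7*)` keeps the original restriction. Whether a branch for 64-bit ARM precedes this one in the case statement is not visible in the hunk, so the ordering is worth checking as well.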
@@ -1,39 +0,0 @@
-Submitted By: Pierre Labastie <pierre at linuxfromscratch dot org>
-Date: 2015-02-22
-Initial Package Version: 3.10.1
-Upstream Status: Unknown
-Origin: Self
-Description: Allows Valgrind to build with glibc-2.21
-
-Later modified to support glibc-2.22 as well.
-
-diff -Naur valgrind-3.10.1.old/configure valgrind-3.10.1.new/configure
---- valgrind-3.10.1.old/configure 2014-11-25 20:42:25.000000000 +0100
-+++ valgrind-3.10.1.new/configure 2015-02-22 10:46:06.607826488 +0100
-@@ -6842,6 +6842,26 @@
- DEFAULT_SUPP="glibc-2.34567-NPTL-helgrind.supp ${DEFAULT_SUPP}"
- DEFAULT_SUPP="glibc-2.X-drd.supp ${DEFAULT_SUPP}"
- ;;
-+ 2.21)
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: 2.21 family" >&5
-+$as_echo "2.21 family" >&6; }
-+
-+$as_echo "#define GLIBC_2_21 1" >>confdefs.h
-+
-+ DEFAULT_SUPP="glibc-2.X.supp ${DEFAULT_SUPP}"
-+ DEFAULT_SUPP="glibc-2.34567-NPTL-helgrind.supp ${DEFAULT_SUPP}"
-+ DEFAULT_SUPP="glibc-2.X-drd.supp ${DEFAULT_SUPP}"
-+ ;;
-+ 2.22)
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: 2.22 family" >&5
-+$as_echo "2.22 family" >&6; }
-+
-+$as_echo "#define GLIBC_2_22 1" >>confdefs.h
-+
-+ DEFAULT_SUPP="glibc-2.X.supp ${DEFAULT_SUPP}"
-+ DEFAULT_SUPP="glibc-2.34567-NPTL-helgrind.supp ${DEFAULT_SUPP}"
-+ DEFAULT_SUPP="glibc-2.X-drd.supp ${DEFAULT_SUPP}"
-+ ;;
- darwin)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: Darwin" >&5
- $as_echo "Darwin" >&6; }
diff --git a/gnu/packages/patches/valgrind-linux-libre-4.x.patch b/gnu/packages/patches/valgrind-linux-libre-4.x.patch
deleted file mode 100644
index 79166619c7..0000000000
--- a/gnu/packages/patches/valgrind-linux-libre-4.x.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Modify valgrind's configure script to accept linux-libre-4.x as being in the
-same family as 3.x.
-
---- valgrind-3.10.1/configure 2015-09-15 18:02:20.710262686 -0400
-+++ valgrind-3.10.1/configure 2015-09-15 18:02:59.831829731 -0400
-@@ -5553,9 +5553,9 @@
- kernel=`uname -r`
-
- case "${kernel}" in
-- 2.6.*|3.*)
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: 2.6.x/3.x family (${kernel})" >&5
--$as_echo "2.6.x/3.x family (${kernel})" >&6; }
-+ 2.6.*|3.*|4.*)
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: 2.6.x/3.x/4.x family (${kernel})" >&5
-+$as_echo "2.6.x/3.x/4.x family (${kernel})" >&6; }
-
- $as_echo "#define KERNEL_2_6 1" >>confdefs.h
-
diff --git a/gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch b/gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch
new file mode 100644
index 0000000000..671b5fb910
--- /dev/null
+++ b/gnu/packages/patches/webkitgtk-2.4-sql-init-string.patch
@@ -0,0 +1,17 @@
+Copied from Fedora.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1189303
+http://pkgs.fedoraproject.org/cgit/webkitgtk.git/commit/?id=e689e45d0cc2c50484e69d20371ba607af7326f3
+
+diff -up webkitgtk-2.4.9/Source/WebCore/platform/sql/SQLiteStatement.cpp.sql_initialize_string webkitgtk-2.4.9/Source/WebCore/platform/sql/SQLiteStatement.cpp
+--- webkitgtk-2.4.9/Source/WebCore/platform/sql/SQLiteStatement.cpp.sql_initialize_string 2015-09-14 09:25:43.004200172 +0200
++++ webkitgtk-2.4.9/Source/WebCore/platform/sql/SQLiteStatement.cpp 2015-09-14 09:25:57.852082368 +0200
+@@ -71,7 +71,7 @@ int SQLiteStatement::prepare()
+ // this lets SQLite avoid an extra string copy.
+ size_t lengthIncludingNullCharacter = query.length() + 1;
+
+- const char* tail;
++ const char* tail = nullptr;
+ int error = sqlite3_prepare_v2(m_database.sqlite3Handle(), query.data(), lengthIncludingNullCharacter, &m_statement, &tail);
+
+ if (error != SQLITE_OK) |
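Review bot: The webkitgtk patch header gives two links but never states what defect the one-line change addresses, so the reason for `const char* tail = nullptr;` is lost if either tracker goes away. A short description line under "Copied from Fedora.", for example `Initialize 'tail' so it has a defined value if sqlite3_prepare_v2 does not set it.`, would document it. How `tail` is read after the call lies outside the hunk, so the wording should be adjusted to what the function actually does. SQLiteStatement::prepare() starts and ends outside the hunk.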