diff options
author | Leo Famulari <leo@famulari.name> | 2016-12-11 15:03:52 -0500 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2016-12-11 15:03:52 -0500 |
commit | 4a990395d749619c6e565c57a05c0ca9f6894eed (patch) | |
tree | 19ce08ce112e3ad790b6cc6f0352bc40f48b8b64 /gnu/packages | |
parent | 0c6fc4b7e5984ae1d63ea2ba9c7c2f5b35895574 (diff) | |
parent | d94691e0c21440657ad198b03145743d4a876829 (diff) | |
download | patches-4a990395d749619c6e565c57a05c0ca9f6894eed.tar patches-4a990395d749619c6e565c57a05c0ca9f6894eed.tar.gz |
Merge branch 'staging'
Diffstat (limited to 'gnu/packages')
37 files changed, 116 insertions, 1543 deletions
diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm index 4288913f78..8e3327eafe 100644 --- a/gnu/packages/algebra.scm +++ b/gnu/packages/algebra.scm @@ -544,7 +544,8 @@ a C program.") "1kwbx92ps0r7s2mqy7lxbxanslxdzj7dp7r7gmdkzv1j8yqf3kwf")))) (build-system gnu-build-system) (arguments - '(#:configure-flags '("--enable-shared" "--enable-openmp") + '(#:configure-flags + '("--enable-shared" "--enable-openmp" "--enable-threads") #:phases (alist-cons-before 'build 'no-native (lambda _ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 8b8134c822..c2430f656f 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -940,15 +940,15 @@ command.") (define-public tzdata (package (name "tzdata") - (version "2016g") + (version "2016j") (source (origin (method url-fetch) (uri (string-append - "http://www.iana.org/time-zones/repository/releases/tzdata" + "https://www.iana.org/time-zones/repository/releases/tzdata" version ".tar.gz")) (sha256 (base32 - "1lgbh49bsbysibzr7imjsh1xa7pqmimphxvvwh6kncj7pjr3fw9w")))) + "1j4xycpwhs57qnkcxwh3np8wnf3km69n3cf4w6p2yv2z247lxvpm")))) (build-system gnu-build-system) (arguments '(#:tests? #f @@ -996,8 +996,8 @@ command.") version ".tar.gz")) (sha256 (base32 - "0azsz436vd65bkdkdmjgsh7zhh0whnqqfliva45191krmm3hpy8z")))))) - (home-page "http://www.iana.org/time-zones") + "1dxhrk4z0n2di8p0yd6q00pa6bwyz5xqbrfbasiz8785ni7zrvxr")))))) + (home-page "https://www.iana.org/time-zones") (synopsis "Database of current and historical time zones") (description "The Time Zone Database (often called tz or zoneinfo) contains code and data that represent the history of local time for many diff --git a/gnu/packages/docbook.scm b/gnu/packages/docbook.scm index 46041c24d3..067ad1c3b0 100644 --- a/gnu/packages/docbook.scm +++ b/gnu/packages/docbook.scm @@ -132,14 +132,14 @@ by no means limited to these applications.) This package provides XML DTDs.") (define-public docbook-xsl (package (name "docbook-xsl") - (version "1.78.1") + (version "1.79.1") (source (origin (method url-fetch) (uri (string-append "mirror://sourceforge/docbook/docbook-xsl/" version "/docbook-xsl-" version ".tar.bz2")) (sha256 (base32 - "0rxl013ncmz1n6ymk2idvx3hix9pdabk8xn01cpcv32wmfb753y9")))) + "0s59lihif2fr7rznckxr2kfyrvkirv76r1zvidp9b5mj28p4apvj")))) (build-system trivial-build-system) (arguments `(#:builder (let ((name-version (string-append ,name "-" ,version))) diff --git a/gnu/packages/gl.scm b/gnu/packages/gl.scm index 50b474c623..0e9b5ddb5f 100644 --- a/gnu/packages/gl.scm +++ b/gnu/packages/gl.scm @@ -196,7 +196,7 @@ also known as DXTn or DXTC) for Mesa.") (define-public mesa (package (name "mesa") - (version "12.0.1") + (version "13.0.2") (source (origin (method url-fetch) @@ -204,7 +204,9 @@ also known as DXTn or DXTC) for Mesa.") version "/mesa-" version ".tar.xz")) (sha256 (base32 - "12b3i59xdn2in2hchrkgh4fwij8zhznibx976l3pdj3qkyvlzcms")))) + "1m8n8kd8kcs5ddyvldiw09wvpi5wwpfmmxlb87d63vgl8lk65vd6")) + (patches + (search-patches "mesa-wayland-egl-symbols-check-mips.patch")))) (build-system gnu-build-system) (propagated-inputs `(("glproto" ,glproto) @@ -227,20 +229,10 @@ also known as DXTn or DXTC) for Mesa.") ("makedepend" ,makedepend) ("presentproto" ,presentproto) ("s2tc" ,s2tc) - ("udev" ,eudev) ("wayland" ,wayland))) (native-inputs `(("pkg-config" ,pkg-config) - ("python" ,python-2) - - ;; XXX To prevent a large number of rebuilds on other systems, - ;; apply the following patch on MIPS systems only. In the next - ;; core-updates cycle, this patch could be applied on all platforms. - ,@(if (string-prefix? "mips" (or (%current-target-system) - (%current-system))) - `(("mips-patch" - ,(search-patch "mesa-wayland-egl-symbols-check-mips.patch"))) - '()))) + ("python" ,python-2))) (arguments `(#:configure-flags '(;; drop r300 from default gallium drivers, as it requires llvm @@ -267,16 +259,6 @@ also known as DXTn or DXTC) for Mesa.") '("--with-dri-drivers=nouveau,r200,radeon,swrast")))) #:phases (modify-phases %standard-phases - ;; Add an 'apply-mips-patch' phase conditionally (see above.) - ,@(if (string-prefix? "mips" (or (%current-target-system) - (%current-system))) - `((add-after 'unpack 'apply-mips-patch - (lambda* (#:key inputs #:allow-other-keys) - (let ((patch (assoc-ref inputs "mips-patch"))) - (zero? (system* "patch" "-p1" "--force" - "--input" patch)))))) - '()) - (add-after 'unpack 'patch-create_test_cases (lambda _ @@ -288,7 +270,6 @@ also known as DXTn or DXTC) for Mesa.") 'build 'fix-dlopen-libnames (lambda* (#:key inputs outputs #:allow-other-keys) (let ((s2tc (assoc-ref inputs "s2tc")) - (udev (assoc-ref inputs "udev")) (out (assoc-ref outputs "out"))) ;; Remain agnostic to .so.X.Y.Z versions while doing ;; the substitutions so we're future-safe. @@ -297,10 +278,6 @@ also known as DXTn or DXTC) for Mesa.") "src/mesa/main/texcompress_s3tc.c") (("\"libtxc_dxtn\\.so") (string-append "\"" s2tc "/lib/libtxc_dxtn.so"))) - (substitute* "src/loader/loader.c" - (("udev_handle = dlopen\\(name") - (string-append "udev_handle = dlopen(\"" - udev "/lib/libudev.so\""))) (substitute* "src/glx/dri_common.c" (("dlopen\\(\"libGL\\.so") (string-append "dlopen(\"" out "/lib/libGL.so"))) @@ -485,7 +462,8 @@ OpenGL graphics API.") (file-name (string-append name "-" version ".tar.gz")) (sha256 (base32 - "1d1brhwfmlzgnphmdwlvn5wbcrxsdyzf1qfcf8nb89xqzznxs037")))) + "1d1brhwfmlzgnphmdwlvn5wbcrxsdyzf1qfcf8nb89xqzznxs037")) + (patches (search-patches "libepoxy-gl-null-checks.patch")))) (arguments `(#:phases (modify-phases %standard-phases diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm index ba2184c6ad..a78b188af0 100644 --- a/gnu/packages/glib.scm +++ b/gnu/packages/glib.scm @@ -64,8 +64,7 @@ (define dbus (package (name "dbus") - (replacement dbus-1.10.12) - (version "1.10.10") + (version "1.10.14") (source (origin (method url-fetch) (uri (string-append @@ -73,7 +72,7 @@ version ".tar.gz")) (sha256 (base32 - "0hwsfczhx2djmc9116vj5v230i7gpjihwh3vbljs1ldlk831v3wx")) + "10x0wvv2ly4lyyfd42k4xw0ar5qdbi9cksw3l5fcwf1y6mq8y8r3")) (patches (search-patches "dbus-helper-search-path.patch")))) (build-system gnu-build-system) (arguments @@ -132,21 +131,6 @@ or through unencrypted TCP/IP suitable for use behind a firewall with shared NFS home directories.") (license license:gpl2+))) ; or Academic Free License 2.1 -(define dbus-1.10.12 - (package - (inherit dbus) - (name "dbus") - (source - (let ((version "1.10.12")) - (origin - (inherit (package-source dbus)) - (uri (string-append - "https://dbus.freedesktop.org/releases/dbus/dbus-" - version ".tar.gz")) - (sha256 - (base32 - "0pa71vf5c0d7k3gni06iascmplj0j5g70wbc833ayvi71d1pj2i1"))))))) - (define glib (package (name "glib") diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm index 1dde6c06c7..1762381cf0 100644 --- a/gnu/packages/gnome.scm +++ b/gnu/packages/gnome.scm @@ -681,14 +681,14 @@ update-desktop-database: updates the database containing a cache of MIME types (define-public shared-mime-info (package (name "shared-mime-info") - (version "1.6") + (version "1.7") (source (origin (method url-fetch) (uri (string-append "https://freedesktop.org/~hadess/" "shared-mime-info-" version ".tar.xz")) (sha256 (base32 - "0k637g047gci8g69bg4g19akylpfraxm40hd30j3i4v7cidziy5j")))) + "0bjd2j1rqrj150mr04j7ib71lfdlgbf235fg8d70g8mszqf7ik7a")))) (build-system gnu-build-system) (arguments ;; The build system appears not to be parallel-safe. @@ -2140,7 +2140,7 @@ libxml to ease remote use of the RESTful API.") (define-public libsoup (package (name "libsoup") - (version "2.54.1") + (version "2.56.0") (source (origin (method url-fetch) (uri (string-append "mirror://gnome/sources/libsoup/" @@ -2148,7 +2148,7 @@ libxml to ease remote use of the RESTful API.") name "-" version ".tar.xz")) (sha256 (base32 - "0cyn5pq4xl1gb8413h2p4d5wrn558dc054zhwmk4swrl40ijrd27")))) + "1r8zz270qdg92gbsvy61d51y1cj7hp059h2f4xpvqiw2vrqnn8fq")))) (build-system gnu-build-system) (outputs '("out" "doc")) (arguments diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index e9aaa461f2..fc4677c247 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -102,7 +102,6 @@ tools have full access to view and control running applications.") (define-public cairo (package (name "cairo") - (replacement cairo/fixed) (version "1.14.6") (source (origin (method url-fetch) @@ -110,7 +109,8 @@ tools have full access to view and control running applications.") version ".tar.xz")) (sha256 (base32 - "0lmjlzmghmr27y615px9hkm552x7ap6pmq9mfbzr6smp8y2b6g31")))) + "0lmjlzmghmr27y615px9hkm552x7ap6pmq9mfbzr6smp8y2b6g31")) + (patches (search-patches "cairo-CVE-2016-9082.patch")))) (build-system gnu-build-system) (propagated-inputs `(("fontconfig" ,fontconfig) @@ -156,10 +156,6 @@ affine transformation (scale, rotation, shear, etc.).") (package (inherit cairo) (name "cairo-xcb") - (source (origin - (inherit (package-source cairo)) - (patches (search-patches "cairo-CVE-2016-9082.patch")))) - (replacement #f) (inputs `(("mesa" ,mesa) ,@(package-inputs cairo))) @@ -169,17 +165,10 @@ affine transformation (scale, rotation, shear, etc.).") '("--enable-xlib-xcb" "--enable-gl" "--enable-egl"))) (synopsis "2D graphics library (with X11 support)"))) -(define cairo/fixed - (package - (inherit cairo) - (source (origin - (inherit (package-source cairo)) - (patches (search-patches "cairo-CVE-2016-9082.patch")))))) - (define-public harfbuzz (package (name "harfbuzz") - (version "1.2.4") + (version "1.3.3") (source (origin (method url-fetch) (uri (string-append "https://www.freedesktop.org/software/" @@ -187,7 +176,7 @@ affine transformation (scale, rotation, shear, etc.).") version ".tar.bz2")) (sha256 (base32 - "14g4kpph8hgplkm954daxiymxx0vicfq7b7svvdsx54g5bqvv7a4")))) + "1jdkdjvci5d6r26vimsz24hz3xqqrk5xq40n693jn4m42mqrh816")))) (build-system gnu-build-system) (outputs '("out" "bin")) ; 160K, only hb-view depend on cairo @@ -212,7 +201,7 @@ affine transformation (scale, rotation, shear, etc.).") "HarfBuzz is an OpenType text shaping engine.") (license (license:x11-style "file://COPYING" "See 'COPYING' in the distribution.")) - (home-page "http://www.freedesktop.org/wiki/Software/HarfBuzz/"))) + (home-page "https://www.freedesktop.org/wiki/Software/HarfBuzz/"))) (define-public pango (package diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 22f711606d..4967f83ed9 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -38,6 +38,8 @@ #:use-module (gnu packages compression) #:use-module (gnu packages documentation) #:use-module (gnu packages fontutils) + ;; To provide gcc@5 and gcc@6, to work around <http://bugs.gnu.org/24703>. + #:use-module (gnu packages gcc) #:use-module (gnu packages gettext) #:use-module (gnu packages ghostscript) #:use-module (gnu packages gl) @@ -246,25 +248,14 @@ extracting icontainer icon files.") (define-public libtiff (package (name "libtiff") - (replacement libtiff-4.0.7) - (version "4.0.6") + (version "4.0.7") (source (origin (method url-fetch) - (uri (string-append "ftp://ftp.remotesensing.org/pub/libtiff/tiff-" - version ".tar.gz")) - (sha256 (base32 - "136nf1rj9dp5jgv1p7z4dk0xy3wki1w0vfjbk82f645m0w4samsd")) - (patches (search-patches - "libtiff-oob-accesses-in-decode.patch" - "libtiff-oob-write-in-nextdecode.patch" - "libtiff-CVE-2015-8665+CVE-2015-8683.patch" - "libtiff-CVE-2016-3623.patch" - "libtiff-CVE-2016-3945.patch" - "libtiff-CVE-2016-3990.patch" - "libtiff-CVE-2016-3991.patch" - "libtiff-CVE-2016-5314.patch" - "libtiff-CVE-2016-5321.patch" - "libtiff-CVE-2016-5323.patch")))) + (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-" + version ".tar.gz")) + (sha256 + (base32 + "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz")))) (build-system gnu-build-system) (outputs '("out" "doc")) ;1.3 MiB of HTML documentation @@ -274,6 +265,9 @@ extracting icontainer icon files.") (assoc-ref %outputs "doc") "/share/doc/" ,name "-" ,version)))) + ;; Build with a patched GCC to work around <http://bugs.gnu.org/24703>. + (native-inputs + `(("gcc@5" ,gcc-5))) (inputs `(("zlib" ,zlib) ("libjpeg" ,libjpeg))) (synopsis "Library for handling TIFF files") @@ -284,20 +278,7 @@ Included are a library, libtiff, for reading and writing TIFF and a small collection of tools for doing simple manipulations of TIFF images.") (license (license:non-copyleft "file://COPYRIGHT" "See COPYRIGHT in the distribution.")) - (home-page "http://www.remotesensing.org/libtiff/"))) - -(define libtiff-4.0.7 - (package - (inherit libtiff) - (version "4.0.7") - (source (origin - (method url-fetch) - (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-" - version ".tar.gz")) - (sha256 - (base32 - "06ghqhr4db1ssq0acyyz49gr8k41gzw6pqb6mbn5r7jqp77s4hwz")))) - (home-page "http://www.simplesystems.org/libtiff/"))) + (home-page "http://www.simplesystems.org/libtiff/"))) (define-public libwmf (package diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 0e00a8f5f8..5fc355d12a 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -2503,7 +2503,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") (define-public bluez (package (name "bluez") - (version "5.40") + (version "5.43") (source (origin (method url-fetch) (uri (string-append @@ -2511,7 +2511,7 @@ Bluetooth audio output devices like headphones or loudspeakers.") version ".tar.xz")) (sha256 (base32 - "09ywk3lvgis0nbi0d5z8d4qp5r33lzwnd6bdakacmbsm420qpnns")))) + "05cdnpz0w2lwq2x5ba87q1h2wgb4lfnpbnbh6p7499hx59fw1j8n")))) (build-system gnu-build-system) (arguments '(#:configure-flags diff --git a/gnu/packages/patches/libepoxy-gl-null-checks.patch b/gnu/packages/patches/libepoxy-gl-null-checks.patch new file mode 100644 index 0000000000..bdc4b05989 --- /dev/null +++ b/gnu/packages/patches/libepoxy-gl-null-checks.patch @@ -0,0 +1,54 @@ +This patch from <https://bugzilla.redhat.com/show_bug.cgi?id=1395366> adds NULL +checks to avoid crashes when GL support is missing, as is the case when running +Xvfb. + +Upstream issue: <https://github.com/anholt/libepoxy/issues/72>. + +diff -ur libepoxy-1.3.1/src/dispatch_common.c libepoxy-1.3.1/src/dispatch_common.c +--- libepoxy-1.3.1/src/dispatch_common.c 2015-07-15 19:46:36.000000000 -0400 ++++ libepoxy-1.3.1/src/dispatch_common.c 2016-11-16 09:03:52.809066247 -0500 +@@ -348,6 +348,8 @@ + epoxy_extension_in_string(const char *extension_list, const char *ext) + { + const char *ptr = extension_list; ++ if (! ptr) return false; ++ if (! ext) return false; + int len = strlen(ext); + + /* Make sure that don't just find an extension with our name as a prefix. */ +@@ -380,6 +382,7 @@ + + for (i = 0; i < num_extensions; i++) { + const char *gl_ext = (const char *)glGetStringi(GL_EXTENSIONS, i); ++ if (! gl_ext) return false; + if (strcmp(ext, gl_ext) == 0) + return true; + } +diff -ur libepoxy-1.3.1/src/dispatch_egl.c libepoxy-1.3.1/src/dispatch_egl.c +--- libepoxy-1.3.1/src/dispatch_egl.c 2015-07-15 19:46:36.000000000 -0400 ++++ libepoxy-1.3.1/src/dispatch_egl.c 2016-11-16 08:40:34.069358709 -0500 +@@ -46,6 +46,7 @@ + int ret; + + version_string = eglQueryString(dpy, EGL_VERSION); ++ if (! version_string) return 0; + ret = sscanf(version_string, "%d.%d", &major, &minor); + assert(ret == 2); + return major * 10 + minor; +diff -ur libepoxy-1.3.1/src/dispatch_glx.c libepoxy-1.3.1/src/dispatch_glx.c +--- libepoxy-1.3.1/src/dispatch_glx.c 2015-07-15 19:46:36.000000000 -0400 ++++ libepoxy-1.3.1/src/dispatch_glx.c 2016-11-16 08:41:03.065730370 -0500 +@@ -57,11 +57,13 @@ + int ret; + + version_string = glXQueryServerString(dpy, screen, GLX_VERSION); ++ if (! version_string) return 0; + ret = sscanf(version_string, "%d.%d", &server_major, &server_minor); + assert(ret == 2); + server = server_major * 10 + server_minor; + + version_string = glXGetClientString(dpy, GLX_VERSION); ++ if (! version_string) return 0; + ret = sscanf(version_string, "%d.%d", &client_major, &client_minor); + assert(ret == 2); + client = client_major * 10 + client_minor; diff --git a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch b/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch deleted file mode 100644 index 811516dbe9..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2015-8665+CVE-2015-8683.patch +++ /dev/null @@ -1,107 +0,0 @@ -2015-12-26 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage - interface in case of unsupported values of SamplesPerPixel/ExtraSamples - for LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in - TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and - CVE-2015-8683 reported by zzf of Alibaba. - -diff -u -r1.93 -r1.94 ---- libtiff/libtiff/tif_getimage.c 22 Nov 2015 15:31:03 -0000 1.93 -+++ libtiff/libtiff/tif_getimage.c 26 Dec 2015 17:32:03 -0000 1.94 -@@ -182,20 +182,22 @@ - "Planarconfiguration", td->td_planarconfig); - return (0); - } -- if( td->td_samplesperpixel != 3 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d", -- "Samples/pixel", td->td_samplesperpixel); -+ "Sorry, can not handle image with %s=%d, %s=%d", -+ "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels); - return 0; - } - break; - case PHOTOMETRIC_CIELAB: -- if( td->td_samplesperpixel != 3 || td->td_bitspersample != 8 ) -+ if( td->td_samplesperpixel != 3 || colorchannels != 3 || td->td_bitspersample != 8 ) - { - sprintf(emsg, -- "Sorry, can not handle image with %s=%d and %s=%d", -+ "Sorry, can not handle image with %s=%d, %s=%d and %s=%d", - "Samples/pixel", td->td_samplesperpixel, -+ "colorchannels", colorchannels, - "Bits/sample", td->td_bitspersample); - return 0; - } -@@ -255,6 +257,9 @@ - int colorchannels; - uint16 *red_orig, *green_orig, *blue_orig; - int n_color; -+ -+ if( !TIFFRGBAImageOK(tif, emsg) ) -+ return 0; - - /* Initialize to normal values */ - img->row_offset = 0; -@@ -2509,29 +2514,33 @@ - case PHOTOMETRIC_RGB: - switch (img->bitspersample) { - case 8: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >= 4) - img->put.contig = putRGBAAcontig8bittile; -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >= 4) - { - if (BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig8bittile; - } -- else -+ else if( img->samplesperpixel >= 3 ) - img->put.contig = putRGBcontig8bittile; - break; - case 16: -- if (img->alpha == EXTRASAMPLE_ASSOCALPHA) -+ if (img->alpha == EXTRASAMPLE_ASSOCALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBAAcontig16bittile; - } -- else if (img->alpha == EXTRASAMPLE_UNASSALPHA) -+ else if (img->alpha == EXTRASAMPLE_UNASSALPHA && -+ img->samplesperpixel >=4 ) - { - if (BuildMapBitdepth16To8(img) && - BuildMapUaToAa(img)) - img->put.contig = putRGBUAcontig16bittile; - } -- else -+ else if( img->samplesperpixel >=3 ) - { - if (BuildMapBitdepth16To8(img)) - img->put.contig = putRGBcontig16bittile; -@@ -2540,7 +2549,7 @@ - } - break; - case PHOTOMETRIC_SEPARATED: -- if (buildMap(img)) { -+ if (img->samplesperpixel >=4 && buildMap(img)) { - if (img->bitspersample == 8) { - if (!img->Map) - img->put.contig = putRGBcontig8bitCMYKtile; -@@ -2636,7 +2645,7 @@ - } - break; - case PHOTOMETRIC_CIELAB: -- if (buildMap(img)) { -+ if (img->samplesperpixel == 3 && buildMap(img)) { - if (img->bitspersample == 8) - img->put.contig = initCIELabConversion(img); - break; diff --git a/gnu/packages/patches/libtiff-CVE-2016-3623.patch b/gnu/packages/patches/libtiff-CVE-2016-3623.patch deleted file mode 100644 index 08705861e3..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-3623.patch +++ /dev/null @@ -1,30 +0,0 @@ -Fix CVE-2016-3623. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623 -http://bugzilla.maptools.org/show_bug.cgi?id=2569 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.16 -r1.17 tools/rgb2ycbcr.c - -Index: tools/rgb2ycbcr.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/rgb2ycbcr.c,v -retrieving revision 1.16 -retrieving revision 1.17 -diff -u -r1.16 -r1.17 ---- libtiff/tools/rgb2ycbcr.c 21 Jun 2015 01:09:10 -0000 1.16 -+++ libtiff/tools/rgb2ycbcr.c 15 Aug 2016 21:26:56 -0000 1.17 -@@ -95,9 +95,13 @@ - break; - case 'h': - horizSubSampling = atoi(optarg); -+ if( horizSubSampling != 1 && horizSubSampling != 2 && horizSubSampling != 4 ) -+ usage(-1); - break; - case 'v': - vertSubSampling = atoi(optarg); -+ if( vertSubSampling != 1 && vertSubSampling != 2 && vertSubSampling != 4 ) -+ usage(-1); - break; - case 'r': - rowsperstrip = atoi(optarg); diff --git a/gnu/packages/patches/libtiff-CVE-2016-3945.patch b/gnu/packages/patches/libtiff-CVE-2016-3945.patch deleted file mode 100644 index 8ec62bab99..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-3945.patch +++ /dev/null @@ -1,94 +0,0 @@ -Fix CVE-2016-3945 (integer overflow in size of allocated -buffer, when -b mode is enabled, that could result in out-of-bounds -write). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945 -http://bugzilla.maptools.org/show_bug.cgi?id=2545 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.21 -r1.22 tools/tiff2rgba.c - -Index: tools/tiff2rgba.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiff2rgba.c,v -retrieving revision 1.21 -retrieving revision 1.22 -diff -u -r1.21 -r1.22 ---- libtiff/tools/tiff2rgba.c 21 Jun 2015 01:09:10 -0000 1.21 -+++ libtiff/tools/tiff2rgba.c 15 Aug 2016 20:06:41 -0000 1.22 -@@ -147,6 +147,7 @@ - uint32 row, col; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -163,7 +164,13 @@ - /* - * Allocate tile buffer - */ -- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); -+ rastersize = tile_width * tile_height * sizeof (uint32); -+ if (tile_width != (rastersize / tile_height) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -173,7 +180,13 @@ - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); -+ wrk_linesize = tile_width * sizeof (uint32); -+ if (tile_width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; -@@ -249,6 +262,7 @@ - uint32 row; - uint32 *wrk_line; - int ok = 1; -+ uint32 rastersize, wrk_linesize; - - TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); - TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); -@@ -263,7 +277,13 @@ - /* - * Allocate strip buffer - */ -- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); -+ rastersize = width * rowsperstrip * sizeof (uint32); -+ if (width != (rastersize / rowsperstrip) / sizeof( uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating raster buffer"); -+ exit(-1); -+ } -+ raster = (uint32*)_TIFFmalloc(rastersize); - if (raster == 0) { - TIFFError(TIFFFileName(in), "No space for raster buffer"); - return (0); -@@ -273,7 +293,13 @@ - * Allocate a scanline buffer for swapping during the vertical - * mirroring pass. - */ -- wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); -+ wrk_linesize = width * sizeof (uint32); -+ if (width != wrk_linesize / sizeof (uint32)) -+ { -+ TIFFError(TIFFFileName(in), "Integer overflow when calculating wrk_line buffer"); -+ exit(-1); -+ } -+ wrk_line = (uint32*)_TIFFmalloc(wrk_linesize); - if (!wrk_line) { - TIFFError(TIFFFileName(in), "No space for raster scanline buffer"); - ok = 0; diff --git a/gnu/packages/patches/libtiff-CVE-2016-3990.patch b/gnu/packages/patches/libtiff-CVE-2016-3990.patch deleted file mode 100644 index 7641c3073b..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-3990.patch +++ /dev/null @@ -1,31 +0,0 @@ -Fix CVE-2016-3990 (write buffer overflow in PixarLogEncode if more input -samples are provided than expected by PixarLogSetupEncode). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990 -http://bugzilla.maptools.org/show_bug.cgi?id=2544 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.45 -r1.46 libtiff/tif_pixarlog.c - -Index: libtiff/tif_pixarlog.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v -retrieving revision 1.45 -retrieving revision 1.46 -diff -u -r1.45 -r1.46 ---- libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:37:33 -0000 1.45 -+++ libtiff/libtiff/tif_pixarlog.c 15 Aug 2016 20:49:48 -0000 1.46 -@@ -1141,6 +1141,13 @@ - } - - llen = sp->stride * td->td_imagewidth; -+ /* Check against the number of elements (of size uint16) of sp->tbuf */ -+ if( n > td->td_rowsperstrip * llen ) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Too many input bytes provided"); -+ return 0; -+ } - - for (i = 0, up = sp->tbuf; i < n; i += llen, up += llen) { - switch (sp->user_datafmt) { diff --git a/gnu/packages/patches/libtiff-CVE-2016-3991.patch b/gnu/packages/patches/libtiff-CVE-2016-3991.patch deleted file mode 100644 index cb05f0007f..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-3991.patch +++ /dev/null @@ -1,123 +0,0 @@ -Fix CVE-2016-3991 (out-of-bounds write in loadImage()). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991 -http://bugzilla.maptools.org/show_bug.cgi?id=2543 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.37 -r1.38 tools/tiffcrop.c - -Index: tools/tiffcrop.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v -retrieving revision 1.37 -retrieving revision 1.38 -diff -u -r1.37 -r1.38 ---- libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37 -+++ libtiff/tools/tiffcrop.c 15 Aug 2016 21:05:40 -0000 1.38 -@@ -798,6 +798,11 @@ - } - - tile_buffsize = tilesize; -+ if (tilesize == 0 || tile_rowsize == 0) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Tile size or tile rowsize is zero"); -+ exit(-1); -+ } - - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -807,7 +812,12 @@ - tilesize, tl * tile_rowsize); - #endif - tile_buffsize = tl * tile_rowsize; -- } -+ if (tl != (tile_buffsize / tile_rowsize)) -+ { -+ TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); -+ exit(-1); -+ } -+ } - - tilebuf = _TIFFmalloc(tile_buffsize); - if (tilebuf == 0) -@@ -1210,6 +1220,12 @@ - !TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps) ) - return 1; - -+ if (tilesize == 0 || tile_rowsize == 0 || tl == 0 || tw == 0) -+ { -+ TIFFError("writeBufferToContigTiles", "Tile size, tile row size, tile width, or tile length is zero"); -+ exit(-1); -+ } -+ - tile_buffsize = tilesize; - if (tilesize < (tsize_t)(tl * tile_rowsize)) - { -@@ -1219,6 +1235,11 @@ - tilesize, tl * tile_rowsize); - #endif - tile_buffsize = tl * tile_rowsize; -+ if (tl != tile_buffsize / tile_rowsize) -+ { -+ TIFFError("writeBufferToContigTiles", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } - } - - tilebuf = _TIFFmalloc(tile_buffsize); -@@ -5945,12 +5966,27 @@ - TIFFGetField(in, TIFFTAG_TILELENGTH, &tl); - - tile_rowsize = TIFFTileRowSize(in); -+ if (ntiles == 0 || tlsize == 0 || tile_rowsize == 0) -+ { -+ TIFFError("loadImage", "File appears to be tiled, but the number of tiles, tile size, or tile rowsize is zero."); -+ exit(-1); -+ } - buffsize = tlsize * ntiles; -+ if (tlsize != (buffsize / ntiles)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } - -- - if (buffsize < (uint32)(ntiles * tl * tile_rowsize)) - { - buffsize = ntiles * tl * tile_rowsize; -+ if (ntiles != (buffsize / tl / tile_rowsize)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ - #ifdef DEBUG2 - TIFFError("loadImage", - "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu", -@@ -5969,8 +6005,25 @@ - TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); - stsize = TIFFStripSize(in); - nstrips = TIFFNumberOfStrips(in); -+ if (nstrips == 0 || stsize == 0) -+ { -+ TIFFError("loadImage", "File appears to be striped, but the number of stipes or stripe size is zero."); -+ exit(-1); -+ } -+ - buffsize = stsize * nstrips; -- -+ if (stsize != (buffsize / nstrips)) -+ { -+ TIFFError("loadImage", "Integer overflow when calculating buffer size"); -+ exit(-1); -+ } -+ uint32 buffsize_check; -+ buffsize_check = ((length * width * spp * bps) + 7); -+ if (length != ((buffsize_check - 7) / width / spp / bps)) -+ { -+ TIFFError("loadImage", "Integer overflow detected."); -+ exit(-1); -+ } - if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8)) - { - buffsize = ((length * width * spp * bps) + 7) / 8; diff --git a/gnu/packages/patches/libtiff-CVE-2016-5314.patch b/gnu/packages/patches/libtiff-CVE-2016-5314.patch deleted file mode 100644 index e5380f8639..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-5314.patch +++ /dev/null @@ -1,45 +0,0 @@ -Fix CVE-2016-5314. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5314 -bugzilla.maptools.org/show_bug.cgi?id=2554 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.43 -r1.44 libtiff/tif_pixarlog.c - -Index: libtiff/tif_pixarlog.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_pixarlog.c,v -retrieving revision 1.43 -retrieving revision 1.44 -diff -u -r1.43 -r1.44 ---- libtiff/libtiff/tif_pixarlog.c 27 Dec 2015 20:14:11 -0000 1.43 -+++ libtiff/libtiff/tif_pixarlog.c 28 Jun 2016 15:12:19 -0000 1.44 -@@ -459,6 +459,7 @@ - typedef struct { - TIFFPredictorState predict; - z_stream stream; -+ tmsize_t tbuf_size; /* only set/used on reading for now */ - uint16 *tbuf; - uint16 stride; - int state; -@@ -694,6 +695,7 @@ - sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size); - if (sp->tbuf == NULL) - return (0); -+ sp->tbuf_size = tbuf_size; - if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) - sp->user_datafmt = PixarLogGuessDataFmt(td); - if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) { -@@ -783,6 +785,12 @@ - TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size"); - return (0); - } -+ /* Check that we will not fill more than what was allocated */ -+ if (sp->stream.avail_out > sp->tbuf_size) -+ { -+ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size"); -+ return (0); -+ } - do { - int state = inflate(&sp->stream, Z_PARTIAL_FLUSH); - if (state == Z_STREAM_END) { diff --git a/gnu/packages/patches/libtiff-CVE-2016-5321.patch b/gnu/packages/patches/libtiff-CVE-2016-5321.patch deleted file mode 100644 index 2afca18e1d..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-5321.patch +++ /dev/null @@ -1,25 +0,0 @@ -Fix CVE-2016-5321. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321 -http://bugzilla.maptools.org/show_bug.cgi?id=2558 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.35 -r1.36 tools/tiffcrop.c - -Index: tools/tiffcrop.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v -retrieving revision 1.35 -retrieving revision 1.36 -diff -u -r1.35 -r1.36 ---- libtiff/tools/tiffcrop.c 19 Aug 2015 02:31:04 -0000 1.35 -+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36 -@@ -989,7 +989,7 @@ - nrow = (row + tl > imagelength) ? imagelength - row : tl; - for (col = 0; col < imagewidth; col += tw) - { -- for (s = 0; s < spp; s++) -+ for (s = 0; s < spp && s < MAX_SAMPLES; s++) - { /* Read each plane of a tile set into srcbuffs[s] */ - tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s); - if (tbytes < 0 && !ignore) diff --git a/gnu/packages/patches/libtiff-CVE-2016-5323.patch b/gnu/packages/patches/libtiff-CVE-2016-5323.patch deleted file mode 100644 index 8b2a043d29..0000000000 --- a/gnu/packages/patches/libtiff-CVE-2016-5323.patch +++ /dev/null @@ -1,88 +0,0 @@ -Fix CVE-2016-5323. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323 -http://bugzilla.maptools.org/show_bug.cgi?id=2559 - -Patch extracted from upstream CVS repo with: -$ cvs diff -u -r1.36 -r1.37 tools/tiffcrop.c - -Index: tools/tiffcrop.c -=================================================================== -RCS file: /cvs/maptools/cvsroot/libtiff/tools/tiffcrop.c,v -retrieving revision 1.36 -retrieving revision 1.37 -diff -u -r1.36 -r1.37 ---- libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36 -+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37 -@@ -3738,7 +3738,7 @@ - - matchbits = maskbits << (8 - src_bit - bps); - /* load up next sample from each plane */ -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - buff1 = ((*src) & matchbits) << (src_bit); -@@ -3837,7 +3837,7 @@ - src_bit = bit_offset % 8; - - matchbits = maskbits << (16 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -3947,7 +3947,7 @@ - src_bit = bit_offset % 8; - - matchbits = maskbits << (32 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4073,7 +4073,7 @@ - src_bit = bit_offset % 8; - - matchbits = maskbits << (64 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4263,7 +4263,7 @@ - - matchbits = maskbits << (8 - src_bit - bps); - /* load up next sample from each plane */ -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - buff1 = ((*src) & matchbits) << (src_bit); -@@ -4362,7 +4362,7 @@ - src_bit = bit_offset % 8; - - matchbits = maskbits << (16 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4471,7 +4471,7 @@ - src_bit = bit_offset % 8; - - matchbits = maskbits << (32 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) -@@ -4597,7 +4597,7 @@ - src_bit = bit_offset % 8; - - matchbits = maskbits << (64 - src_bit - bps); -- for (s = 0; s < spp; s++) -+ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) - { - src = in[s] + src_offset + src_byte; - if (little_endian) diff --git a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch b/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch deleted file mode 100644 index 3fea745056..0000000000 --- a/gnu/packages/patches/libtiff-oob-accesses-in-decode.patch +++ /dev/null @@ -1,171 +0,0 @@ -2015-12-27 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_luv.c: fix potential out-of-bound writes in decode - functions in non debug builds by replacing assert()s by regular if - checks (bugzilla #2522). - Fix potential out-of-bound reads in case of short input data. - -diff -u -r1.40 -r1.41 ---- libtiff/libtiff/tif_luv.c 21 Jun 2015 01:09:09 -0000 1.40 -+++ libtiff/libtiff/tif_luv.c 27 Dec 2015 16:25:11 -0000 1.41 -@@ -1,4 +1,4 @@ --/* $Id: tif_luv.c,v 1.40 2015-06-21 01:09:09 bfriesen Exp $ */ -+/* $Id: tif_luv.c,v 1.41 2015-12-27 16:25:11 erouault Exp $ */ - - /* - * Copyright (c) 1997 Greg Ward Larson -@@ -202,7 +202,11 @@ - if (sp->user_datafmt == SGILOGDATAFMT_16BIT) - tp = (int16*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (int16*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -211,9 +215,11 @@ - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 2*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -- rc = *bp++ + (2-128); /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ if( cc < 2 ) -+ break; -+ rc = *bp++ + (2-128); - b = (int16)(*bp++ << shft); - cc -= 2; - while (rc-- && i < npixels) -@@ -223,6 +229,7 @@ - while (--cc && rc-- && i < npixels) - tp[i++] |= (int16)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -268,13 +275,17 @@ - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32 *)op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32 *) sp->tbuf; - } - /* copy to array of uint32 */ - bp = (unsigned char*) tif->tif_rawcp; - cc = tif->tif_rawcc; -- for (i = 0; i < npixels && cc > 0; i++) { -+ for (i = 0; i < npixels && cc >= 3; i++) { - tp[i] = bp[0] << 16 | bp[1] << 8 | bp[2]; - bp += 3; - cc -= 3; -@@ -325,7 +336,11 @@ - if (sp->user_datafmt == SGILOGDATAFMT_RAW) - tp = (uint32*) op; - else { -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - tp = (uint32*) sp->tbuf; - } - _TIFFmemset((void*) tp, 0, npixels*sizeof (tp[0])); -@@ -334,11 +349,13 @@ - cc = tif->tif_rawcc; - /* get each byte string */ - for (shft = 4*8; (shft -= 8) >= 0; ) { -- for (i = 0; i < npixels && cc > 0; ) -+ for (i = 0; i < npixels && cc > 0; ) { - if (*bp >= 128) { /* run */ -+ if( cc < 2 ) -+ break; - rc = *bp++ + (2-128); - b = (uint32)*bp++ << shft; -- cc -= 2; /* TODO: potential input buffer overrun when decoding corrupt or truncated data */ -+ cc -= 2; - while (rc-- && i < npixels) - tp[i++] |= b; - } else { /* non-run */ -@@ -346,6 +363,7 @@ - while (--cc && rc-- && i < npixels) - tp[i++] |= (uint32)*bp++ << shft; - } -+ } - if (i != npixels) { - #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) - TIFFErrorExt(tif->tif_clientdata, module, -@@ -413,6 +431,7 @@ - static int - LogL16Encode(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogL16Encode"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -433,7 +452,11 @@ - tp = (int16*) bp; - else { - tp = (int16*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ -@@ -506,6 +529,7 @@ - static int - LogLuvEncode24(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode24"; - LogLuvState* sp = EncoderState(tif); - tmsize_t i; - tmsize_t npixels; -@@ -521,7 +545,11 @@ - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* write out encoded pixels */ -@@ -553,6 +581,7 @@ - static int - LogLuvEncode32(TIFF* tif, uint8* bp, tmsize_t cc, uint16 s) - { -+ static const char module[] = "LogLuvEncode32"; - LogLuvState* sp = EncoderState(tif); - int shft; - tmsize_t i; -@@ -574,7 +603,11 @@ - tp = (uint32*) bp; - else { - tp = (uint32*) sp->tbuf; -- assert(sp->tbuflen >= npixels); -+ if(sp->tbuflen < npixels) { -+ TIFFErrorExt(tif->tif_clientdata, module, -+ "Translation buffer too short"); -+ return (0); -+ } - (*sp->tfunc)(sp, bp, npixels); - } - /* compress each byte string */ diff --git a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch b/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch deleted file mode 100644 index 50657b667c..0000000000 --- a/gnu/packages/patches/libtiff-oob-write-in-nextdecode.patch +++ /dev/null @@ -1,49 +0,0 @@ -2015-12-27 Even Rouault <even.rouault at spatialys.com> - - * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode() - triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif - (bugzilla #2508) - -diff -u -r1.16 -r1.18 ---- libtiff/libtiff/tif_next.c 29 Dec 2014 12:09:11 -0000 1.16 -+++ libtiff/libtiff/tif_next.c 27 Dec 2015 17:14:52 -0000 1.18 -@@ -1,4 +1,4 @@ --/* $Id: tif_next.c,v 1.16 2014-12-29 12:09:11 erouault Exp $ */ -+/* $Id: tif_next.c,v 1.18 2015-12-27 17:14:52 erouault Exp $ */ - - /* - * Copyright (c) 1988-1997 Sam Leffler -@@ -37,7 +37,7 @@ - case 0: op[0] = (unsigned char) ((v) << 6); break; \ - case 1: op[0] |= (v) << 4; break; \ - case 2: op[0] |= (v) << 2; break; \ -- case 3: *op++ |= (v); break; \ -+ case 3: *op++ |= (v); op_offset++; break; \ - } \ - } - -@@ -103,6 +103,7 @@ - } - default: { - uint32 npixels = 0, grey; -+ tmsize_t op_offset = 0; - uint32 imagewidth = tif->tif_dir.td_imagewidth; - if( isTiled(tif) ) - imagewidth = tif->tif_dir.td_tilewidth; -@@ -122,10 +123,15 @@ - * bounds, potentially resulting in a security - * issue. - */ -- while (n-- > 0 && npixels < imagewidth) -+ while (n-- > 0 && npixels < imagewidth && op_offset < scanline) - SETPIXEL(op, grey); - if (npixels >= imagewidth) - break; -+ if (op_offset >= scanline ) { -+ TIFFErrorExt(tif->tif_clientdata, module, "Invalid data for scanline %ld", -+ (long) tif->tif_row); -+ return (0); -+ } - if (cc == 0) - goto bad; - n = *bp++, cc--; diff --git a/gnu/packages/patches/mupdf-CVE-2016-6265.patch b/gnu/packages/patches/mupdf-CVE-2016-6265.patch deleted file mode 100644 index 58f5c3726c..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-6265.patch +++ /dev/null @@ -1,30 +0,0 @@ -Fix CVE-2016-6265 (use after free in pdf_load_xref()). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265 -https://security-tracker.debian.org/tracker/CVE-2016-6265 - -Patch copied from upstream source repository: - -http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958 - -diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c -index 576c315..3222599 100644 ---- a/source/pdf/pdf-xref.c -+++ b/source/pdf/pdf-xref.c -@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) - fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i); - } - if (entry->type == 'o') -- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n') -- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i); -+ { -+ /* Read this into a local variable here, because pdf_get_xref_entry -+ * may solidify the xref, hence invalidating "entry", meaning we -+ * need a stashed value for the throw. */ -+ fz_off_t ofs = entry->ofs; -+ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n') -+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i); -+ } - } - } - diff --git a/gnu/packages/patches/mupdf-CVE-2016-6525.patch b/gnu/packages/patches/mupdf-CVE-2016-6525.patch deleted file mode 100644 index 370af5ade6..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-6525.patch +++ /dev/null @@ -1,21 +0,0 @@ -Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525 -https://security-tracker.debian.org/tracker/CVE-2016-6525 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e - -diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c -index 7815b3c..6e25efa 100644 ---- a/source/pdf/pdf-shade.c -+++ b/source/pdf/pdf-shade.c -@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob - obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode); - if (pdf_array_len(ctx, obj) >= 6) - { -- n = (pdf_array_len(ctx, obj) - 4) / 2; -+ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2); - shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0)); - shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1)); - shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2)); diff --git a/gnu/packages/patches/mupdf-CVE-2016-7504.patch b/gnu/packages/patches/mupdf-CVE-2016-7504.patch deleted file mode 100644 index 4bbb4411c0..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-7504.patch +++ /dev/null @@ -1,99 +0,0 @@ -Fix CVE-2016-7504: -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7504 -http://bugs.ghostscript.com/show_bug.cgi?id=697142 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5c337af4b3df80cf967e4f9f6a21522de84b392a - -From 5c337af4b3df80cf967e4f9f6a21522de84b392a Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor.andersson@artifex.com> -Date: Wed, 21 Sep 2016 16:01:08 +0200 -Subject: [PATCH] Fix bug 697142: Stale string pointer stored in regexp object. - -Make sure to make a copy of the source pattern string. -A case we missed when adding short and memory strings to the runtime. -The code assumed all strings passed to it were either literal or interned. ---- - jsgc.c | 4 +++- - jsi.h | 1 + - jsregexp.c | 2 +- - jsrun.c | 8 ++++++++ - jsvalue.h | 2 +- - 5 files changed, 14 insertions(+), 3 deletions(-) - -diff --git a/jsgc.c b/jsgc.c -index 9bd6482..4f7e7dc 100644 ---- a/thirdparty/mujs/jsgc.c -+++ b/thirdparty/mujs/jsgc.c -@@ -44,8 +44,10 @@ static void jsG_freeobject(js_State *J, js_Object *obj) - { - if (obj->head) - jsG_freeproperty(J, obj->head); -- if (obj->type == JS_CREGEXP) -+ if (obj->type == JS_CREGEXP) { -+ js_free(J, obj->u.r.source); - js_regfree(obj->u.r.prog); -+ } - if (obj->type == JS_CITERATOR) - jsG_freeiterator(J, obj->u.iter.head); - if (obj->type == JS_CUSERDATA && obj->u.user.finalize) -diff --git a/jsi.h b/jsi.h -index 7d9f7c7..e855045 100644 ---- a/thirdparty/mujs/jsi.h -+++ b/thirdparty/mujs/jsi.h -@@ -79,6 +79,7 @@ typedef unsigned short js_Instruction; - - /* String interning */ - -+char *js_strdup(js_State *J, const char *s); - const char *js_intern(js_State *J, const char *s); - void jsS_dumpstrings(js_State *J); - void jsS_freestrings(js_State *J); -diff --git a/jsregexp.c b/jsregexp.c -index 2a056b7..a2d5156 100644 ---- a/thirdparty/mujs/jsregexp.c -+++ b/thirdparty/mujs/jsregexp.c -@@ -21,7 +21,7 @@ void js_newregexp(js_State *J, const char *pattern, int flags) - js_syntaxerror(J, "regular expression: %s", error); - - obj->u.r.prog = prog; -- obj->u.r.source = pattern; -+ obj->u.r.source = js_strdup(J, pattern); - obj->u.r.flags = flags; - obj->u.r.last = 0; - js_pushobject(J, obj); -diff --git a/jsrun.c b/jsrun.c -index 2648c4c..ee80845 100644 ---- a/thirdparty/mujs/jsrun.c -+++ b/thirdparty/mujs/jsrun.c -@@ -45,6 +45,14 @@ void *js_realloc(js_State *J, void *ptr, int size) - return ptr; - } - -+char *js_strdup(js_State *J, const char *s) -+{ -+ int n = strlen(s) + 1; -+ char *p = js_malloc(J, n); -+ memcpy(p, s, n); -+ return p; -+} -+ - void js_free(js_State *J, void *ptr) - { - J->alloc(J->actx, ptr, 0); -diff --git a/jsvalue.h b/jsvalue.h -index 6cfbd89..8fb5016 100644 ---- a/thirdparty/mujs/jsvalue.h -+++ b/thirdparty/mujs/jsvalue.h -@@ -71,7 +71,7 @@ struct js_String - struct js_Regexp - { - void *prog; -- const char *source; -+ char *source; - unsigned short flags; - unsigned short last; - }; --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-7505.patch b/gnu/packages/patches/mupdf-CVE-2016-7505.patch deleted file mode 100644 index 15e4f374d6..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-7505.patch +++ /dev/null @@ -1,32 +0,0 @@ -Fix CVE-2016-7505: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7505 -http://bugs.ghostscript.com/show_bug.cgi?id=697140 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=8c805b4eb19cf2af689c860b77e6111d2ee439d5 - -From 8c805b4eb19cf2af689c860b77e6111d2ee439d5 Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor.andersson@artifex.com> -Date: Wed, 21 Sep 2016 15:21:04 +0200 -Subject: [PATCH] Fix bug 697140: Overflow check in ascii division in strtod. - ---- - jsdtoa.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/jsdtoa.c b/jsdtoa.c -index 2e52368..920c1a7 100644 ---- a/thirdparty/mujs/jsdtoa.c -+++ b/thirdparty/mujs/jsdtoa.c -@@ -735,6 +735,7 @@ xx: - n -= c<<b; - *p++ = c + '0'; - (*na)++; -+ if (*na >= Ndig) break; /* abort if overflowing */ - } - *p = 0; - } --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-7506.patch b/gnu/packages/patches/mupdf-CVE-2016-7506.patch deleted file mode 100644 index 733249acaa..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-7506.patch +++ /dev/null @@ -1,42 +0,0 @@ -Fix CVE-2016-7506: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7506 -http://bugs.ghostscript.com/show_bug.cgi?id=697141 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=5000749f5afe3b956fc916e407309de840997f4a - -From 5000749f5afe3b956fc916e407309de840997f4a Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor.andersson@artifex.com> -Date: Wed, 21 Sep 2016 16:02:11 +0200 -Subject: [PATCH] Fix bug 697141: buffer overrun in regexp string substitution. - -A '$' escape at the end of the string would read past the zero terminator -when looking for the escaped character. ---- - jsstring.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/jsstring.c b/jsstring.c -index 66f6a89..0209a8e 100644 ---- a/thirdparty/mujs/jsstring.c -+++ b/thirdparty/mujs/jsstring.c -@@ -421,6 +421,7 @@ loop: - while (*r) { - if (*r == '$') { - switch (*(++r)) { -+ case 0: --r; /* end of string; back up and fall through */ - case '$': js_putc(J, &sb, '$'); break; - case '`': js_putm(J, &sb, source, s); break; - case '\'': js_puts(J, &sb, s + n); break; -@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J) - while (*r) { - if (*r == '$') { - switch (*(++r)) { -+ case 0: --r; /* end of string; back up and fall through */ - case '$': js_putc(J, &sb, '$'); break; - case '&': js_putm(J, &sb, s, s + n); break; - case '`': js_putm(J, &sb, source, s); break; --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-7563.patch b/gnu/packages/patches/mupdf-CVE-2016-7563.patch deleted file mode 100644 index 288c9ab2df..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-7563.patch +++ /dev/null @@ -1,37 +0,0 @@ -Fix CVE-2016-7563: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7563 -http://bugs.ghostscript.com/show_bug.cgi?id=697136 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=f8234d830e17fc5e8fe09eb76d86dad3f6233c59 - -From f8234d830e17fc5e8fe09eb76d86dad3f6233c59 Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor.andersson@artifex.com> -Date: Tue, 20 Sep 2016 17:11:32 +0200 -Subject: [PATCH] Fix bug 697136. - -We were unconditionally reading the next character if we encountered -a '*' in a multi-line comment; possibly reading past the end of -the input. ---- - jslex.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/jslex.c b/jslex.c -index 7b80800..cbd0eeb 100644 ---- a/thirdparty/mujs/jslex.c -+++ b/thirdparty/mujs/jslex.c -@@ -225,7 +225,8 @@ static int lexcomment(js_State *J) - if (jsY_accept(J, '/')) - return 0; - } -- jsY_next(J); -+ else -+ jsY_next(J); - } - return -1; - } --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-7564.patch b/gnu/packages/patches/mupdf-CVE-2016-7564.patch deleted file mode 100644 index c2ce33d1df..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-7564.patch +++ /dev/null @@ -1,34 +0,0 @@ -Fix CVE-2016-7564: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7564 -http://bugs.ghostscript.com/show_bug.cgi?id=697137 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a3a4fe840b80706c706e86160352af5936f292d8 - -From a3a4fe840b80706c706e86160352af5936f292d8 Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor.andersson@artifex.com> -Date: Tue, 20 Sep 2016 17:19:06 +0200 -Subject: [PATCH] Fix bug 697137: off by one in string length calculation. - -We were not allocating space for the terminating zero byte. ---- - jsfunction.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/jsfunction.c b/jsfunction.c -index 8b5b18e..28f7aa7 100644 ---- a/thirdparty/mujs/jsfunction.c -+++ b/thirdparty/mujs/jsfunction.c -@@ -61,7 +61,7 @@ static void Fp_toString(js_State *J) - n += strlen(F->name); - for (i = 0; i < F->numparams; ++i) - n += strlen(F->vartab[i]) + 1; -- s = js_malloc(J, n); -+ s = js_malloc(J, n + 1); - strcpy(s, "function "); - strcat(s, F->name); - strcat(s, "("); --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-8674.patch b/gnu/packages/patches/mupdf-CVE-2016-8674.patch deleted file mode 100644 index 2a35619761..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-8674.patch +++ /dev/null @@ -1,165 +0,0 @@ -Fix CVE-2016-8674 (use-after-free in pdf_to_num()). - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8674 -https://security-tracker.debian.org/tracker/CVE-2016-8674 - -Patch adapted from upstream source repository: -http://git.ghostscript.com/?p=mupdf.git;h=1e03c06456d997435019fb3526fa2d4be7dbc6ec - -diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h -index f8ef0cd..e8345b7 100644 ---- a/include/mupdf/pdf/document.h -+++ b/include/mupdf/pdf/document.h -@@ -258,6 +258,10 @@ struct pdf_document_s - fz_font **type3_fonts; - - pdf_resource_tables *resources; -+ -+ int orphans_max; -+ int orphans_count; -+ pdf_obj **orphans; - }; - - /* -diff --git a/include/mupdf/pdf/object.h b/include/mupdf/pdf/object.h -index 346a2f1..02d4119 100644 ---- a/include/mupdf/pdf/object.h -+++ b/include/mupdf/pdf/object.h -@@ -109,6 +109,7 @@ pdf_obj *pdf_dict_gets(fz_context *ctx, pdf_obj *dict, const char *key); - pdf_obj *pdf_dict_getsa(fz_context *ctx, pdf_obj *dict, const char *key, const char *abbrev); - void pdf_dict_put(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val); - void pdf_dict_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val); -+void pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *dict, pdf_obj *key, pdf_obj *val, pdf_obj **old_val); - void pdf_dict_puts(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val); - void pdf_dict_puts_drop(fz_context *ctx, pdf_obj *dict, const char *key, pdf_obj *val); - void pdf_dict_putp(fz_context *ctx, pdf_obj *dict, const char *path, pdf_obj *val); -diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c -index f2e4551..a0d0d8e 100644 ---- a/source/pdf/pdf-object.c -+++ b/source/pdf/pdf-object.c -@@ -1240,9 +1240,13 @@ pdf_dict_geta(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *abbrev) - return pdf_dict_get(ctx, obj, abbrev); - } - --void --pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) -+static void -+pdf_dict_get_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val) - { -+ -+ if (old_val) -+ *old_val = NULL; -+ - RESOLVE(obj); - if (obj >= PDF_OBJ__LIMIT) - { -@@ -1282,7 +1286,10 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) - { - pdf_obj *d = DICT(obj)->items[i].v; - DICT(obj)->items[i].v = pdf_keep_obj(ctx, val); -- pdf_drop_obj(ctx, d); -+ if (old_val) -+ *old_val = d; -+ else -+ pdf_drop_obj(ctx, d); - } - } - else -@@ -1305,10 +1312,27 @@ pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) - } - - void -+pdf_dict_put(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) -+{ -+ pdf_dict_get_put(ctx, obj, key, val, NULL); -+} -+ -+void - pdf_dict_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val) - { - fz_try(ctx) -- pdf_dict_put(ctx, obj, key, val); -+ pdf_dict_get_put(ctx, obj, key, val, NULL); -+ fz_always(ctx) -+ pdf_drop_obj(ctx, val); -+ fz_catch(ctx) -+ fz_rethrow(ctx); -+} -+ -+void -+pdf_dict_get_put_drop(fz_context *ctx, pdf_obj *obj, pdf_obj *key, pdf_obj *val, pdf_obj **old_val) -+{ -+ fz_try(ctx) -+ pdf_dict_get_put(ctx, obj, key, val, old_val); - fz_always(ctx) - pdf_drop_obj(ctx, val); - fz_catch(ctx) -diff --git a/source/pdf/pdf-repair.c b/source/pdf/pdf-repair.c -index fdd4648..212c8b7 100644 ---- a/source/pdf/pdf-repair.c -+++ b/source/pdf/pdf-repair.c -@@ -259,6 +259,27 @@ pdf_repair_obj_stm(fz_context *ctx, pdf_document *doc, int num, int gen) - } - } - -+static void -+orphan_object(fz_context *ctx, pdf_document *doc, pdf_obj *obj) -+{ -+ if (doc->orphans_count == doc->orphans_max) -+ { -+ int new_max = (doc->orphans_max ? doc->orphans_max*2 : 32); -+ -+ fz_try(ctx) -+ { -+ doc->orphans = fz_resize_array(ctx, doc->orphans, new_max, sizeof(*doc->orphans)); -+ doc->orphans_max = new_max; -+ } -+ fz_catch(ctx) -+ { -+ pdf_drop_obj(ctx, obj); -+ fz_rethrow(ctx); -+ } -+ } -+ doc->orphans[doc->orphans_count++] = obj; -+} -+ - void - pdf_repair_xref(fz_context *ctx, pdf_document *doc) - { -@@ -520,12 +541,13 @@ pdf_repair_xref(fz_context *ctx, pdf_document *doc) - /* correct stream length for unencrypted documents */ - if (!encrypt && list[i].stm_len >= 0) - { -+ pdf_obj *old_obj = NULL; - dict = pdf_load_object(ctx, doc, list[i].num, list[i].gen); - - length = pdf_new_int(ctx, doc, list[i].stm_len); -- pdf_dict_put(ctx, dict, PDF_NAME_Length, length); -- pdf_drop_obj(ctx, length); -- -+ pdf_dict_get_put_drop(ctx, dict, PDF_NAME_Length, length, &old_obj); -+ if (old_obj) -+ orphan_object(ctx, doc, old_obj); - pdf_drop_obj(ctx, dict); - } - } -diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c -index 3de1cd2..6682741 100644 ---- a/source/pdf/pdf-xref.c -+++ b/source/pdf/pdf-xref.c -@@ -1626,6 +1626,12 @@ pdf_close_document(fz_context *ctx, pdf_document *doc) - - pdf_drop_resource_tables(ctx, doc); - -+ for (i = 0; i < doc->orphans_count; i++) -+ { -+ pdf_drop_obj(ctx, doc->orphans[i]); -+ } -+ fz_free(ctx, doc->orphans); -+ - fz_free(ctx, doc); - } - --- -2.10.1 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-9017.patch b/gnu/packages/patches/mupdf-CVE-2016-9017.patch deleted file mode 100644 index 1e2b7c3258..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-9017.patch +++ /dev/null @@ -1,46 +0,0 @@ -Fix CVE-2016-9017: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9107 -http://bugs.ghostscript.com/show_bug.cgi?id=697171 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 - -From a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor.andersson@artifex.com> -Date: Tue, 25 Oct 2016 14:08:27 +0200 -Subject: [PATCH] Fix 697171: missed an operand in the bytecode debugger dump. - ---- - jscompile.h | 2 +- - jsdump.c | 1 + - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/jscompile.h b/jscompile.h -index 802cc9e..3054d13 100644 ---- a/thirdparty/mujs/jscompile.h -+++ b/thirdparty/mujs/jscompile.h -@@ -21,7 +21,7 @@ enum js_OpCode - - OP_NEWARRAY, - OP_NEWOBJECT, -- OP_NEWREGEXP, -+ OP_NEWREGEXP, /* -S,opts- <regexp> */ - - OP_UNDEF, - OP_NULL, -diff --git a/jsdump.c b/jsdump.c -index 1c51c29..37ad88c 100644 ---- a/thirdparty/mujs/jsdump.c -+++ b/thirdparty/mujs/jsdump.c -@@ -750,6 +750,7 @@ void jsC_dumpfunction(js_State *J, js_Function *F) - case OP_INITVAR: - case OP_DEFVAR: - case OP_GETVAR: -+ case OP_HASVAR: - case OP_SETVAR: - case OP_DELVAR: - case OP_GETPROP_S: --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-9136.patch b/gnu/packages/patches/mupdf-CVE-2016-9136.patch deleted file mode 100644 index 1f68839a52..0000000000 --- a/gnu/packages/patches/mupdf-CVE-2016-9136.patch +++ /dev/null @@ -1,32 +0,0 @@ -Fix CVE-2016-9136: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9136 -http://bugs.ghostscript.com/show_bug.cgi?id=697244 - -Patch copied from upstream source repository: -http://git.ghostscript.com/?p=mujs.git;a=commitdiff;h=a0ceaf5050faf419401fe1b83acfa950ec8a8a89 -From a0ceaf5050faf419401fe1b83acfa950ec8a8a89 Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor.andersson@artifex.com> -Date: Mon, 31 Oct 2016 13:05:37 +0100 -Subject: [PATCH] Fix 697244: Check for incomplete escape sequence at end of - input. - ---- - jslex.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/jslex.c b/jslex.c -index cbd0eeb..aaafdac 100644 ---- a/thirdparty/mujs/jslex.c -+++ b/thirdparty/mujs/jslex.c -@@ -377,6 +377,7 @@ static int lexescape(js_State *J) - return 0; - - switch (J->lexchar) { -+ case 0: jsY_error(J, "unterminated escape sequence"); - case 'u': - jsY_next(J); - if (!jsY_ishex(J->lexchar)) return 1; else { x |= jsY_tohex(J->lexchar) << 12; jsY_next(J); } --- -2.10.2 - diff --git a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch b/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch index cd8136b701..d97c1cb348 100644 --- a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch +++ b/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch @@ -27,12 +27,3 @@ index 6b92e5c..72dea50 100644 #include <openjpeg.h> static void fz_opj_error_callback(const char *msg, void *client_data) -@@ -117,7 +109,7 @@ fz_load_jpx(fz_context *ctx, unsigned char *data, int size, fz_colorspace *defcs - opj_stream_set_read_function(stream, fz_opj_stream_read); - opj_stream_set_skip_function(stream, fz_opj_stream_skip); - opj_stream_set_seek_function(stream, fz_opj_stream_seek); -- opj_stream_set_user_data(stream, &sb); -+ opj_stream_set_user_data(stream, &sb, NULL); - /* Set the length to avoid an assert */ - opj_stream_set_user_data_length(stream, size); - diff --git a/gnu/packages/patches/ruby-symlinkfix.patch b/gnu/packages/patches/ruby-symlinkfix.patch deleted file mode 100644 index 16beecc97a..0000000000 --- a/gnu/packages/patches/ruby-symlinkfix.patch +++ /dev/null @@ -1,53 +0,0 @@ -Fix symlinks to '..' to fix rubygems improperly expanding symlinked -paths. Without this fix, some gems fail to install. This patch is applied in -rubygems 2.5.2, but ruby version 2.3.1 bundles an older version of rubygems -(2.5.1). - ---- a/lib/rubygems/package.rb -+++ b/lib/rubygems/package.rb -@@ -383,7 +383,7 @@ def extract_tar_gz io, destination_dir, pattern = "*" # :nodoc: - FileUtils.chmod entry.header.mode, destination - end if entry.file? - -- File.symlink(install_location(entry.header.linkname, destination_dir), destination) if entry.symlink? -+ File.symlink(entry.header.linkname, destination) if entry.symlink? - - verbose destination - end -diff --git a/test/rubygems/test_gem_package.rb b/test/rubygems/test_gem_package.rb -index 7848bc2..f287bd3 100644 ---- a/test/rubygems/test_gem_package.rb -+++ b/test/rubygems/test_gem_package.rb -@@ -428,19 +428,25 @@ def test_extract_tar_gz_absolute - "#{@destination} is not allowed", e.message) - end - -- def test_extract_tar_gz_symlink_absolute -+ def test_extract_tar_gz_symlink_relative_path -+ skip 'symlink not supported' if Gem.win_platform? -+ - package = Gem::Package.new @gem - - tgz_io = util_tar_gz do |tar| -- tar.add_symlink 'code.rb', '/absolute.rb', 0644 -+ tar.add_file 'relative.rb', 0644 do |io| io.write 'hi' end -+ tar.mkdir 'lib', 0755 -+ tar.add_symlink 'lib/foo.rb', '../relative.rb', 0644 - end - -- e = assert_raises Gem::Package::PathError do -- package.extract_tar_gz tgz_io, @destination -- end -+ package.extract_tar_gz tgz_io, @destination - -- assert_equal("installing into parent path /absolute.rb of " + -- "#{@destination} is not allowed", e.message) -+ extracted = File.join @destination, 'lib/foo.rb' -+ assert_path_exists extracted -+ assert_equal '../relative.rb', -+ File.readlink(extracted) -+ assert_equal 'hi', -+ File.read(extracted) - end - - def test_extract_tar_gz_directory diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index b95fe5e0cf..3f329c5426 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -95,17 +95,6 @@ ;; To build poppler-glib (as needed by Evince), we need Cairo and ;; GLib. But of course, that Cairo must not depend on Poppler. ("cairo" ,(package (inherit cairo) - (replacement - (package - (inherit cairo) - (replacement #f) - (source - (origin - (inherit (package-source cairo)) - (patches (search-patches - "cairo-CVE-2016-9082.patch")))) - (inputs (alist-delete "poppler" - (package-inputs cairo))))) (inputs (alist-delete "poppler" (package-inputs cairo))))) ("glib" ,glib))) @@ -490,7 +479,7 @@ extracting content or merging files.") (define-public mupdf (package (name "mupdf") - (version "1.9a") + (version "1.10a") (source (origin (method url-fetch) @@ -498,18 +487,8 @@ extracting content or merging files.") name "-" version "-source.tar.gz")) (sha256 (base32 - "1k64pdapyj8a336jw3j61fhn0rp4q6az7d0dqp9r5n3d9rgwa5c0")) - (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch" - "mupdf-CVE-2016-6265.patch" - "mupdf-CVE-2016-6525.patch" - "mupdf-CVE-2016-7504.patch" - "mupdf-CVE-2016-7505.patch" - "mupdf-CVE-2016-7506.patch" - "mupdf-CVE-2016-7563.patch" - "mupdf-CVE-2016-7564.patch" - "mupdf-CVE-2016-8674.patch" - "mupdf-CVE-2016-9017.patch" - "mupdf-CVE-2016-9136.patch")) + "0dm8wcs8i29aibzkqkrn8kcnk4q0kd1v66pg48h5c3qqp4v1zk5a")) + (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch")) (modules '((guix build utils))) (snippet ;; Delete all the bundled libraries except for mujs, which is diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index f7b0903478..c87f8b309f 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2014, 2015 Pjotr Prins <pjotr.guix@thebird.nl> -;;; Copyright © 2014, 2015 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2014, 2015 David Thompson <davet@gnu.org> ;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net> @@ -47,8 +47,7 @@ (define-public ruby (package (name "ruby") - (replacement ruby-2.3.3) - (version "2.3.1") + (version "2.3.3") (source (origin (method url-fetch) @@ -57,9 +56,8 @@ "/ruby-" version ".tar.xz")) (sha256 (base32 - "0f3395q7pd2hrl2gv26bib80038sjawxgmhl9zn22fjs9m9va9b7")) + "1p0rfk0blrbfjcnv0vb0ha4hxflgkfhv9zbzp4vvld2pi31ahkqs")) (modules '((guix build utils))) - (patches (search-patches "ruby-symlinkfix.patch")) (snippet `(begin ;; Remove bundled libffi (delete-file-recursively "ext/fiddle/libffi-3.2.1") @@ -102,25 +100,6 @@ a focus on simplicity and productivity.") (home-page "https://ruby-lang.org") (license license:ruby))) -(define ruby-2.3.3 - (package - (inherit ruby) - (version "2.3.3") - (source - (origin - (method url-fetch) - (uri (string-append "http://cache.ruby-lang.org/pub/ruby/" - (version-major+minor version) - "/ruby-" version ".tar.xz")) - (sha256 - (base32 - "1p0rfk0blrbfjcnv0vb0ha4hxflgkfhv9zbzp4vvld2pi31ahkqs")) - (modules '((guix build utils))) - (snippet `(begin - ;; Remove bundled libffi - (delete-file-recursively "ext/fiddle/libffi-3.2.1") - #t)))))) - (define-public ruby-2.2 (package (inherit ruby) (replacement #f) @@ -1447,8 +1426,8 @@ conversion to (X)HTML.") (add-before 'check 'use-latest-redcarpet (lambda _ (substitute* "mocha.gemspec" - (("<redcarpet>, \\[\"~> 1\"\\]") - "<redcarpet>, [\">= 3\"]")) + (("<redcarpet>.freeze, \\[\"~> 1\"\\]") + "<redcarpet>.freeze, [\">= 3\"]")) #t)) (add-before 'check 'hardcode-version (lambda _ @@ -2225,28 +2204,27 @@ current line in an external editor.") (define-public ruby-sdoc (package (name "ruby-sdoc") - (version "0.4.1") + (version "0.4.2") (source (origin (method url-fetch) (uri (rubygems-uri "sdoc" version)) (sha256 (base32 - "16xyfair1j4irfkd6sxvmdcak957z71lwkvhglrznfpkalfnqyqp")))) + "0qhvy10vnmrqcgh8494m13kd5ag9c3sczzhfasv8j0294ylk679n")))) (build-system ruby-build-system) (arguments `(#:phases (modify-phases %standard-phases - (add-after 'build 'relax-minitest-requirement + (add-before 'check 'set-rubylib (lambda _ - (substitute* "sdoc.gemspec" - (("<minitest>, \\[\"~> 4\\.0\"\\]") - "<minitest>, [\">= 4.0\"]")) + (setenv "RUBYLIB" "lib") #t))))) (propagated-inputs `(("ruby-json" ,ruby-json))) (native-inputs `(("bundler" ,bundler) - ("ruby-minitest" ,ruby-minitest))) + ("ruby-minitest" ,ruby-minitest) + ("ruby-hoe" ,ruby-hoe))) (synopsis "Generate searchable RDoc documentation") (description "SDoc is an RDoc documentation generator to build searchable HTML @@ -3514,7 +3492,7 @@ support to both Ruby and JRuby. It uses @code{unf_ext} on CRuby and "Bundler::GemHelper.gemspec.version")) ;; Loosen unnecessarily strict test-unit version specification. (substitute* "domain_name.gemspec" - (("<test-unit>, \\[\\\"~> 2.5.5") "<test-unit>, [\">0")) + (("<test-unit>.freeze, \\[\\\"~> 2.5.5") "<test-unit>, [\">0")) #t))))) (propagated-inputs `(("ruby-unf" ,ruby-unf))) diff --git a/gnu/packages/swig.scm b/gnu/packages/swig.scm index a615796745..acf0529377 100644 --- a/gnu/packages/swig.scm +++ b/gnu/packages/swig.scm @@ -31,7 +31,7 @@ (define-public swig (package (name "swig") - (version "3.0.5") + (version "3.0.10") (source (origin (method url-fetch) (uri (string-append "mirror://sourceforge/" name "/" name "/" @@ -39,7 +39,7 @@ name "-" version ".tar.gz")) (sha256 (base32 - "0g1a69vrqxgsnr1wkx851ljn73a2x3jqzxa66s2l3w0kyblbjk4z")))) + "0k7ljh07rla6223lhvljgg881b2qr7hmrfgic9a0j1pckpislf99")))) (build-system gnu-build-system) (native-inputs `(("boost" ,boost) ("pcre" ,pcre "bin"))) ;for 'pcre-config' diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm index 3d1108d42e..4633b5159e 100644 --- a/gnu/packages/xdisorg.scm +++ b/gnu/packages/xdisorg.scm @@ -241,7 +241,6 @@ following the mouse.") (package (name "pixman") (version "0.34.0") - (replacement pixman/fixed) (source (origin (method url-fetch) (uri (string-append @@ -249,7 +248,8 @@ following the mouse.") version ".tar.gz")) (sha256 (base32 - "13m842m9ffac3m9r0b4lvwjhwzg3w4353djkjpf00s0wnm4v5di1")))) + "13m842m9ffac3m9r0b4lvwjhwzg3w4353djkjpf00s0wnm4v5di1")) + (patches (search-patches "pixman-CVE-2016-5296.patch")))) (build-system gnu-build-system) (inputs `(("libpng" ,libpng) @@ -263,14 +263,6 @@ manipulation, providing features such as image compositing and trapezoid rasterisation.") (license license:x11))) -(define pixman/fixed - (package - (inherit pixman) - (source (origin - (inherit (package-source pixman)) - (patches (search-patches "pixman-CVE-2016-5296.patch")))))) - - (define-public libdrm (package (name "libdrm") diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm index fc721cafbd..3a72843b13 100644 --- a/gnu/packages/xorg.scm +++ b/gnu/packages/xorg.scm @@ -4923,7 +4923,7 @@ new API's in libXft, or the legacy API's in libX11.") (define-public libxi (package (name "libxi") - (version "1.7.7") + (version "1.7.8") (source (origin (method url-fetch) @@ -4933,7 +4933,7 @@ new API's in libXft, or the legacy API's in libX11.") ".tar.bz2")) (sha256 (base32 - "0c70n4aq0ba628wr88ih4740nci9d9f6y3v96sx376vvlm7q6vwr")))) + "1fr7mi4nbcxsa88qin9g2ipmzh595ydxy9qnabzl270laf6zmwnq")))) (build-system gnu-build-system) (propagated-inputs `(("inputproto" ,inputproto) |