From cd9b331d9fd0fbb3d77ab2e3550f9cb7c3ddfa85 Mon Sep 17 00:00:00 2001
From: maxice8
Date: Sun, 19 Aug 2018 10:07:08 -0300
Subject: [PATCH] libwmf: import debian patches to fix CVEs and gdk-pixbuf loader location
CVEs fixed:
- CVE-2006-3376
- CVE-2009-1364
- CVE-2015-0848
- CVE-2015-4588
- CVE-2015-4695
- CVE-2015-4696
- CVE-2016-9011
---
...yer.c-integer-overflow-cve-2006-3376.patch | 28 +++
...ont.c-always-check-generated-fontmap.patch | 11 ++
.../03_font.c-compare-fonts-by-name.patch | 11 ++
..._clip.c-use-after-free-cve-2009-1364.patch | 11 ++
...015-4588_CVE-2015-4695_CVE-2015-4696.patch | 186 ++++++++++++++++++
srcpkgs/libwmf/patches/CVE-2016-9011.patch | 34 ++++
.../fix-gdk-pixbuf-loaders-location.patch | 15 ++
srcpkgs/libwmf/template | 6 +-
8 files changed, 299 insertions(+), 3 deletions(-)
create mode 100644 srcpkgs/libwmf/patches/01_player.c-integer-overflow-cve-2006-3376.patch
create mode 100644 srcpkgs/libwmf/patches/02_font.c-always-check-generated-fontmap.patch
create mode 100644 srcpkgs/libwmf/patches/03_font.c-compare-fonts-by-name.patch
create mode 100644 srcpkgs/libwmf/patches/04_gd-gd_clip.c-use-after-free-cve-2009-1364.patch
create mode 100644 srcpkgs/libwmf/patches/CVE-2015-0848_CVE-2015-4588_CVE-2015-4695_CVE-2015-4696.patch
create mode 100644 srcpkgs/libwmf/patches/CVE-2016-9011.patch
create mode 100644 srcpkgs/libwmf/patches/fix-gdk-pixbuf-loaders-location.patch
diff --git a/srcpkgs/libwmf/patches/01_player.c-integer-overflow-cve-2006-3376.patch b/srcpkgs/libwmf/patches/01_player.c-integer-overflow-cve-2006-3376.patch
new file mode 100644
index 00000000000..fcb029f420d
--- /dev/null
+++ b/srcpkgs/libwmf/patches/01_player.c-integer-overflow-cve-2006-3376.patch
@@ -0,0 +1,28 @@
+--- src/player.c
++++ src/player.c
+@@ -23,6 +23,7 @@
+ 
+ #include
+ #include
++#include
+ #include
+ #include
+ 
+@@ -132,8 +133,14 @@
+ }
+ }
+ 
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ 
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+ 
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
+ 
diff --git a/srcpkgs/libwmf/patches/02_font.c-always-check-generated-fontmap.patch b/srcpkgs/libwmf/patches/02_font.c-always-check-generated-fontmap.patch
new file mode 100644
index 00000000000..3066f8ab175
--- /dev/null
+++ b/srcpkgs/libwmf/patches/02_font.c-always-check-generated-fontmap.patch
@@ -0,0 +1,11 @@
+--- src/font.c
++++ src/font.c
+@@ -422,7 +422,6 @@
+ 
+ fontmap_data->FD.FI = 0;
+ 
+- if (API->flags & WMF_OPT_SYS_FONTS)
+ { if (API->flags & WMF_OPT_SYS_FONTMAP)
+ { wmf_ipa_font_map_xml (API,&(fontmap_data->FD),options->sys_fontmap_file);
+ }
+ 
diff --git a/srcpkgs/libwmf/patches/03_font.c-compare-fonts-by-name.patch b/srcpkgs/libwmf/patches/03_font.c-compare-fonts-by-name.patch
new file mode 100644
index 00000000000..01f9a787b30
--- /dev/null
+++ b/srcpkgs/libwmf/patches/03_font.c-compare-fonts-by-name.patch
@@ -0,0 +1,11 @@
+--- src/font.c
++++ src/font.c
+@@ -199,7 +199,7 @@
+ unsigned int i = 0;
+ 
+ while (font_data->cache[i].name)
+- { if (strcmp (font_data->cache[i].path,entry->path) == 0) break;
++ { if (strcmp (font_data->cache[i].name,entry->name) == 0) break;
+ i++;
+ }
+ 
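Review bot: The new guard `if (MAX_REC_SIZE(API) > UINT32_MAX / 2)` only stops the `* 2` from wrapping a 32-bit value, so a record size just under that bound (MAX_REC_SIZE appears to come from the file header, which is not visible here) still reaches wmf_malloc as a ~4 GiB request; the seek-ahead probe in CVE-2016-9011.patch of this same series is what catches that case, so the two patches must be kept together. Reporting the rejected size as `API->err = wmf_E_InsMem;` also mislabels malformed input as an allocation failure; the bmp patch in this series uses `wmf_E_BadFormat` for corrupt data, and using it here gives callers a consistent signal. The added `++#include` line has lost its header name in this rendering; presumably it pulls in `<stdint.h>` for UINT32_MAX, which is worth confirming in the patch file. The enclosing function starts and ends outside this inner hunk.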
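Review bot: Dropping `if (API->flags & WMF_OPT_SYS_FONTS)` leaves `{ if (API->flags & WMF_OPT_SYS_FONTMAP)` as a bare compound block with nothing explaining why the font map is now handled unconditionally, which a later reader is likely to "fix" back. A one-line comment above the block would preserve the intent, e.g. `/* Not gated on WMF_OPT_SYS_FONTS: the (possibly generated) font map must always be checked. */`, with the rationale taken from the patch's own title since the surrounding code does not show it. The enclosing function starts and ends outside this inner hunk.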
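Review bot: The rewritten comparison `strcmp (font_data->cache[i].name,entry->name)` guards `cache[i].name` through the loop condition but never checks `entry->name`, and strcmp on a NULL pointer is undefined behaviour; whether an entry can reach this loop without a name is not visible from the hunk. If it can, a guard before the loop such as `if (entry->name == 0)` that takes the function's existing no-match path is the cheap fix. The enclosing function starts and ends outside this inner hunk.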
diff --git a/srcpkgs/libwmf/patches/04_gd-gd_clip.c-use-after-free-cve-2009-1364.patch b/srcpkgs/libwmf/patches/04_gd-gd_clip.c-use-after-free-cve-2009-1364.patch
new file mode 100644
index 00000000000..01f0dd2795c
--- /dev/null
+++ b/srcpkgs/libwmf/patches/04_gd-gd_clip.c-use-after-free-cve-2009-1364.patch
@@ -0,0 +1,11 @@
+--- src/extra/gd/gd_clip.c
++++ src/extra/gd/gd_clip.c
+@@ -70,6 +70,7 @@
+ { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+ if (more == 0) return;
+ im->clip->max += 8;
++ im->clip->list = more;
+ }
+ im->clip->list[im->clip->count] = (*rect);
+ im->clip->count++;
+ 
diff --git a/srcpkgs/libwmf/patches/CVE-2015-0848_CVE-2015-4588_CVE-2015-4695_CVE-2015-4696.patch b/srcpkgs/libwmf/patches/CVE-2015-0848_CVE-2015-4588_CVE-2015-4695_CVE-2015-4696.patch
new file mode 100644
index 00000000000..26b44ef76cb
--- /dev/null
+++ b/srcpkgs/libwmf/patches/CVE-2015-0848_CVE-2015-4588_CVE-2015-4695_CVE-2015-4696.patch
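Review bot: The added `im->clip->list = more;` closes the use-after-free, but the `if (more == 0) return;` one line above still drops the rectangle silently: the caller cannot learn that the clip list is incomplete, and if the function is void (as the bare `return;` suggests) later clipping is simply wrong. That is pre-existing rather than introduced by this patch, but since the path is being touched it deserves at least a marker comment, e.g. `/* FIXME: allocation failure silently drops the rectangle; caller cannot detect it */`, or an error return if the signature can change. The enclosing function starts and ends outside this inner hunk.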
@@ -0,0 +1,186 @@
+--- src/player/meta.h
++++ src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ objects = P->objects;
+ 
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ objects = P->objects;
+ 
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -2593,9 +2593,10 @@ static int meta_dc_restore (wmfAPI* API,
+ polyrect.BR = 0;
+ 
+ polyrect.count = 0;
++ 
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
+ }
+ 
+- if (FR->region_clip) FR->region_clip (API,&polyrect);
+ 
+ return (changed);
+ }
+@@ -3067,7 +3068,7 @@ static int meta_pen_create (wmfAPI* API,
+ objects = P->objects;
+ 
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3182,7 @@ static int meta_brush_create (wmfAPI* AP
+ objects = P->objects;
+ 
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3289,7 @@ static int meta_font_create (wmfAPI* API
+ objects = P->objects;
+ 
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3397,7 @@ static int meta_palette_create (wmfAPI*
+ objects = P->objects;
+ 
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+--- src/ipa/ipa.h
++++ src/ipa/ipa.h
+@@ -48,7 +48,7 @@ static int ReadBlobByte (BMPS
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long ReadBlobLSBLong (BMPSource*);
+ static long TellBlob (BMPSource*);
+-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
+--- src/ipa/ipa/bmp.h
++++ src/ipa/ipa/bmp.h
+@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ { int byte;
+ int count;
+ int i;
+@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmf
+ U32 u;
+ 
+ unsigned char* q;
++ unsigned char* end;
+ 
+ for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+ 
+ byte = 0;
+ x = 0;
+ q = pixels;
++ end = pixels + bmp->width * bmp->height;
+ 
+ for (y = 0; y < bmp->height; )
+ { count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmf
+ { /* Encoded mode. */
+ byte = ReadBlobByte (src);
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = (unsigned char) byte;
+ }
+ else
+@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmf
+ else
+ { /* Escape mode. */
+ count = ReadBlobByte (src);
+- if (count == 0x01) return;
++ if (count == 0x01) return 1;
+ switch (count)
+ {
+ case 0x00:
+ { /* End of line. */
+ x = 0;
+ y++;
++ if (y >= bmp->height)
++ return 0;
+ q = pixels + y * bmp->width;
+ break;
+ }
+@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmf
+ { /* Delta mode. */
+ x += ReadBlobByte (src);
+ y += ReadBlobByte (src);
++ if (y >= bmp->height)
++ return 0;
++ if (x >= bmp->width)
++ return 0;
+ q = pixels + y * bmp->width + x;
+ break;
+ }
+ default:
+ { /* Absolute mode. */
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = ReadBlobByte (src);
+ }
+ else
+@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmf
+ byte = ReadBlobByte (src); /* end of line */
+ byte = ReadBlobByte (src);
+ 
+- return;
++ return 1;
+ }
+ 
+ /*
+@@ -1143,8 +1157,18 @@ static void ReadBMPImage (wmfAPI* API,wm
+ }
+ }
+ else
+- { /* Convert run-length encoded raster pixels. */
+- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++ {
++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
++ {
++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
++ { WMF_ERROR (API,"corrupt bmp");
++ API->err = wmf_E_BadFormat;
++ }
++ }
++ else
++ { WMF_ERROR (API,"Unexpected pixel depth");
++ API->err = wmf_E_BadFormat;
++ }
+ }
+ 
+ if (ERR (API))
diff --git a/srcpkgs/libwmf/patches/CVE-2016-9011.patch b/srcpkgs/libwmf/patches/CVE-2016-9011.patch
new file mode 100644
index 00000000000..5955784c2d8
--- /dev/null
+++ b/srcpkgs/libwmf/patches/CVE-2016-9011.patch
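Review bot: The new bound `end = pixels + bmp->width * bmp->height;` multiplies without the `(U32)` casts that the zeroing loop a few lines above applies to the very same product; if width and height are narrower than U32 (their types are not visible here) the product is evaluated as int and overflows for large dimensions (undefined behaviour, typically wrapping negative), leaving `end` before `pixels` so the `q == end` checks never fire. Writing it as `end = pixels + (U32) bmp->width * (U32) bmp->height;` keeps it consistent with the existing loop. Separately, the end-of-line case now does `if (y >= bmp->height) return 0;`, which reports a stream as corrupt when an end-of-line marker follows the final row; the two trailing `ReadBlobByte` calls after the loop suggest trailing bytes are expected, so breaking out of the loop there rather than returning 0 would keep the bounds protection without rejecting such files — worth checking against real RLE8 samples. In delta mode `x += ReadBlobByte (src)` is only checked with `x >= bmp->width`, so if ReadBlobByte can return -1 at EOF (its definition is not in the hunk) a negative x would slip past that check.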
@@ -0,0 +1,34 @@
+--- src/player.c
++++ src/player.c
+@@ -140,7 +140,30 @@
+ return (API->err);
+ }
+ 
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++ 
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+ 
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
diff --git a/srcpkgs/libwmf/patches/fix-gdk-pixbuf-loaders-location.patch b/srcpkgs/libwmf/patches/fix-gdk-pixbuf-loaders-location.patch
new file mode 100644
index 00000000000..4b67ceaa8fd
--- /dev/null
+++ b/srcpkgs/libwmf/patches/fix-gdk-pixbuf-loaders-location.patch
@@ -0,0 +1,15 @@
+Source: Debian https://sources.debian.org/src/libwmf/0.2.8.4-12/debian/patches/05_gdk-pixbuf-loader-dir.patch/
+Upstream: Unknown
+Reason: Install gdk-pixbuf-loader into correct location
+
+--- configure.ac
++++ configure.ac
+@@ -745,7 +745,7 @@ GDK_PIXBUF_DIR=""
+ if test $LIBWMF_BUILDSTYLE != lite; then
+ PKG_CHECK_MODULES(GDK_PIXBUF,gdk-pixbuf-2.0 >= 2.1.2,[
+ GTK_VERSION=`$PKG_CONFIG --variable=gtk_binary_version gtk+-2.0`
+- GDK_PIXBUF_DIR="gtk-2.0/$GTK_VERSION/loaders"
++ GDK_PIXBUF_DIR="gdk-pixbuf-2.0/$GTK_VERSION/loaders"
+ wmf_gdk_pixbuf=yes
+ ],[ wmf_gdk_pixbuf=no
+ ])
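Review bot: When `nMaxRecordSize` is 0 the `if (nMaxRecordSize)` skips the probe and the code falls through to `wmf_malloc (API, nMaxRecordSize)` with a zero-length request; whether a zero maximum record size is rejected elsewhere is not visible here, and a file claiming it is malformed, so rejecting it explicitly (`if (nMaxRecordSize == 0) { API->err = wmf_E_BadFormat; return (API->err); }`) would be safer than handing later record parsing an empty Parameters buffer. On targets where `long` is 32-bit, `nPos + nMaxRecordSize - 1` is evaluated in unsigned arithmetic and can wrap to a small offset, so the probe seeks somewhere inside the file and passes; computing the target in a wider type, or checking `nMaxRecordSize - 1` against `LONG_MAX - nPos` before the seek, closes that. The mid-block `U32 nMaxRecordSize = …` and `int byte = …` declarations and the `//` comments require C99, which the current gcc default accepts but a `-ansi` build would not. The enclosing function starts and ends outside this inner hunk.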
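Review bot: The new path `GDK_PIXBUF_DIR="gdk-pixbuf-2.0/$GTK_VERSION/loaders"` still takes its version component from the line above, `$PKG_CONFIG --variable=gtk_binary_version gtk+-2.0`, i.e. from a module this PKG_CHECK_MODULES never checks for: if gtk+-2.0 is not installed the variable is empty and the loader lands in `gdk-pixbuf-2.0//loaders`, and even when present the GTK binary version is not gdk-pixbuf's own (presumably they coincide on the target today, which is why this works). Querying the module that is actually checked, ``GTK_VERSION=`$PKG_CONFIG --variable=gdk_pixbuf_binary_version gdk-pixbuf-2.0` ``, ties the install directory to gdk-pixbuf itself; alternatively `gdk_pixbuf_moduledir` yields the full loader directory directly. The `if test $LIBWMF_BUILDSTYLE != lite` block closes outside this inner hunk.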
diff --git a/srcpkgs/libwmf/template b/srcpkgs/libwmf/template
index 70ae833567e..ed051d5e3ef 100644
--- a/srcpkgs/libwmf/template
+++ b/srcpkgs/libwmf/template
@@ -1,11 +1,11 @@
# Template file for 'libwmf'
pkgname=libwmf
version=0.2.8.4
-revision=17
+revision=18
build_style=gnu-configure
configure_args="--with-gsfontdir=/usr/share/fonts/Type1
---with-fontdir=/usr/share/fonts/Type1 --disable-static
---with-gsfontmap=/usr/share/ghostscript/8.15/lib/Fontmap.GS"
+ --with-fontdir=/usr/share/fonts/Type1 --disable-static
+ --with-gsfontmap=/usr/share/ghostscript/8.15/lib/Fontmap.GS"
hostmakedepends="automake libtool pkg-config gsfonts freetype-devel"
makedepends="zlib-devel freetype-devel libjpeg-turbo-devel libpng-devel expat-devel glib-devel gtk+-devel gd-devel gsfonts"