summaryrefslogtreecommitdiffstats
path: root/patches/source/libwmf
diff options
context:
space:
mode:
author Patrick J Volkerding <volkerdi@slackware.com>2018-05-25 23:29:36 +0000
committer Eric Hameleers <alien@slackware.com>2018-05-31 15:18:32 -0700
commit8ff4f2f51a6cf07fc33742ce3bee81328896e49b (patch)
tree4a166b8389404be98a6c098babaa444e2dec8f48 /patches/source/libwmf
parent76fc4757ac91ac7947a01fb7b53dddf9a78a01d1 (diff)
downloadcurrent-14.1.tar.gz
current-14.1.tar.xz
Fri May 25 23:29:36 UTC 201814.1
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.1.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific.
Diffstat (limited to 'patches/source/libwmf')
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2004-0941.patch17
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch27
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-0455.patch11
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-2756.patch16
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3472.patch61
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3473.patch13
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3477.patch38
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2009-3546.patch13
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch118
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-4695.patch56
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-4696.patch23
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10167.patch30
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch14
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch36
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9317.patch21
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2017-6362.patch32
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-fallbackfont.patch18
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-pixbufloaderdir.patch14
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-reducesymbols.patch520
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-useafterfree.patch10
-rwxr-xr-xpatches/source/libwmf/libwmf.SlackBuild142
-rw-r--r--patches/source/libwmf/libwmf.png14.diff11
-rw-r--r--patches/source/libwmf/slack-desc19
23 files changed, 1260 insertions, 0 deletions
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2004-0941.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2004-0941.patch
new file mode 100644
index 000000000..581e4e091
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2004-0941.patch
@@ -0,0 +1,17 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824 -0500
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960 -0500
+@@ -188,6 +188,14 @@
+
+ png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
++ if (overflow2(sizeof (int), width))
++ {
++ return NULL;
++ }
++ if (overflow2(sizeof (int) * width, height))
++ {
++ return NULL;
++ }
+ if ((color_type == PNG_COLOR_TYPE_RGB) ||
+ (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+ {
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch
new file mode 100644
index 000000000..507fe6622
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch
@@ -0,0 +1,27 @@
+--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000
++++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings */
+ #include "player/record.h" /* Provides: parameter mechanism */
+ #include "player/meta.h" /* Provides: record interpreters */
++#include <stdint.h>
+
+ /**
+ * @internal
+@@ -132,8 +134,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-0455.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-0455.patch
new file mode 100644
index 000000000..0cc5abc71
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-0455.patch
@@ -0,0 +1,11 @@
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ {
+ ch = c & 0xFF; /* don't extend sign */
+ }
+- next++;
++ if (*next) next++;
+ }
+ else
+ {
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-2756.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-2756.patch
new file mode 100644
index 000000000..eba8fac25
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-2756.patch
@@ -0,0 +1,16 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000 1.21.2.1
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ png_bytep data, png_size_t length)
+ {
+- gdGetBuf (data, length, (gdIOCtx *)
+- png_get_io_ptr (png_ptr));
++ int check;
++ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++ if (check != length) {
++ png_error(png_ptr, "Read Error: truncated data");
++ }
+ }
+
+ static void
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3472.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3472.patch
new file mode 100644
index 000000000..ac1ead5a8
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3472.patch
@@ -0,0 +1,61 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+ gdImagePtr im;
+ unsigned long cpa_size;
+
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (int *), sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof(int), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ if (im == 0) return 0;
+ memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+
+@@ -94,3 +95,18 @@
+ {
+ free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++ if(a < 0 || b < 0) {
++ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++ return 1;
++ }
++ if(b == 0)
++ return 0;
++ if(a > INT_MAX / b) {
++ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++ return 1;
++ }
++ return 0;
++}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000
+@@ -15,6 +15,8 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+
++int overflow2(int a, int b);
++
+ #pragma GCC visibility pop
+
+ #endif /* GDHELPERS_H */
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3473.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3473.patch
new file mode 100644
index 000000000..590189969
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3473.patch
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+ }
+ bytes = (w * h / 8) + 1;
+ im = gdImageCreate (w, h);
++ if (!im) {
++ return 0;
++ }
++
+ gdImageColorAllocate (im, 255, 255, 255);
+ gdImageColorAllocate (im, 0, 0, 0);
+ x = 0;
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3477.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3477.patch
new file mode 100644
index 000000000..81ac03853
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2007-3477.patch
@@ -0,0 +1,38 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+ int w2, h2;
+ w2 = w / 2;
+ h2 = h / 2;
+- while (e < s)
+- {
+- e += 360;
+- }
++
++ if ((s % 360) == (e % 360)) {
++ s = 0; e = 360;
++ } else {
++ if (s > 360) {
++ s = s % 360;
++ }
++
++ if (e > 360) {
++ e = e % 360;
++ }
++
++ while (s < 0) {
++ s += 360;
++ }
++
++ while (e < s) {
++ e += 360;
++ }
++
++ if (s == e) {
++ s = 0; e = 360;
++ }
++ }
++
+ for (i = s; (i <= e); i++)
+ {
+ int x, y;
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2009-3546.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2009-3546.patch
new file mode 100644
index 000000000..d718976ad
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2009-3546.patch
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000 +0000
+@@ -42,6 +42,10 @@
+ {
+ goto fail1;
+ }
++ if (&im->colorsTotal > gdMaxColors)
++ {
++ goto fail1;
++ }
+ }
+ /* Int to accommodate truecolor single-color transparency */
+ if (!gdGetInt (&im->transparent, in))
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
new file mode 100644
index 000000000..e8ba8db1e
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
@@ -0,0 +1,118 @@
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
+@@ -859,7 +859,7 @@
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ { int byte;
+ int count;
+ int i;
+@@ -870,12 +870,14 @@
+ U32 u;
+
+ unsigned char* q;
++ unsigned char* end;
+
+ for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+
+ byte = 0;
+ x = 0;
+ q = pixels;
++ end = pixels + bmp->width * bmp->height;
+
+ for (y = 0; y < bmp->height; )
+ { count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@
+ { /* Encoded mode. */
+ byte = ReadBlobByte (src);
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = (unsigned char) byte;
+ }
+ else
+@@ -896,13 +901,15 @@
+ else
+ { /* Escape mode. */
+ count = ReadBlobByte (src);
+- if (count == 0x01) return;
++ if (count == 0x01) return 1;
+ switch (count)
+ {
+ case 0x00:
+ { /* End of line. */
+ x = 0;
+ y++;
++ if (y >= bmp->height)
++ return 0;
+ q = pixels + y * bmp->width;
+ break;
+ }
+@@ -910,13 +917,20 @@
+ { /* Delta mode. */
+ x += ReadBlobByte (src);
+ y += ReadBlobByte (src);
++ if (y >= bmp->height)
++ return 0;
++ if (x >= bmp->width)
++ return 0;
+ q = pixels + y * bmp->width + x;
+ break;
+ }
+ default:
+ { /* Absolute mode. */
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = ReadBlobByte (src);
+ }
+ else
+@@ -943,7 +957,7 @@
+ byte = ReadBlobByte (src); /* end of line */
+ byte = ReadBlobByte (src);
+
+- return;
++ return 1;
+ }
+
+ /*
+@@ -1143,8 +1157,18 @@
+ }
+ }
+ else
+- { /* Convert run-length encoded raster pixels. */
+- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++ {
++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
++ {
++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
++ { WMF_ERROR (API,"corrupt bmp");
++ API->err = wmf_E_BadFormat;
++ }
++ }
++ else
++ { WMF_ERROR (API,"Unexpected pixel depth");
++ API->err = wmf_E_BadFormat;
++ }
+ }
+
+ if (ERR (API))
+--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
+@@ -48,7 +48,7 @@
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long ReadBlobLSBLong (BMPSource*);
+ static long TellBlob (BMPSource*);
+-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-4695.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-4695.patch
new file mode 100644
index 000000000..b6d499da9
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-4695.patch
@@ -0,0 +1,56 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-4696.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-4696.patch
new file mode 100644
index 000000000..331284125
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2015-4696.patch
@@ -0,0 +1,23 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -2585,6 +2585,8 @@
+ polyrect.BR[i] = clip->rects[i].BR;
+ }
+
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
++
+ wmf_free (API,polyrect.TL);
+ wmf_free (API,polyrect.BR);
+ }
+@@ -2593,9 +2595,10 @@
+ polyrect.BR = 0;
+
+ polyrect.count = 0;
++
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
+ }
+
+- if (FR->region_clip) FR->region_clip (API,&polyrect);
+
+ return (changed);
+ }
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10167.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10167.patch
new file mode 100644
index 000000000..5e2819743
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10167.patch
@@ -0,0 +1,30 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -362,10 +362,9 @@
+ {
+ if (!gdGetInt (&im->tpixels[y][x], in))
+ {
+- /*printf("EOF while reading\n"); */
+- /*gdImageDestroy(im); */
+- /*return 0; */
+- im->tpixels[y][x] = 0;
++ fprintf(stderr, "gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ }
+ else
+@@ -373,10 +372,9 @@
+ int ch;
+ if (!gdGetByte (&ch, in))
+ {
+- /*printf("EOF while reading\n"); */
+- /*gdImageDestroy(im); */
+- /*return 0; */
+- ch = 0;
++ fprintf(stderr, "gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ im->pixels[y][x] = ch;
+ }
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch
new file mode 100644
index 000000000..f08b1f1e5
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch
@@ -0,0 +1,14 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -145,6 +145,11 @@
+
+ if ((*fmt) == GD2_FMT_COMPRESSED)
+ {
++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++ goto fail1;
++ }
++
+ nc = (*ncx) * (*ncy);
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ sidx = sizeof (t_chunk_info) * nc;
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch
new file mode 100644
index 000000000..c6bd017c2
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch
@@ -0,0 +1,36 @@
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+-
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9317.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9317.patch
new file mode 100644
index 000000000..cf57734ed
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9317.patch
@@ -0,0 +1,21 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -65,6 +65,18 @@
+ {
+ int i;
+ gdImagePtr im;
++
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (unsigned char *), sy)) {
++ return NULL;
++ }
++ if (overflow2(sizeof (unsigned char), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ memset (im, 0, sizeof (gdImage));
+ /* Row-major ever since gd 1.3 */
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2017-6362.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2017-6362.patch
new file mode 100644
index 000000000..2ad180d97
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2017-6362.patch
@@ -0,0 +1,32 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c
+@@ -435,17 +435,6 @@
+ out->free (out);
+ }
+
+-void *
+-gdImagePngPtr (gdImagePtr im, int *size)
+-{
+- void *rv;
+- gdIOCtx *out = gdNewDynamicCtx (2048, NULL);
+- gdImagePngCtx (im, out);
+- rv = gdDPExtractData (out, size);
+- out->free (out);
+- return rv;
+-}
+-
+ /* This routine is based in part on code from Dale Lutz (Safe Software Inc.)
+ * and in part on demo code from Chapter 15 of "PNG: The Definitive Guide"
+ * (http://www.cdrom.com/pub/png/pngbook.html).
+--- libwmf-0.2.8.4/src/extra/gd/gd.h
++++ libwmf-0.2.8.4/src/extra/gd/gd.h
+@@ -373,9 +373,6 @@
+ void gdImageGd2(gdImagePtr im, FILE *out, int cs, int fmt);
+
+ /* Best to free this memory with gdFree(), not free() */
+-void* gdImagePngPtr(gdImagePtr im, int *size);
+-
+-/* Best to free this memory with gdFree(), not free() */
+ void* gdImageGdPtr(gdImagePtr im, int *size);
+
+ /* Best to free this memory with gdFree(), not free() */
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-fallbackfont.patch b/patches/source/libwmf/libwmf-0.2.8.4-fallbackfont.patch
new file mode 100644
index 000000000..83383138a
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-fallbackfont.patch
@@ -0,0 +1,18 @@
+diff -ru libwmf-0.2.8.4.orig/src/font.c libwmf-0.2.8.4/src/font.c
+--- libwmf-0.2.8.4.orig/src/font.c 2005-07-27 21:35:06.000000000 +0100
++++ libwmf-0.2.8.4/src/font.c 2006-01-03 12:53:38.000000000 +0000
+@@ -1429,11 +1429,9 @@
+ if (GS->len == 0) return (0);
+
+ name = font->lfFaceName;
+- if (name == 0)
+- { WMF_DEBUG (API,"No font name?");
+- API->err = wmf_E_Glitch;
+- return (0);
+- }
++
++ if (name == 0 || name[0] == 0)
++ name = "Times";
+
+ /* Find first white-space character or eol
+ */
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-pixbufloaderdir.patch b/patches/source/libwmf/libwmf-0.2.8.4-pixbufloaderdir.patch
new file mode 100644
index 000000000..a03578581
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-pixbufloaderdir.patch
@@ -0,0 +1,14 @@
+diff -up libwmf-0.2.8.4/configure.in.pixbufloaderdir libwmf-0.2.8.4/configure.in
+--- libwmf-0.2.8.4/configure.in.pixbufloaderdir 2010-06-28 23:35:06.227167269 -0400
++++ libwmf-0.2.8.4/configure.in 2010-06-28 23:36:00.948420306 -0400
+@@ -741,8 +741,8 @@
+
+ if test $LIBWMF_BUILDSTYLE != lite; then
+ PKG_CHECK_MODULES(GDK_PIXBUF,gdk-pixbuf-2.0 >= 2.1.2,[
+- GTK_VERSION=`$PKG_CONFIG --variable=gtk_binary_version gtk+-2.0`
+- GDK_PIXBUF_DIR="gtk-2.0/$GTK_VERSION/loaders"
++ GDK_PIXBUF_VERSION=`$PKG_CONFIG --variable=gdk_pixbuf_binary_version gdk-pixbuf-2.0`
++ GDK_PIXBUF_DIR="gdk-pixbuf-2.0/$GDK_PIXBUF_VERSION/loaders"
+ wmf_gdk_pixbuf=yes
+ ],[ wmf_gdk_pixbuf=no
+ ])
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-reducesymbols.patch b/patches/source/libwmf/libwmf-0.2.8.4-reducesymbols.patch
new file mode 100644
index 000000000..45d82b327
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-reducesymbols.patch
@@ -0,0 +1,520 @@
+diff -ru libwmf-0.2.8.4/src/extra/gd/gd.c libwmf-0.2.8.4.symbols/src/extra/gd/gd.c
+--- libwmf-0.2.8.4/src/extra/gd/gd.c 2005-07-27 21:35:05.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gd.c 2006-11-16 12:27:05.000000000 +0000
+@@ -249,6 +249,7 @@
+ }
+ HWBType;
+
++#if 0
+ static HWBType *
+ RGB_to_HWB (RGBType RGB, HWBType * HWB)
+ {
+@@ -308,7 +309,6 @@
+ return diff;
+ }
+
+-#if 0
+ /*
+ * This is not actually used, but is here for completeness, in case someone wants to
+ * use the HWB stuff for anything else...
+@@ -355,6 +355,7 @@
+ }
+ #endif
+
++#if 0
+ int
+ gdImageColorClosestHWB (gdImagePtr im, int r, int g, int b)
+ {
+@@ -384,6 +385,7 @@
+ }
+ return ct;
+ }
++#endif
+
+ int
+ gdImageColorExact (gdImagePtr im, int r, int g, int b)
+@@ -677,7 +679,7 @@
+ }
+ }
+
+-int
++static int
+ gdImageGetTrueColorPixel (gdImagePtr im, int x, int y)
+ {
+ int p = gdImageGetPixel (im, x, y);
+@@ -1286,11 +1288,11 @@
+ return len;
+ }
+
+-#ifndef HAVE_LSQRT
++#if 0
+ /* If you don't have a nice square root function for longs, you can use
+ ** this hack
+ */
+-long
++static long
+ lsqrt (long n)
+ {
+ long result = (long) sqrt ((double) n);
+@@ -2250,7 +2252,7 @@
+ }
+ }
+
+-int gdCompareInt (const void *a, const void *b);
++static int gdCompareInt (const void *a, const void *b);
+
+ /* THANKS to Kirsten Schulz for the polygon fixes! */
+
+diff -ru libwmf-0.2.8.4/src/extra/gd/gdcache.h libwmf-0.2.8.4.symbols/src/extra/gd/gdcache.h
+--- libwmf-0.2.8.4/src/extra/gd/gdcache.h 2001-08-21 15:40:33.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gdcache.h 2006-11-16 12:13:40.000000000 +0000
+@@ -41,6 +41,9 @@
+ /*********************************************************/
+
+ /* #include <malloc.h> */
++
++#pragma GCC visibility push(hidden)
++
+ #ifndef NULL
+ #define NULL (void *)0
+ #endif
+@@ -81,3 +84,5 @@
+
+ void *
+ gdCacheGet( gdCache_head_t *head, void *keydata );
++
++#pragma GCC visibility pop
+diff -ru libwmf-0.2.8.4/src/extra/gd/gd_clip.h libwmf-0.2.8.4.symbols/src/extra/gd/gd_clip.h
+--- libwmf-0.2.8.4/src/extra/gd/gd_clip.h 2001-03-28 10:37:30.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gd_clip.h 2006-11-16 12:11:49.000000000 +0000
+@@ -1,6 +1,8 @@
+ #ifndef GD_CLIP_H
+ #define GD_CLIP_H 1
+
++#pragma GCC visibility push(hidden)
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -23,4 +25,6 @@
+ }
+ #endif
+
++#pragma GCC visibility pop
++
+ #endif /* GD_CLIP_H */
+diff -ru libwmf-0.2.8.4/src/extra/gd/gdfontg.h libwmf-0.2.8.4.symbols/src/extra/gd/gdfontg.h
+--- libwmf-0.2.8.4/src/extra/gd/gdfontg.h 2001-03-28 10:37:30.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gdfontg.h 2006-11-16 12:12:03.000000000 +0000
+@@ -2,6 +2,8 @@
+ #ifndef _GDFONTG_H_
+ #define _GDFONTG_H_ 1
+
++#pragma GCC visibility push(hidden)
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -25,5 +27,7 @@
+ }
+ #endif
+
++#pragma GCC visibility pop
++
+ #endif
+
+diff -ru libwmf-0.2.8.4/src/extra/gd/gdfontl.h libwmf-0.2.8.4.symbols/src/extra/gd/gdfontl.h
+--- libwmf-0.2.8.4/src/extra/gd/gdfontl.h 2001-03-28 10:37:30.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gdfontl.h 2006-11-16 12:12:11.000000000 +0000
+@@ -2,6 +2,8 @@
+ #ifndef _GDFONTL_H_
+ #define _GDFONTL_H_ 1
+
++#pragma GCC visibility push(hidden)
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -26,5 +28,7 @@
+ }
+ #endif
+
++#pragma GCC visibility pop
++
+ #endif
+
+diff -ru libwmf-0.2.8.4/src/extra/gd/gdfontmb.h libwmf-0.2.8.4.symbols/src/extra/gd/gdfontmb.h
+--- libwmf-0.2.8.4/src/extra/gd/gdfontmb.h 2001-03-28 10:37:30.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gdfontmb.h 2006-11-16 12:12:19.000000000 +0000
+@@ -2,6 +2,8 @@
+ #ifndef _GDFONTMB_H_
+ #define _GDFONTMB_H_ 1
+
++#pragma GCC visibility push(hidden)
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -24,5 +26,7 @@
+ }
+ #endif
+
++#pragma GCC visibility pop
++
+ #endif
+
+diff -ru libwmf-0.2.8.4/src/extra/gd/gdfonts.h libwmf-0.2.8.4.symbols/src/extra/gd/gdfonts.h
+--- libwmf-0.2.8.4/src/extra/gd/gdfonts.h 2001-03-28 10:37:30.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gdfonts.h 2006-11-16 12:12:28.000000000 +0000
+@@ -2,6 +2,8 @@
+ #ifndef _GDFONTS_H_
+ #define _GDFONTS_H_ 1
+
++#pragma GCC visibility push(hidden)
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -24,5 +26,7 @@
+ }
+ #endif
+
++#pragma GCC visibility pop
++
+ #endif
+
+diff -ru libwmf-0.2.8.4/src/extra/gd/gdfontt.h libwmf-0.2.8.4.symbols/src/extra/gd/gdfontt.h
+--- libwmf-0.2.8.4/src/extra/gd/gdfontt.h 2001-03-28 10:37:30.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gdfontt.h 2006-11-16 12:12:36.000000000 +0000
+@@ -2,6 +2,8 @@
+ #ifndef _GDFONTT_H_
+ #define _GDFONTT_H_ 1
+
++#pragma GCC visibility push(hidden)
++
+ #ifdef __cplusplus
+ extern "C" {
+ #endif
+@@ -25,5 +27,7 @@
+ }
+ #endif
+
++#pragma GCC visibility pop
++
+ #endif
+
+diff -ru libwmf-0.2.8.4/src/extra/gd/gdft.c libwmf-0.2.8.4.symbols/src/extra/gd/gdft.c
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c 2005-07-27 21:35:05.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gdft.c 2006-11-16 12:24:50.000000000 +0000
+@@ -533,7 +533,7 @@
+ }
+
+ /* draw_bitmap - transfers glyph bitmap to GD image */
+-/* static */ char *
++static char *
+ gdft_draw_bitmap (gdImage * im, int fg, FT_Bitmap bitmap, int pen_x, int pen_y)
+ {
+ unsigned char *pixel = 0;
+@@ -643,7 +643,7 @@
+ return (char *) NULL;
+ }
+
+-int
++static int
+ gdroundupdown (FT_F26Dot6 v1, int updown)
+ {
+ return (!updown)
+@@ -651,7 +651,9 @@
+ : (v1 > 0 ? ((v1 + 63) >> 6) : v1 >> 6);
+ }
+
++#pragma GCC visibility push(hidden)
+ extern int any2eucjp (char *, char *, unsigned int);
++#pragma GCC visibility pop
+
+ /********************************************************************/
+ /* gdImageStringFT - render a utf8 string onto a gd image */
+diff -ru libwmf-0.2.8.4/src/extra/gd/gd_gd2.c libwmf-0.2.8.4.symbols/src/extra/gd/gd_gd2.c
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c 2005-07-27 21:35:05.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gd_gd2.c 2006-11-16 12:21:28.000000000 +0000
+@@ -34,8 +34,10 @@
+ }
+ t_chunk_info;
+
++#pragma GCC visibility push(hidden)
+ extern int _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag);
+ extern void _gdPutColors (gdImagePtr im, gdIOCtx * out);
++#pragma GCC visibility pop
+
+ /* */
+ /* Read the extra info in the gd2 header. */
+diff -ru libwmf-0.2.8.4/src/extra/gd/gd_gd.c libwmf-0.2.8.4.symbols/src/extra/gd/gd_gd.c
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2005-07-27 21:35:05.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gd_gd.c 2006-11-16 12:21:43.000000000 +0000
+@@ -11,6 +11,11 @@
+ /* Exported functions: */
+ extern void gdImageGd (gdImagePtr im, FILE * out);
+
++#pragma GCC visibility push(hidden)
++int _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag);
++void _gdPutColors (gdImagePtr im, gdIOCtx * out);
++#pragma GCC visibility pop
++
+
+ /* Use this for commenting out debug-print statements. */
+ /* Just use the first '#define' to allow all the prints... */
+diff -ru libwmf-0.2.8.4/src/extra/gd/gd.h libwmf-0.2.8.4.symbols/src/extra/gd/gd.h
+--- libwmf-0.2.8.4/src/extra/gd/gd.h 2002-12-05 20:09:11.000000000 +0000
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gd.h 2006-11-16 12:14:11.000000000 +0000
+@@ -25,6 +25,8 @@
+ #include <gd_io.h>
+ #include <gd_clip.h>
+
++#pragma GCC visibility push(hidden)
++
+ /* The maximum number of palette entries in palette-based images.
+ In the wonderful new world of gd 2.0, you can of course have
+ many more colors when using truecolor mode. */
+@@ -497,6 +499,8 @@
+ /* resolution affects ttf font rendering, particularly hinting */
+ #define GD_RESOLUTION 96 /* pixels per inch */
+
++#pragma GCC visibility pop
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff -ru libwmf-0.2.8.4/src/extra/gd/gdhelpers.h libwmf-0.2.8.4.symbols/src/extra/gd/gdhelpers.h
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2001-03-28 10:37:31.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gdhelpers.h 2006-11-16 12:12:55.000000000 +0000
+@@ -1,6 +1,8 @@
+ #ifndef GDHELPERS_H
+ #define GDHELPERS_H 1
+
++#pragma GCC visibility push(hidden)
++
+ /* TBB: strtok_r is not universal; provide an implementation of it. */
+
+ extern char *gd_strtok_r(char *s, char *sep, char **state);
+@@ -13,5 +15,7 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+
++#pragma GCC visibility pop
++
+ #endif /* GDHELPERS_H */
+
+diff -ru libwmf-0.2.8.4/src/extra/gd/gd_io.h libwmf-0.2.8.4.symbols/src/extra/gd/gd_io.h
+--- libwmf-0.2.8.4/src/extra/gd/gd_io.h 2001-03-28 10:37:30.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gd_io.h 2006-11-16 12:13:08.000000000 +0000
+@@ -2,6 +2,8 @@
+ #define GD_IO_H 1
+
+ #include <stdio.h>
++
++#pragma GCC visibility push(hidden)
+
+ typedef struct gdIOCtx {
+ int (*getC)(struct gdIOCtx*);
+@@ -36,4 +38,6 @@
+ int gdSeek(gdIOCtx *ctx, const int);
+ long gdTell(gdIOCtx *ctx);
+
++#pragma GCC visibility pop
++
+ #endif
+diff -ru libwmf-0.2.8.4/src/extra/gd/gd_jpeg.c libwmf-0.2.8.4.symbols/src/extra/gd/gd_jpeg.c
+--- libwmf-0.2.8.4/src/extra/gd/gd_jpeg.c 2005-07-27 21:35:06.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gd_jpeg.c 2006-11-16 12:28:13.000000000 +0000
+@@ -99,7 +99,7 @@
+ return rv;
+ }
+
+-void jpeg_gdIOCtx_dest (j_compress_ptr cinfo, gdIOCtx * outfile);
++static void jpeg_gdIOCtx_dest (j_compress_ptr cinfo, gdIOCtx * outfile);
+
+ void
+ gdImageJpegCtx (gdImagePtr im, gdIOCtx * outfile, int quality)
+@@ -266,7 +266,7 @@
+ return im;
+ }
+
+-void
++static void
+ jpeg_gdIOCtx_src (j_decompress_ptr cinfo,
+ gdIOCtx * infile);
+
+@@ -511,7 +511,7 @@
+ * before any data is actually read.
+ */
+
+-void
++static void
+ init_source (j_decompress_ptr cinfo)
+ {
+ my_src_ptr src = (my_src_ptr) cinfo->src;
+@@ -559,7 +559,7 @@
+
+ #define END_JPEG_SEQUENCE "\r\n[*]--:END JPEG:--[*]\r\n"
+
+-safeboolean
++static safeboolean
+ fill_input_buffer (j_decompress_ptr cinfo)
+ {
+ my_src_ptr src = (my_src_ptr) cinfo->src;
+@@ -627,7 +627,7 @@
+ * buffer is the application writer's problem.
+ */
+
+-void
++static void
+ skip_input_data (j_decompress_ptr cinfo, long num_bytes)
+ {
+ my_src_ptr src = (my_src_ptr) cinfo->src;
+@@ -669,7 +669,7 @@
+ * for error exit.
+ */
+
+-void
++static void
+ term_source (j_decompress_ptr cinfo)
+ {
+
+@@ -742,7 +742,7 @@
+ * before any data is actually written.
+ */
+
+-void
++static void
+ init_destination (j_compress_ptr cinfo)
+ {
+ my_dest_ptr dest = (my_dest_ptr) cinfo->dest;
+@@ -780,7 +780,7 @@
+ * write it out when emptying the buffer externally.
+ */
+
+-safeboolean
++static safeboolean
+ empty_output_buffer (j_compress_ptr cinfo)
+ {
+ my_dest_ptr dest = (my_dest_ptr) cinfo->dest;
+@@ -805,7 +805,7 @@
+ * for error exit.
+ */
+
+-void
++static void
+ term_destination (j_compress_ptr cinfo)
+ {
+ my_dest_ptr dest = (my_dest_ptr) cinfo->dest;
+diff -ru libwmf-0.2.8.4/src/extra/gd/gdkanji.c libwmf-0.2.8.4.symbols/src/extra/gd/gdkanji.c
+--- libwmf-0.2.8.4/src/extra/gd/gdkanji.c 2001-05-19 14:09:34.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gdkanji.c 2006-11-16 12:29:42.000000000 +0000
+@@ -555,6 +555,11 @@
+ return kanji;
+ }
+
++#pragma GCC visibility push(hidden)
++int
++any2eucjp (unsigned char *dest, unsigned char *src, unsigned int dest_max);
++#pragma GCC visibility pop
++
+ int
+ any2eucjp (unsigned char *dest, unsigned char *src, unsigned int dest_max)
+ {
+diff -ru libwmf-0.2.8.4/src/extra/gd/gd_topal.c libwmf-0.2.8.4.symbols/src/extra/gd/gd_topal.c
+--- libwmf-0.2.8.4/src/extra/gd/gd_topal.c 2005-07-27 21:35:06.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gd_topal.c 2006-11-16 12:25:45.000000000 +0000
+@@ -1129,7 +1129,7 @@
+ * Map some rows of pixels to the output colormapped representation.
+ */
+
+-void
++static void
+ pass2_no_dither (gdImagePtr im, my_cquantize_ptr cquantize)
+ /* This version performs no dithering */
+ {
+@@ -1217,7 +1217,7 @@
+ #endif
+
+
+-void
++static void
+ pass2_fs_dither (gdImagePtr im, my_cquantize_ptr cquantize)
+
+ /* This version performs Floyd-Steinberg dithering */
+diff -ru libwmf-0.2.8.4/src/extra/gd/gd_wbmp.c libwmf-0.2.8.4.symbols/src/extra/gd/gd_wbmp.c
+--- libwmf-0.2.8.4/src/extra/gd/gd_wbmp.c 2001-05-19 14:09:34.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gd_wbmp.c 2006-11-16 12:28:33.000000000 +0000
+@@ -67,7 +67,7 @@
+ ** Wrapper around gdPutC for use with writewbmp
+ **
+ */
+-void
++static void
+ gd_putout (int i, void *out)
+ {
+ gdPutC (i, (gdIOCtx *) out);
+@@ -79,7 +79,7 @@
+ ** Wrapper around gdGetC for use with readwbmp
+ **
+ */
+-int
++static int
+ gd_getin (void *in)
+ {
+ return (gdGetC ((gdIOCtx *) in));
+diff -ru libwmf-0.2.8.4/src/extra/gd/gdxpm.c libwmf-0.2.8.4.symbols/src/extra/gd/gdxpm.c
+--- libwmf-0.2.8.4/src/extra/gd/gdxpm.c 2001-05-19 14:09:34.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/gdxpm.c 2006-11-16 12:18:29.000000000 +0000
+@@ -10,6 +10,7 @@
+ #include "gd.h"
+ #include "gdhelpers.h"
+
++#if 0
+ #ifndef HAVE_XPM
+ gdImagePtr
+ gdImageCreateFromXpm (char *filename)
+@@ -146,3 +147,4 @@
+ return (im);
+ }
+ #endif
++#endif
+diff -ru libwmf-0.2.8.4/src/extra/gd/jisx0208.h libwmf-0.2.8.4.symbols/src/extra/gd/jisx0208.h
+--- libwmf-0.2.8.4/src/extra/gd/jisx0208.h 2001-03-28 10:37:35.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/jisx0208.h 2006-11-16 12:13:19.000000000 +0000
+@@ -1,5 +1,8 @@
+ #ifndef JISX0208_H
+ #define JISX0208_H
++
++#pragma GCC visibility push(hidden)
++
+ /* This file was derived from "src/VF_Ftype.c" in VFlib2-2.24.2
+ by Dr. Kakugawa */
+
+@@ -1202,4 +1205,6 @@
+ 0x2170, 0x2171, 0x2172, 0x2173, 0x2174, 0x2175, 0x2176, 0x2177,
+ 0x2178, 0x2179, 0xFFE2, 0xFFE4, 0xFF07, 0xFF02}};
+
++#pragma GCC visibility pop
++
+ #endif /* JISX0208_H */
+diff -ru libwmf-0.2.8.4/src/extra/gd/wbmp.h libwmf-0.2.8.4.symbols/src/extra/gd/wbmp.h
+--- libwmf-0.2.8.4/src/extra/gd/wbmp.h 2001-03-28 10:37:37.000000000 +0100
++++ libwmf-0.2.8.4.symbols/src/extra/gd/wbmp.h 2006-11-16 12:14:19.000000000 +0000
+@@ -12,6 +12,8 @@
+ #ifndef __WBMP_H
+ #define __WBMP_H 1
+
++#pragma GCC visibility push(hidden)
++
+
+ /* WBMP struct
+ ** -----------
+@@ -44,4 +46,6 @@
+ void freewbmp( Wbmp *wbmp );
+ void printwbmp( Wbmp *wbmp );
+
++#pragma GCC visibility pop
++
+ #endif
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-useafterfree.patch b/patches/source/libwmf/libwmf-0.2.8.4-useafterfree.patch
new file mode 100644
index 000000000..328c5411f
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-useafterfree.patch
@@ -0,0 +1,10 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_clip.c.CVE-2009-1364-im-clip-list 2009-04-24 04:06:44.000000000 -0400
++++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c 2009-04-24 04:08:30.000000000 -0400
+@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRe
+ { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+ if (more == 0) return;
+ im->clip->max += 8;
++ im->clip->list = more;
+ }
+ im->clip->list[im->clip->count] = (*rect);
+ im->clip->count++;
diff --git a/patches/source/libwmf/libwmf.SlackBuild b/patches/source/libwmf/libwmf.SlackBuild
new file mode 100755
index 000000000..3f12178f1
--- /dev/null
+++ b/patches/source/libwmf/libwmf.SlackBuild
@@ -0,0 +1,142 @@
+#!/bin/bash
+
+# Copyright 2008, 2009, 2010, 2018 Patrick J. Volkerding, Sebeka, Minnesota, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PKGNAM=libwmf
+VERSION=0.2.8.4
+BUILD=${BUILD:-6_slack14.1}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i486 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+ exit 0
+fi
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+NUMJOBS=${NUMJOBS:-" -j7 "}
+TMP=${TMP:-/tmp}
+
+PKG=$TMP/package-libwmf
+
+rm -rf $PKG
+mkdir -p $PKG
+
+cd $TMP
+rm -rf libwmf-$VERSION
+tar xvf $CWD/libwmf-$VERSION.tar.?z* || exit 1
+cd libwmf-$VERSION || exit 1
+
+zcat $CWD/libwmf.png14.diff.gz | patch -p1 --verbose || exit 1
+
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+# Miscellaneous patches from Fedora:
+zcat $CWD/libwmf-0.2.8.4-fallbackfont.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-pixbufloaderdir.patch.gz | patch -p1 --verbose || exit 1
+
+# Don't export the modified embedded GD library symbols, to avoid conflicts with
+# the system libgd:
+zcat $CWD/libwmf-0.2.8.4-reducesymbols.patch.gz | patch -p1 --verbose || exit 1
+
+# Patch security issues:
+zcat $CWD/libwmf-0.2.8.4-useafterfree.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2006-3376.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2004-0941.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2007-0455.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2007-2756.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2007-3472.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2007-3473.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2007-3477.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2009-3546.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2015-4695.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2015-4696.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2016-10167.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2016-10168.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2016-9011.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2016-9317.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/libwmf-0.2.8.4-CVE-2017-6362.patch.gz | patch -p1 --verbose || exit 1
+
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --enable-static=no \
+ --build=$ARCH-slackware-linux || exit 1
+
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+mkdir -p $PKG/usr/doc
+mv $PKG/usr/share/doc/libwmf $PKG/usr/doc/libwmf-$VERSION
+rmdir $PKG/usr/share/doc
+cp -a \
+ AUTHORS BUILDING COPYING CREDITS NEWS README TODO \
+ $PKG/usr/doc/libwmf-$VERSION
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/*-$VERSION)
+ cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/libwmf-$VERSION-$ARCH-$BUILD.txz
diff --git a/patches/source/libwmf/libwmf.png14.diff b/patches/source/libwmf/libwmf.png14.diff
new file mode 100644
index 000000000..c55b143c8
--- /dev/null
+++ b/patches/source/libwmf/libwmf.png14.diff
@@ -0,0 +1,11 @@
+--- ./src/extra/gd/gd_png.c.orig 2005-07-27 15:35:06.000000000 -0500
++++ ./src/extra/gd/gd_png.c 2010-02-14 18:24:19.000000000 -0600
+@@ -136,7 +136,7 @@
+ /* first do a quick check that the file really is a PNG image; could
+ * have used slightly more general png_sig_cmp() function instead */
+ gdGetBuf (sig, 8, infile);
+- if (!png_check_sig (sig, 8))
++ if (!(png_sig_cmp(sig, 0, 8) == 0))
+ return NULL; /* bad signature */
+
+ #ifndef PNG_SETJMP_NOT_SUPPORTED
diff --git a/patches/source/libwmf/slack-desc b/patches/source/libwmf/slack-desc
new file mode 100644
index 000000000..19f99a7de
--- /dev/null
+++ b/patches/source/libwmf/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+libwmf: libwmf (WMF graphics format library)
+libwmf:
+libwmf: libwmf is a library for interpreting metafile images and either
+libwmf: displaying them using X or converting them to standard formats such
+libwmf: as PNG, JPEG, PS, EPS and SVG.
+libwmf:
+libwmf:
+libwmf:
+libwmf:
+libwmf:
+libwmf: