community/graphicsmagick: security fixes for various CVEs:

* CVE-2017-11642
* CVE-2017-11722
* CVE-2017-12935
* CVE-2017-12936
* CVE-2017-12937
* CVE-2017-13063
* CVE-2017-13064

Fixes #7748

7 files changed, 286 insertions, 4 deletions

diff --git a/community/graphicsmagick/APKBUILD b/community/graphicsmagick/APKBUILD
index cda8a6fdd3..778e0cbb0f 100644
--- a/community/graphicsmagick/APKBUILD
+++ b/community/graphicsmagick/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Francesco Colista <fcolista@alpinelinux.org>
 pkgname=graphicsmagick
 pkgver=1.3.26
-pkgrel=1
+pkgrel=2
 pkgdesc="Image processing system"
 url="http://www.graphicsmagick.org/"
 arch="all"
@@ -13,13 +13,26 @@ makedepends="$depends_dev libtool libltdl"
 install=""
 subpackages="$pkgname-dev $pkgname-doc"
 source="http://downloads.sourceforge.net/$pkgname/$pkgname/$pkgver/GraphicsMagick-$pkgver.tar.xz
-	CVE-2017-11403.patch"
+	CVE-2017-11642.patch
+	CVE-2017-11722.patch
+	CVE-2017-12935.patch
+	CVE-2017-12936.patch
+	CVE-2017-12937.patch
+	CVE-2017-13063-13064.patch"
 options="libtool"
 
 builddir="$srcdir"/GraphicsMagick-$pkgver
 
 # security fixes:
-#   1.3.26-r1:
+#   1.3.26-r2:
+#     - CVE-2017-11642
+#     - CVE-2017-11722
+#     - CVE-2017-12935
+#     - CVE-2017-12936
+#     - CVE-2017-12937
+#     - CVE-2017-13063
+#     - CVE-2017-13064
+#   1.3.25-r2:
 #     - CVE-2017-11403
 
 build() {
@@ -48,4 +61,9 @@ package() {
 }
 
 sha512sums="b33ca0f1c858428693aee27a9089acff9e63d1110f85fa036894cfefe6274e7b2422758ea39852f94fdb4823c9c3f3c44b0d8906627503301f5928096f739f22  GraphicsMagick-1.3.26.tar.xz
-00cb425b9cb6cc0c7b92a6c795150222edf2d16d513f4d4c803ff15cfb1917e81c6854109aee0ca845d3668e515cec06c4067155f82a9ea0abde30f6bbd1e8c2  CVE-2017-11403.patch"
+1706f87cfa248bf08f2e7038ec2d3adf4ad0b9775a8787a48bb168d9bd04578e3ac01dcd384d4d961903dd738f748601619c0999b2a4b4b775e1b72489220336  CVE-2017-11642.patch
+f9167ad79f54fc3881d81b9b5cb5b84f38e847103c6945af4fda516d6696ff8e95ec48cbae84161f3dbedca48cf1f3a2afbb0831b54c32363d263c0c1ad5d595  CVE-2017-11722.patch
+2cb2ee3f88a835dff63c903bd215abb09c1812fedecbbb19c228fd2680c5762c6a20e6be1497c0fc3ed7a9b16eac6e7fe7f0fc9da4f6ef3e90fe75a049085ca7  CVE-2017-12935.patch
+b78b61d7b29c2316ecefe69c473b1aa1e93185e0da245f7cf2d351566ff737bce8e560e9b471334549e4ab76bc8752717f403e7afa9d393bdd64e191f8abbb9c  CVE-2017-12936.patch
+508ceee0aa73744e9b36c6e60b071d4dc4a5254b4d5265c4ee2bde317713b831db8958667fac44aa1e89b3cc8094027cade368f10f7f5f3d1a2980c2a70d516d  CVE-2017-12937.patch
+262434bab04541c276728111c9ec5d92abbb68e980813a50712d03505f3d3c4681b4daf02fd22e4ba11ed0daf5b553e4a47291c43f4c146554f1809292b73441  CVE-2017-13063-13064.patch"
diff --git a/community/graphicsmagick/CVE-2017-11642.patch b/community/graphicsmagick/CVE-2017-11642.patch
new file mode 100644
index 0000000000..144ed78e7e
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-11642.patch
@@ -0,0 +1,43 @@
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1500758975 18000
+# Node ID 29550606d8b9bf74f9aea0637d11d19fe706871b
+# Parent  30cd2b31f7e045de4861b102e3f8d83db579bc7a
+MAP: Fix null pointer dereference or SEGV if input is not colormapped.
+
+diff -r 30cd2b31f7e0 -r 29550606d8b9 coders/map.c
+--- a/coders/map.c	Sat Jul 22 15:40:00 2017 -0500
++++ b/coders/map.c	Sat Jul 22 16:29:35 2017 -0500
+@@ -18,7 +18,7 @@
+ %                            M   M  A   A  P                                  %
+ %                                                                             %
+ %                                                                             %
+-%                 Read/Write Image Colormaps As An Image File                 %
++%                 Read/Write Image Colormaps And Image File                   %
+ %                                                                             %
+ %                                                                             %
+ %                              Software Design                                %
+@@ -349,16 +349,17 @@
+   /*
+     Allocate colormap.
+   */
+-  if (!IsPaletteImage(image,&image->exception))
+-    (void) SetImageType(image,PaletteType);
++  if (SetImageType(image,PaletteType) == MagickFail)
++    ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image);
+   packet_size=image->depth > 8 ? 2 : 1;
+-  pixels=MagickAllocateMemory(unsigned char *,image->columns*packet_size);
++  pixels=MagickAllocateArray(unsigned char *,image->columns,packet_size);
+   if (pixels == (unsigned char *) NULL)
+     ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image);
+   packet_size=image->colors > 256 ? 6 : 3;
+-  colormap=MagickAllocateMemory(unsigned char *,packet_size*image->colors);
++  colormap=MagickAllocateArray(unsigned char *,packet_size,image->colors);
+   if (colormap == (unsigned char *) NULL)
+     ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image);
++
+   /*
+     Write colormap to file.
+   */
+
diff --git a/community/graphicsmagick/CVE-2017-11722.patch b/community/graphicsmagick/CVE-2017-11722.patch
new file mode 100644
index 0000000000..f1ce0ad73f
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-11722.patch
@@ -0,0 +1,33 @@
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+# Date 1501028322 14400
+# Node ID f423ba88ca4ed01b7143520a7e00c360049aa823
+# Parent  d1e56efb0162a836707d41182d6d658d1cad49e6
+coders/png.c: Fixed writer bug due to missing brackets
+
+diff -r d1e56efb0162 -r f423ba88ca4e coders/png.c
+--- a/coders/png.c	Tue Jul 25 19:38:39 2017 -0400
++++ b/coders/png.c	Tue Jul 25 20:18:42 2017 -0400
+@@ -7125,12 +7125,14 @@
+                           png_error(ping, "Could not allocate trans_alpha");
+ 
+                         for (i=0; i<(int) number_colors; i++)
+-                          if (trans_alpha[i] == 256)
+-                             ping_trans_alpha[i]=255;
+-                          else
+-                             ping_trans_alpha[i]=(png_byte) trans_alpha[i];
+-                         (void) LogMagickEvent(CoderEvent, GetMagickModule(),
+-                            "    Alpha[%d]=%d",(int) i, (int) trans_alpha[i]);
++                          {
++                            if (trans_alpha[i] == 256)
++                               ping_trans_alpha[i]=255;
++                            else
++                               ping_trans_alpha[i]=(png_byte) trans_alpha[i];
++                           (void) LogMagickEvent(CoderEvent, GetMagickModule(),
++                              "    Alpha[%d]=%d",(int) i, (int) trans_alpha[i]);
++                          }
+                       }
+                   }
+ 
+
diff --git a/community/graphicsmagick/CVE-2017-12935.patch b/community/graphicsmagick/CVE-2017-12935.patch
new file mode 100644
index 0000000000..650c28d3df
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-12935.patch
@@ -0,0 +1,35 @@
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+# Date 1501123201 14400
+# Node ID cd699a44f188acf23493c969ef2d3f9fa7c8f8df
+# Parent  be898b7c97bd855fc6fa0cef983faae916bd0c93
+Reject MNG with too-large dimensions (over 65535)
+
+diff -r be898b7c97bd -r cd699a44f188 coders/png.c
+--- a/coders/png.c	Wed Jul 26 19:47:56 2017 -0500
++++ b/coders/png.c	Wed Jul 26 22:40:01 2017 -0400
+@@ -4084,11 +4084,17 @@
+                   mng_info->image=image;
+                 }
+ 
+-              if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
+-                                                     > 65535L))
+-                (void) ThrowException(&image->exception,ImageError,
+-                                      WidthOrHeightExceedsLimit,
+-                                      image->filename);
++              if ((mng_info->mng_width > 65535L) ||
++                  (mng_info->mng_height > 65535L))
++                {
++                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++                      "  MNG width or height is too large: %lu, %lu",
++                      mng_info->mng_width,mng_info->mng_height);
++                  MagickFreeMemory(chunk);
++                  ThrowReaderException(CorruptImageError,
++                     ImproperImageHeader,image);
++                }
++
+               FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width,
+                            mng_info->mng_height);
+               mng_info->frame.left=0;
+
diff --git a/community/graphicsmagick/CVE-2017-12936.patch b/community/graphicsmagick/CVE-2017-12936.patch
new file mode 100644
index 0000000000..37a4e6be9c
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-12936.patch
@@ -0,0 +1,23 @@
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1501116476 18000
+# Node ID be898b7c97bd855fc6fa0cef983faae916bd0c93
+# Parent  6a632982c866f36dbad87e4ab953e08a290eaa8b
+WMF: Eliminate use of already freed heap data in error reporting path.
+
+diff -r 6a632982c866 -r be898b7c97bd coders/wmf.c
+--- a/coders/wmf.c	Tue Jul 25 20:11:16 2017 -0500
++++ b/coders/wmf.c	Wed Jul 26 19:47:56 2017 -0500
+@@ -2719,8 +2719,8 @@
+   if(image->exception.severity != UndefinedException)
+     ThrowException2(exception,
+                    CoderWarning,
+-                   ddata->image->exception.reason,
+-                   ddata->image->exception.description);
++                   image->exception.reason,
++                   image->exception.description);
+ 
+   if(logging)
+     (void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()");
+
diff --git a/community/graphicsmagick/CVE-2017-12937.patch b/community/graphicsmagick/CVE-2017-12937.patch
new file mode 100644
index 0000000000..ee78a0ecda
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-12937.patch
@@ -0,0 +1,34 @@
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1501555785 18000
+# Node ID 95d00d55e978dec3e1bb4c288dbc210b5cc8bea1
+# Parent  921a31d31ea85405b54771941e195782e50e589d
+SUN: Fix heap read overflow while indexing colormap in bilevel decoder
+
+diff -r 921a31d31ea8 -r 95d00d55e978 coders/sun.c
+--- a/coders/sun.c	Mon Jul 31 09:35:26 2017 -0400
++++ b/coders/sun.c	Mon Jul 31 21:49:45 2017 -0500
+@@ -1,5 +1,5 @@
+ /*
+-% Copyright (C) 2003-2015 GraphicsMagick Group
++% Copyright (C) 2003-2017 GraphicsMagick Group
+ % Copyright (C) 2002 ImageMagick Studio
+ % Copyright 1991-1999 E. I. du Pont de Nemours and Company
+ %
+@@ -577,6 +577,7 @@
+           for (bit=7; bit >= 0; bit--)
+             {
+               index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
++              VerifyColormapIndex(image,index);
+               indexes[x+7-bit]=index;
+               q[x+7-bit]=image->colormap[index];
+             }
+@@ -587,6 +588,7 @@
+             for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--)
+               {
+                 index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
++                VerifyColormapIndex(image,index);
+                 indexes[x+7-bit]=index;
+                 q[x+7-bit]=image->colormap[index];
+               }
diff --git a/community/graphicsmagick/CVE-2017-13063-13064.patch b/community/graphicsmagick/CVE-2017-13063-13064.patch
new file mode 100644
index 0000000000..ce35e0623c
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-13063-13064.patch
@@ -0,0 +1,96 @@
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1502890099 18000
+# Node ID 54f48ab2d52a2a4af99781057075d8ea9744a649
+# Parent  4970ea920a9388d6f08be1b35d58ef5efded4908
+SVG: Fix buffer-overflow and inconsistent behavior in GetStyleTokens().
+
+diff -r 4970ea920a93 -r 54f48ab2d52a coders/svg.c
+--- a/coders/svg.c	Tue Aug 15 08:05:00 2017 -0500
++++ b/coders/svg.c	Wed Aug 16 08:28:19 2017 -0500
+@@ -267,11 +267,12 @@
+   char
+     **tokens;
+ 
+-  register const char
++  const char
+     *p,
+     *q;
+ 
+-  register size_t
++  size_t
++    alloc_tokens,
+     i;
+ 
+   SVGInfo
+@@ -279,21 +280,27 @@
+ 
+   svg_info=(SVGInfo *) context;
+   *number_tokens=0;
++  alloc_tokens=0;
+   if (text == (const char *) NULL)
+     return((char **) NULL);
+   /*
+     Determine the number of arguments.
++
++    style="fill: red; stroke: blue; stroke-width: 3"
+   */
+   for (p=text; *p != '\0'; p++)
+     if (*p == ':')
+-      (*number_tokens)+=2;
+-  tokens=MagickAllocateMemory(char **,(*number_tokens+2)*sizeof(*tokens));
++      alloc_tokens+=2;
++  if (alloc_tokens == 0)
++    return((char **) NULL);
++  tokens=MagickAllocateMemory(char **,(alloc_tokens+2)*sizeof(*tokens));
+   if (tokens == (char **) NULL)
+     {
+       ThrowException3(svg_info->exception,ResourceLimitError,
+                       MemoryAllocationFailed,UnableToConvertStringToTokens);
+       return((char **) NULL);
+     }
++  (void) memset(tokens,0,(alloc_tokens+2)*sizeof(*tokens));
+   /*
+     Convert string to an ASCII list.
+   */
+@@ -304,14 +311,36 @@
+       if ((*q != ':') && (*q != ';') && (*q != '\0'))
+         continue;
+       tokens[i]=AllocateString(p);
++      if (tokens[i] == NULL)
++        {
++          ThrowException3(svg_info->exception,ResourceLimitError,
++                          MemoryAllocationFailed,UnableToConvertStringToTokens);
++          break;
++        }
+       (void) strlcpy(tokens[i],p,q-p+1);
+-      Strip(tokens[i++]);
++      Strip(tokens[i]);
++      i++;
++      if (i >= alloc_tokens)
++        break;
+       p=q+1;
+     }
+-  tokens[i]=AllocateString(p);
+-  (void) strlcpy(tokens[i],p,q-p+1);
+-  Strip(tokens[i++]);
++  if (i < alloc_tokens)
++    {
++      tokens[i]=AllocateString(p);
++      if (tokens[i] == NULL)
++        {
++          ThrowException3(svg_info->exception,ResourceLimitError,
++                          MemoryAllocationFailed,UnableToConvertStringToTokens);
++        }
++      else
++        {
++          (void) strlcpy(tokens[i],p,q-p+1);
++          Strip(tokens[i]);
++          i++;
++        }
++    }
+   tokens[i]=(char *) NULL;
++  *number_tokens=i;
+   return(tokens);
+ }
+