- Assign maintainership

- Resolve backlog of CVEs

PR:		201513
Reported by:	Sevan Janiyan
Submitted by:	Jason Unovitch (maintainer)
Security:	CVE-2004-0941 [1]
Security:	CVE-2007-0455 [1]
Security:	CVE-2007-2756 [1]
Security:	CVE-2007-3472 [1]
Security:	CVE-2007-3473 [1]
Security:	CVE-2007-3477 [1]
Security:	CVE-2009-3546 [1]
Security:	CVE-2015-4695 [2]
Security:	CVE-2015-4696 [3]
Security:	CVE-2015-0848 [4]
Security:	CVE-2015-4588 [4]
Security:	ca139c7f-2a8c-11e5-a4a5-002590263bf5
Obtained From:	CentOS libwmf RPM git [1]
Obtained From:	Debian Bug 784205 [2]
Obtained From:	Debian Bug 784192 [3]
Obtained From:	Red Hat Bug 1227243 [4]
MFH:		2015Q3

12 files changed, 380 insertions, 2 deletions

diff --git a/graphics/libwmf/Makefile b/graphics/libwmf/Makefile
index 6eee70dce710..8ba7bae9927e 100644
--- a/graphics/libwmf/Makefile
+++ b/graphics/libwmf/Makefile
@@ -3,11 +3,11 @@
 
 PORTNAME=	libwmf
 PORTVERSION=	0.2.8.4
-PORTREVISION=	13
+PORTREVISION=	14
 CATEGORIES=	graphics
 MASTER_SITES=	SF/wvware/${PORTNAME}/${PORTVERSION}
 
-MAINTAINER=	ports@FreeBSD.org
+MAINTAINER=	jason.unovitch@gmail.com
 COMMENT=	Tools and library for converting Microsoft WMF (windows metafile)
 
 LICENSE=	GPLv2 # or later
diff --git a/graphics/libwmf/files/patch-CAN-2004-0941 b/graphics/libwmf/files/patch-CAN-2004-0941
new file mode 100644
index 000000000000..0d34206e6140
--- /dev/null
+++ b/graphics/libwmf/files/patch-CAN-2004-0941
@@ -0,0 +1,17 @@
+--- src/extra/gd/gd_png.c	2004-11-11 14:02:37.407589824 -0500
++++ src/extra/gd/gd_png.c	2004-11-11 14:04:29.672522960 -0500
+@@ -188,6 +188,14 @@
+ 
+   png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 		&interlace_type, NULL, NULL);
++  if (overflow2(sizeof (int), width)) 
++    {
++      return NULL;
++    }
++  if (overflow2(sizeof (int) * width, height)) 
++    {
++      return NULL;
++    }  
+   if ((color_type == PNG_COLOR_TYPE_RGB) ||
+       (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+     {
diff --git a/graphics/libwmf/files/patch-CVE-2007-0455 b/graphics/libwmf/files/patch-CVE-2007-0455
new file mode 100644
index 000000000000..dc9e975ac328
--- /dev/null
+++ b/graphics/libwmf/files/patch-CVE-2007-0455
@@ -0,0 +1,11 @@
+--- src/extra/gd/gdft.c	2010-12-06 11:18:26.000000000 +0000
++++ src/extra/gd/gdft.c	2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ 	    {
+ 	      ch = c & 0xFF;	/* don't extend sign */
+ 	    }
+-	  next++;
++	  if (*next) next++;
+ 	}
+       else
+ 	{
diff --git a/graphics/libwmf/files/patch-CVE-2007-2756 b/graphics/libwmf/files/patch-CVE-2007-2756
new file mode 100644
index 000000000000..ba367c82de12
--- /dev/null
+++ b/graphics/libwmf/files/patch-CVE-2007-2756
@@ -0,0 +1,16 @@
+--- src/extra/gd/gd_png.c	1 Apr 2007 20:41:01 -0000	1.21.2.1
++++ src/extra/gd/gd_png.c	16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ 	       png_bytep data, png_size_t length)
+ {
+-  gdGetBuf (data, length, (gdIOCtx *)
+-	    png_get_io_ptr (png_ptr));
++  int check;
++  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++  if (check != length) {
++    png_error(png_ptr, "Read Error: truncated data");
++  }
+ }
+ 
+ static void
diff --git a/graphics/libwmf/files/patch-CVE-2007-3472 b/graphics/libwmf/files/patch-CVE-2007-3472
new file mode 100644
index 000000000000..1f297f3aa5ff
--- /dev/null
+++ b/graphics/libwmf/files/patch-CVE-2007-3472
@@ -0,0 +1,61 @@
+Patch modified slightly from upstream CentOS version
+
+--- src/extra/gd/gd.c
++++ src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+   gdImagePtr im;
+   unsigned long cpa_size;
+ 
++  if (overflow2(sx, sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof (int *), sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof(int), sx)) {
++    return NULL;
++  }
++
+   im = (gdImage *) gdMalloc (sizeof (gdImage));
+   if (im == 0) return 0;
+   memset (im, 0, sizeof (gdImage));
+--- src/extra/gd/gdhelpers.c	2010-12-06 11:47:31.000000000 +0000
++++ src/extra/gd/gdhelpers.c	2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+ 
+@@ -94,3 +95,18 @@
+ {
+   free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++	if(a < 0 || b < 0) {
++		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++		return 1;
++	}
++	if(b == 0)
++		return 0;
++	if(a > INT_MAX / b) {
++		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++		return 1;
++	}
++	return 0;
++}
+--- src/extra/gd/gdhelpers.h	2010-12-06 11:47:17.000000000 +0000
++++ src/extra/gd/gdhelpers.h	2010-12-06 11:48:36.000000000 +0000
+@@ -15,4 +15,6 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+ 
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */
diff --git a/graphics/libwmf/files/patch-CVE-2007-3473 b/graphics/libwmf/files/patch-CVE-2007-3473
new file mode 100644
index 000000000000..124be61ad1ad
--- /dev/null
+++ b/graphics/libwmf/files/patch-CVE-2007-3473
@@ -0,0 +1,13 @@
+--- src/extra/gd/gd.c
++++ src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+     }
+   bytes = (w * h / 8) + 1;
+   im = gdImageCreate (w, h);
++  if (!im) {
++    return 0;
++  }
++
+   gdImageColorAllocate (im, 255, 255, 255);
+   gdImageColorAllocate (im, 0, 0, 0);
+   x = 0;
diff --git a/graphics/libwmf/files/patch-CVE-2007-3477 b/graphics/libwmf/files/patch-CVE-2007-3477
new file mode 100644
index 000000000000..108146a2c841
--- /dev/null
+++ b/graphics/libwmf/files/patch-CVE-2007-3477
@@ -0,0 +1,38 @@
+--- src/extra/gd/gd.c
++++ src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+   int w2, h2;
+   w2 = w / 2;
+   h2 = h / 2;
+-  while (e < s)
+-    {
+-      e += 360;
+-    }
++
++  if ((s % 360)  == (e % 360)) {
++         s = 0; e = 360;
++  } else {
++         if (s > 360) {
++                 s = s % 360;
++         }
++
++         if (e > 360) {
++                 e = e % 360;
++         }
++
++         while (s < 0) {
++                 s += 360;
++         }
++
++         while (e < s) {
++                 e += 360;
++         }
++
++         if (s == e) {
++                 s = 0; e = 360;
++         }
++  }
++
+   for (i = s; (i <= e); i++)
+     {
+       int x, y;
diff --git a/graphics/libwmf/files/patch-CVE-2009-3546 b/graphics/libwmf/files/patch-CVE-2009-3546
new file mode 100644
index 000000000000..081831a12626
--- /dev/null
+++ b/graphics/libwmf/files/patch-CVE-2009-3546
@@ -0,0 +1,13 @@
+--- src/extra/gd/gd_gd.c	2010-12-06 14:56:06.000000000 +0000
++++ src/extra/gd/gd_gd.c	2010-12-06 14:57:04.000000000 +0000
+@@ -42,6 +42,10 @@
+ 	    {
+ 	      goto fail1;
+ 	    }
++	  if (&im->colorsTotal > gdMaxColors)
++	    {
++	      goto fail1;
++	    }
+ 	}
+       /* Int to accommodate truecolor single-color transparency */
+       if (!gdGetInt (&im->transparent, in))
diff --git a/graphics/libwmf/files/patch-deb784192-CVE-2015-4696 b/graphics/libwmf/files/patch-deb784192-CVE-2015-4696
new file mode 100644
index 000000000000..f4b3a03b57ab
--- /dev/null
+++ b/graphics/libwmf/files/patch-deb784192-CVE-2015-4696
@@ -0,0 +1,20 @@
+--- src/player/meta.h
++++ src/player/meta.h
+ 
++		if (FR->region_clip) FR->region_clip (API,&polyrect);
++
+ 		wmf_free (API,polyrect.TL);
+ 		wmf_free (API,polyrect.BR);
+ 	}
+@@ -2593,9 +2595,10 @@
+ 		polyrect.BR = 0;
+ 
+ 		polyrect.count = 0;
++	
++		if (FR->region_clip) FR->region_clip (API,&polyrect);
+ 	}
+ 
+-	if (FR->region_clip) FR->region_clip (API,&polyrect);
+ 
+ 	return (changed);
+ }
diff --git a/graphics/libwmf/files/patch-deb784205-CVE-2015-4695 b/graphics/libwmf/files/patch-deb784205-CVE-2015-4695
new file mode 100644
index 000000000000..1e605e8843f2
--- /dev/null
+++ b/graphics/libwmf/files/patch-deb784205-CVE-2015-4695
@@ -0,0 +1,58 @@
+Index: src/player/meta.h
+===================================================================
+--- libwmf-0.2.8.4.orig/src/player/meta.h
++++ src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
diff --git a/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848 b/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848
new file mode 100644
index 000000000000..45e5caa66298
--- /dev/null
+++ b/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848
@@ -0,0 +1,20 @@
+--- src/ipa/ipa/bmp.h	2015-06-02 11:35:04.072201795 +0100
++++ src/ipa/ipa/bmp.h	2015-06-02 11:35:20.647406414 +0100
+@@ -1145,8 +1143,15 @@
+ 		}
+ 	}
+ 	else
+-	{	/* Convert run-length encoded raster pixels. */
+-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++	{
++		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
++		{
++			DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++		}
++		else
++		{	WMF_ERROR (API,"Unexpected pixel depth");
++			API->err = wmf_E_BadFormat;
++		}
+ 	}
+ 
+ 	if (ERR (API))
diff --git a/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588 b/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588
new file mode 100644
index 000000000000..10b6bef2d29d
--- /dev/null
+++ b/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588
@@ -0,0 +1,111 @@
+diff -ru src/ipa/ipa/bmp.h src/ipa/ipa/bmp.h
+--- src/ipa/ipa/bmp.h	2015-06-03 09:30:59.410501271 +0100
++++ src/ipa/ipa/bmp.h	2015-06-03 09:31:05.775572630 +0100
+@@ -859,7 +859,7 @@
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ {	int byte;
+ 	int count;
+ 	int i;
+@@ -870,12 +870,14 @@
+ 	U32 u;
+ 
+ 	unsigned char* q;
++	unsigned char* end;
+ 
+ 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+ 
+ 	byte = 0;
+ 	x = 0;
+ 	q = pixels;
++	end = pixels + bmp->width * bmp->height;
+ 
+ 	for (y = 0; y < bmp->height; )
+ 	{	count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@
+ 		{	/* Encoded mode. */
+ 			byte = ReadBlobByte (src);
+ 			for (i = 0; i < count; i++)
+-			{	if (compression == 1)
++			{	
++				if (q == end)
++					return 0;
++			 	if (compression == 1)
+ 				{	(*(q++)) = (unsigned char) byte;
+ 				}
+ 				else
+@@ -896,13 +901,15 @@
+ 		else
+ 		{	/* Escape mode. */
+ 			count = ReadBlobByte (src);
+-			if (count == 0x01) return;
++			if (count == 0x01) return 1;
+ 			switch (count)
+ 			{
+ 			case 0x00:
+ 			 {	/* End of line. */
+ 				x = 0;
+ 				y++;
++				if (y >= bmp->height)
++					return 0;
+ 				q = pixels + y * bmp->width;
+ 				break;
+ 			 }
+@@ -910,13 +917,20 @@
+ 			 {	/* Delta mode. */
+ 				x += ReadBlobByte (src);
+ 				y += ReadBlobByte (src);
++				if (y >= bmp->height)
++					return 0;
++				if (x >= bmp->width)
++					return 0;
+ 				q = pixels + y * bmp->width + x;
+ 				break;
+ 			 }
+ 			default:
+ 			 {	/* Absolute mode. */
+ 				for (i = 0; i < count; i++)
+-				{	if (compression == 1)
++				{
++					if (q == end)
++						return 0;
++					if (compression == 1)
+ 					{	(*(q++)) = ReadBlobByte (src);
+ 					}
+ 					else
+@@ -943,7 +957,7 @@
+ 	byte = ReadBlobByte (src);  /* end of line */
+ 	byte = ReadBlobByte (src);
+ 
+-	return;
++	return 1;
+ }
+ 
+ /*
+@@ -1146,7 +1160,10 @@
+ 	{
+ 		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
+ 		{
+-			DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
++			{	WMF_ERROR (API,"corrupt bmp");
++				API->err = wmf_E_BadFormat;
++			}
+ 		}
+ 		else
+ 		{	WMF_ERROR (API,"Unexpected pixel depth");
+diff -ru src/ipa/ipa.h src/ipa/ipa.h
+--- src/ipa/ipa.h	2015-06-03 09:30:59.410501271 +0100
++++ src/ipa/ipa.h	2015-06-03 09:31:08.687605277 +0100
+@@ -48,7 +48,7 @@
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long  ReadBlobLSBLong (BMPSource*);
+ static long           TellBlob (BMPSource*);
+-static void           DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int            DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void           ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int            ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void           SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);