commit 6117b2b36165301a8b6340edefc42847b8e0cb06 Author: CentOS Sources Date: Tue May 7 07:35:56 2019 -0400 import libgxps-0.3.0-5.el8
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e631c69
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libgxps-0.3.0.tar.xz
diff --git a/.libgxps.metadata b/.libgxps.metadata
new file mode 100644
index 0000000..0ac1c04
--- /dev/null
+++ b/.libgxps.metadata
@@ -0,0 +1 @@
+3e30b03543bdc4529815eb97261041d152f7785a SOURCES/libgxps-0.3.0.tar.xz
diff --git a/SOURCES/libgxps-0.3.0-archive-fill-error.patch b/SOURCES/libgxps-0.3.0-archive-fill-error.patch
new file mode 100644
index 0000000..cc70a93
--- /dev/null
+++ b/SOURCES/libgxps-0.3.0-archive-fill-error.patch
@@ -0,0 +1,114 @@
+From b458226e162fe1ffe7acb4230c114a52ada5131b Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Sat, 5 May 2018 12:01:24 +0200
+Subject: [PATCH 1/2] gxps-archive: Ensure gxps_archive_read_entry() fills the
+ GError in case of failure
+
+And fix the callers to not overwrite the GError.
+---
+ libgxps/gxps-archive.c | 15 +++++++++++----
+ libgxps/gxps-fonts.c | 17 +++++------------
+ libgxps/gxps-images.c | 17 ++++++-----------
+ 3 files changed, 22 insertions(+), 27 deletions(-)
+
+diff --git a/libgxps/gxps-archive.c b/libgxps/gxps-archive.c
+index e763773..346ba73 100644
+--- a/libgxps/gxps-archive.c
++++ b/libgxps/gxps-archive.c
+@@ -406,9 +406,13 @@ gxps_archive_read_entry (GXPSArchive *archive,
+ gboolean retval;
+
+ stream = gxps_archive_open (archive, path);
+- if (!stream)
+- /* TODO: Error */
++ if (!stream) {
++ g_set_error (error,
++ G_IO_ERROR,
++ G_IO_ERROR_NOT_FOUND,
++ "The entry '%s' was not found in archive", path);
+ return FALSE;
++ }
+
+ entry_size = archive_entry_size (GXPS_ARCHIVE_INPUT_STREAM (stream)->entry);
+ if (entry_size <= 0) {
+@@ -423,7 +427,7 @@ gxps_archive_read_entry (GXPSArchive *archive,
+ *buffer = g_malloc (buffer_size);
+ do {
+ bytes = g_input_stream_read (stream, &buf, BUFFER_SIZE, NULL, error);
+- if (*error != NULL) {
++ if (bytes < 0) {
+ g_free (*buffer);
+ g_object_unref (stream);
+
+@@ -441,7 +445,10 @@ gxps_archive_read_entry (GXPSArchive *archive,
+ g_object_unref (stream);
+
+ if (*bytes_read == 0) {
+- /* TODO: Error */
++ g_set_error (error,
++ G_IO_ERROR,
++ G_IO_ERROR_INVALID_DATA,
++ "The entry '%s' is empty in archive", path);
+ g_free (*buffer);
+ return FALSE;
+ }
+diff --git a/libgxps/gxps-fonts.c b/libgxps/gxps-fonts.c
+index 882157d..8d02ffc 100644
+--- a/libgxps/gxps-fonts.c
++++ b/libgxps/gxps-fonts.c
+@@ -220,19 +220,12 @@ gxps_fonts_new_font_face (GXPSArchive *zip,
+ cairo_font_face_t *font_face;
+ guchar *font_data;
+ gsize font_data_len;
+- gboolean res;
+
+- res = gxps_archive_read_entry (zip, font_uri,
+- &font_data, &font_data_len,
+- error);
+- if (!res) {
+- g_set_error (error,
+- GXPS_ERROR,
+- GXPS_ERROR_SOURCE_NOT_FOUND,
+- "Font source %s not found in archive",
+- font_uri);
+- return NULL;
+- }
++ if (!gxps_archive_read_entry (zip, font_uri,
++ &font_data, &font_data_len,
++ error)) {
++ return NULL;
++ }
+
+ ft_face.font_data = font_data;
+ ft_face.font_data_len = (gssize)font_data_len;
+diff --git a/libgxps/gxps-images.c b/libgxps/gxps-images.c
+index 4dcf9e2..50f899f 100644
+--- a/libgxps/gxps-images.c
++++ b/libgxps/gxps-images.c
+@@ -742,17 +742,12 @@ gxps_images_create_from_tiff (GXPSArchive *zip,
+ guchar *data;
+ guchar *p;
+
+- if (!gxps_archive_read_entry (zip, image_uri,
+- &buffer.buffer,
+- &buffer.buffer_len,
+- error)) {
+- g_set_error (error,
+- GXPS_ERROR,
+- GXPS_ERROR_SOURCE_NOT_FOUND,
+- "Image source %s not found in archive",
+- image_uri);
+- return NULL;
+- }
++ if (!gxps_archive_read_entry (zip, image_uri,
++ &buffer.buffer,
++ &buffer.buffer_len,
++ error)) {
++ return NULL;
++ }
+
+ buffer.pos = 0;
+
+--
+2.17.1
+
diff --git a/SOURCES/libgxps-0.3.0-archive-handle-error.patch b/SOURCES/libgxps-0.3.0-archive-handle-error.patch
new file mode 100644
index 0000000..d9c85a4
--- /dev/null
+++ b/SOURCES/libgxps-0.3.0-archive-handle-error.patch
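Review bot: Removing the `g_set_error (error, GXPS_ERROR, GXPS_ERROR_SOURCE_NOT_FOUND, ...)` calls from gxps_fonts_new_font_face() and gxps_images_create_from_tiff() changes the error domain callers receive from GXPS_ERROR to G_IO_ERROR, so any caller that matches on GXPS_ERROR_SOURCE_NOT_FOUND will no longer recognise a missing font or image source. If that code is part of the library's public contract, either raise it from the `if (!stream)` branch of gxps_archive_read_entry() or translate in the callers after `g_clear_error (error);`. Separately, the `*bytes_read == 0` path does `g_free (*buffer); return FALSE;` and leaves the freed pointer in the out-parameter; adding `*buffer = NULL;` after the free (and in the read-error path above it) makes a caller that ignores the return value fail on NULL rather than on freed memory. All three function bodies start and end outside the visible hunks.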
@@ -0,0 +1,30 @@
+From 133fe2a96e020d4ca65c6f64fb28a404050ebbfd Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Sat, 5 May 2018 12:02:36 +0200
+Subject: [PATCH 2/2] gxps-archive: Handle errors returned by archive_read_data
+
+---
+ libgxps/gxps-archive.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libgxps/gxps-archive.c b/libgxps/gxps-archive.c
+index 346ba73..1bae729 100644
+--- a/libgxps/gxps-archive.c
++++ b/libgxps/gxps-archive.c
+@@ -520,6 +520,13 @@ gxps_archive_input_stream_read (GInputStream *stream,
+ return -1;
+
+ bytes_read = archive_read_data (istream->zip->archive, buffer, count);
++ if (bytes_read < 0) {
++ g_set_error_literal (error,
++ G_IO_ERROR,
++ g_io_error_from_errno (archive_errno (istream->zip->archive)),
++ archive_error_string (istream->zip->archive));
++ return -1;
++ }
+ if (bytes_read == 0 && istream->is_interleaved && !gxps_archive_input_stream_is_last_piece (istream)) {
+ /* Read next piece */
+ gxps_archive_input_stream_next_piece (istream);
+--
+2.17.1
+
diff --git a/SOURCES/libgxps-0.3.0-clear-error.patch b/SOURCES/libgxps-0.3.0-clear-error.patch
new file mode 100644
index 0000000..89123c6
--- /dev/null
+++ b/SOURCES/libgxps-0.3.0-clear-error.patch
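Review bot: The added error branch passes `archive_error_string (istream->zip->archive)` straight to `g_set_error_literal()` as the message, and libarchive can return NULL from that call when no message was recorded. GLib rejects a NULL message, so `*error` would stay unset while the function still returns -1, and a caller that reads the GError after a failed read would dereference NULL. Take the string into a local first, `const char *msg = archive_error_string (istream->zip->archive);`, and pass `msg ? msg : "Failed to read archive entry"`. `archive_errno()` may also carry libarchive's own non-errno codes, which `g_io_error_from_errno()` presumably maps to the generic failure code; a one-line comment saying so would help. The function body continues outside the hunk.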
@@ -0,0 +1,30 @@
+From 672c65ea8cbd2bcfd82a6b6498a4f1eb9daf5ec5 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Fri, 8 Dec 2017 11:20:25 +0100
+Subject: [PATCH 2/2] gxps-images: clear the error before trying to load an
+ image again
+
+In gxps_images_get_image() we first try with the image file extension,
+and if that fails then we try guessing the content type. If the image
+load failed the first time, the GError might be filled already, so we
+need to clear it before passing it to create functions again.
+---
+ libgxps/gxps-images.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libgxps/gxps-images.c b/libgxps/gxps-images.c
+index 19cb1c0..4dcf9e2 100644
+--- a/libgxps/gxps-images.c
++++ b/libgxps/gxps-images.c
+@@ -925,6 +925,8 @@ gxps_images_get_image (GXPSArchive *zip,
+ if (!image) {
+ gchar *mime_type;
+
++ g_clear_error(error);
++
+ mime_type = gxps_images_guess_content_type (zip, image_uri);
+ if (g_strcmp0 (mime_type, "image/png") == 0) {
+ image = gxps_images_create_from_png (zip, image_uri, error);
+--
+2.17.1
+
diff --git a/SOURCES/libgxps-0.3.0-integer-overflow.patch b/SOURCES/libgxps-0.3.0-integer-overflow.patch
new file mode 100644
index 0000000..bbb6485
--- /dev/null
+++ b/SOURCES/libgxps-0.3.0-integer-overflow.patch
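Review bot: Clearing the error unconditionally at the top of the `if (!image)` fallback discards the first loader's diagnostic even when the content-type guess matches no decoder, which would hand the caller a NULL image with no GError set. The branches after the `image/png` comparison are outside the hunk, so confirm that every fall-through path sets an error. If one does not, add a final `g_set_error ()` there rather than relying on the first attempt's error. As a style point, the added call should follow the spacing used by the surrounding lines: `g_clear_error (error);`.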
@@ -0,0 +1,25 @@
+From 123dd99c6a1ae2ef6fcb5547e51fa58e8c954b51 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Fri, 8 Dec 2017 11:11:38 +0100
+Subject: [PATCH 1/2] gxps-images: fix integer overflow in png decoder
+
+---
+ libgxps/gxps-images.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgxps/gxps-images.c b/libgxps/gxps-images.c
+index 98c7052..19cb1c0 100644
+--- a/libgxps/gxps-images.c
++++ b/libgxps/gxps-images.c
+@@ -286,7 +286,7 @@ gxps_images_create_from_png (GXPSArchive *zip,
+ }
+
+ stride = cairo_format_stride_for_width (format, png_width);
+- if (stride < 0) {
++ if (stride < 0 || png_height >= INT_MAX / stride) {
+ fill_png_error (error, image_uri, NULL);
+ g_object_unref (stream);
+ png_destroy_read_struct (&png, &info, NULL);
+--
+2.17.1
+
diff --git a/SPECS/libgxps.spec b/SPECS/libgxps.spec
new file mode 100644
index 0000000..1f6d217
--- /dev/null
+++ b/SPECS/libgxps.spec
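Review bot: The new bound `png_height >= INT_MAX / stride` divides by `stride`, but the test in front of it rejects only negative values, so a stride of 0 would be a division by zero. Whether `cairo_format_stride_for_width ()` can return 0 here depends on whether a zero `png_width` can reach this line, which is decided outside the hunk. Tightening the first test covers both cases: `if (stride <= 0 || png_height >= INT_MAX / stride) {`. A one-line comment naming the size computation this guard protects (presumably the later stride-times-height buffer size, not visible here) would also help the next reader.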
@@ -0,0 +1,192 @@
+Name: libgxps
+Version: 0.3.0
+Release: 5%{?dist}
+Summary: GObject based library for handling and rendering XPS documents
+
+License: LGPLv2+
+URL: https://wiki.gnome.org/Projects/libgxps
+Source0: https://ftp.gnome.org/pub/gnome/sources/%{name}/0.3/%{name}-%{version}.tar.xz
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1576113
+Patch0: libgxps-0.3.0-archive-fill-error.patch
+Patch1: libgxps-0.3.0-archive-handle-error.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1524378
+Patch2: libgxps-0.3.0-integer-overflow.patch
+Patch3: libgxps-0.3.0-clear-error.patch
+
+BuildRequires: meson
+BuildRequires: gcc
+BuildRequires: gtk3-devel
+BuildRequires: glib2-devel
+BuildRequires: gobject-introspection-devel
+BuildRequires: gtk-doc
+BuildRequires: cairo-devel
+BuildRequires: libarchive-devel
+BuildRequires: freetype-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libtiff-devel
+BuildRequires: lcms2-devel
+
+%description
+libgxps is a GObject based library for handling and rendering XPS
+documents.
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%package tools
+Summary: Command-line utility programs for manipulating XPS files
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description tools
+The %{name}-tools contains command-line programs for manipulating XPS format
+documents using the %{name} library.
+
+
+%prep
+%autosetup -p1
+
+
+%build
+%meson -Denable-gtk-doc=true -Denable-man=true
+%meson_build
+
+
+%install
+%meson_install
+
+
+%files
+%doc AUTHORS MAINTAINERS NEWS README TODO
+%license COPYING
+%{_libdir}/*.so.*
+%{_libdir}/girepository-1.0/*.typelib
+
+
+%files devel
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+%{_datadir}/gir-1.0/*.gir
+%{_datadir}/gtk-doc/html/libgxps
+
+
+%files tools
+%{_bindir}/xpsto*
+%{_mandir}/man1/xpsto*.1.gz
+
+
+%changelog
+* Thu Jun 21 2018 Marek Kasik - 0.3.0-5
+- Fix integer overflow in png decoder
+- Clear the error before trying to load an image again
+- Resolves: #1524378
+
+* Wed Jun 20 2018 Marek Kasik - 0.3.0-4
+- Ensure gxps_archive_read_entry() fills the GError in case of failure
+- Handle errors returned by archive_read_data()
+- Fixes CVE-2018-10733
+- Resolves: #1576113
+
+* Wed Feb 07 2018 Fedora Release Engineering - 0.3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 30 2018 Tom Hughes - 0.3.0-2
+- Drop ldconfig scriptlets
+
+* Thu Aug 10 2017 Tom Hughes - 0.3.0-1
+- Update to 0.3.0 upstream release
+
+* Thu Aug 03 2017 Fedora Release Engineering - 0.2.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 0.2.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Feb 25 2017 Tom Hughes - 0.2.5-1
+- Update to 0.2.5 upstream release
+
+* Fri Feb 10 2017 Fedora Release Engineering - 0.2.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Jun 21 2016 Tom Hughes - 0.2.4-1
+- Update to 0.2.4 upstream release
+
+* Thu Feb 04 2016 Fedora Release Engineering - 0.2.3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Sep 4 2015 Tom Hughes - 0.2.3.2-1
+- Update to 0.2.3.2 upstream release
+
+* Sat Aug 15 2015 Tom Hughes - 0.2.3.1-1
+- Update to 0.2.3.1 upstream release
+
+* Thu Aug 13 2015 Tom Hughes - 0.2.3-1
+- Update to 0.2.3 upstream release
+
+* Wed Jun 17 2015 Fedora Release Engineering - 0.2.2-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering - 0.2.2-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Jul 22 2014 Kalev Lember - 0.2.2-10
+- Rebuilt for gobject-introspection 1.41.4
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.2.2-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Aug 03 2013 Fedora Release Engineering - 0.2.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.2.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Jan 18 2013 Adam Tkac - 0.2.2-6
+- rebuild due to "jpeg8-ABI" feature drop
+
+* Thu Jan 17 2013 Tomas Bzatek - 0.2.2-5
+- Rebuilt for new libarchive
+
+* Fri Dec 21 2012 Adam Tkac - 0.2.2-4
+- rebuild against new libjpeg
+
+* Thu Jul 19 2012 Fedora Release Engineering - 0.2.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun May 6 2012 Tom Hughes - 0.2.2-2
+- Rebuilt for new libtiff.
+
+* Mon Mar 19 2012 Tom Hughes - 0.2.2-1
+- Update to 0.2.2 upstream release.
+
+* Thu Jan 26 2012 Tomas Bzatek - 0.2.1-4
+- Rebuilt for new libarchive
+
+* Thu Jan 26 2012 Tom Hughes - 0.2.1-3
+- Correct summary and description for tools package.
+
+* Thu Jan 26 2012 Tom Hughes - 0.2.1-2
+- Rebuild for libarchive soname bump.
+
+* Sat Jan 21 2012 Tom Hughes - 0.2.1-1
+- Update to 0.2.1 upstream release.
+
+* Wed Jan 4 2012 Tom Hughes - 0.2.0-2
+- Rebuilt for gcc 4.7 mass rebuild.
+- Run autoreconf to update libtool.
+
+* Thu Dec 1 2011 Tom Hughes - 0.2.0-1
+- Update to 0.2.0 upstream release.
+
+* Sat Nov 5 2011 Tom Hughes - 0.1.0-2
+- Fix base package dependency in devel package.
+
+* Fri Nov 4 2011 Tom Hughes - 0.1.0-1
+- Initial build.
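Review bot: The comment above `Patch0`/`Patch1` gives only the Bugzilla URL, while the 0.3.0-4 changelog entry is the only place that ties those two patches to CVE-2018-10733. Someone auditing which patch carries the fix has to cross-reference the changelog by bug number. Put the identifier next to the patches as well, e.g. `# CVE-2018-10733 - https://bugzilla.redhat.com/show_bug.cgi?id=1576113`. The `Patch2`/`Patch3` comment could likewise say in a few words what bug 1524378 covers, since the integer-overflow fix is security-relevant but its comment is a bare URL.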