Subject: CVS commit: pkgsrc/graphics/GraphicsMagick
From: Thomas Klausner
Date: 2018-06-24 12:16:49
Message id: 20180624101650.06B14FBEC@cvs.NetBSD.org

Log Message:
GraphicsMagick: update to 1.3.30.

1.3.30 (June 23, 2018)
=========================

Security Fixes:

* GraphicsMagick is now participating in Google's oss-fuzz project due
  to the contributions and assistance of Alex Gaynor. Since February 4
  2018, 238 issues have been opened by oss-fuzz and 230 of those
  issues have been resolved.  The issues list is available at
  https://bugs.chromium.org/p/oss-fuzz/issues/list under search term
  "graphicsmagick".  Issues are available for anyone to view and
  duplicate if they have been in "Verified" status for 30 days, or if
  they have been in "New" status for 90 days.  There are too many
  fixes to list here.  Please consult the GraphicsMagick ChangeLog
  file, Mercurial repository commit log, and the oss-fuzz issues list
  for details.

* SVG/Rendering: Fix heap write overflow of PrimitiveInfo and
  PointInfo arrays.  This is another manefestation of CVE-2016-2317,
  which should finally be fixed correctly due to active
  detection/correction of pending overflow rather than using
  estimation.

Bug fixes:

* Many oss-fuzz fixes are bug fixes.

* Drawing/Rendering: Many more fixes by Gregory J Wolfe (see the ChangeLog).

* MIFF: Detect end of file while reading image directory.

* SVG: Many more fixes by Gregory J Wolfe (see the ChangeLog).

* The AlphaCompositePixel macro was producing wrong results when the
  output alpha value was not 100% opaque. This is a regression
  introduced in 1.3.29.

* TILE: Fix problem with tiling JPEG images because the size request
  used by the TILE algorithm was also causing re-scaling in the JPEG
  reader.  The problem is solved by stripping the size request before
  reading the image.

API Updates:

* The size of PrimitiveInfo (believed to be an internal/private
  structure but in a header which is installed, has been increased to
  store a 'flags' argument. This is intended to be an internal
  interface but but may be detected as an ABI change.

Build Changes:

* The oss-fuzz build script (fuzzing/oss-fuzz-build.sh) now includes
  many delegate libraries such as zlib, libpng, libtiff, libjpeg, and
  freetype, resulting in more comprehensive testing.  The Q16 build is
  now being tested rather than the 'configure' default of Q8.

Behavior Changes:

* JPEG: The JPEG reader now allows 3 warnings of any particular type
  before giving up on reading and throwing an exception.  This choice
  was made after observing files which produce hundreds of warnings
  and consume massive amounts of memory before reading the image data
  has even started.  It is currently unknown how many files which were
  previously accepted will be rejected by default.  The number of
  allowed warnings may be adjusted using '-define
  jpeg:max-warnings=<value>'.  The default limit will be adjusted
  based on reported user experiences and may be adjusted prior to
  compilation via the MaxWarningCount definition in coders/jpeg.c.

Files:
RevisionActionfile
1.21modifypkgsrc/graphics/GraphicsMagick/Makefile.common
1.47modifypkgsrc/graphics/GraphicsMagick/distinfo