Subject: CVS commit: pkgsrc/graphics/GraphicsMagick
From: Thomas Klausner
Date: 2018-06-24 12:16:49
Message id: 20180624101650.06B14FBEC@cvs.NetBSD.org
Log Message:
GraphicsMagick: update to 1.3.30.
1.3.30 (June 23, 2018)
=========================
Security Fixes:
* GraphicsMagick is now participating in Google's oss-fuzz project due
to the contributions and assistance of Alex Gaynor. Since February 4
2018, 238 issues have been opened by oss-fuzz and 230 of those
issues have been resolved. The issues list is available at
https://bugs.chromium.org/p/oss-fuzz/issues/list under search term
"graphicsmagick". Issues are available for anyone to view and
duplicate if they have been in "Verified" status for 30 days, or if
they have been in "New" status for 90 days. There are too many
fixes to list here. Please consult the GraphicsMagick ChangeLog
file, Mercurial repository commit log, and the oss-fuzz issues list
for details.
* SVG/Rendering: Fix heap write overflow of PrimitiveInfo and
PointInfo arrays. This is another manifestation of CVE-2016-2317,
which should finally be fixed correctly due to active
detection/correction of pending overflow rather than using
estimation.
Bug fixes:
* Many oss-fuzz fixes are bug fixes.
* Drawing/Rendering: Many more fixes by Gregory J Wolfe (see the ChangeLog).
* MIFF: Detect end of file while reading image directory.
* SVG: Many more fixes by Gregory J Wolfe (see the ChangeLog).
* The AlphaCompositePixel macro was producing wrong results when the
output alpha value was not 100% opaque. This is a regression
introduced in 1.3.29.
* TILE: Fix problem with tiling JPEG images because the size request
used by the TILE algorithm was also causing re-scaling in the JPEG
reader. The problem is solved by stripping the size request before
reading the image.
API Updates:
* The size of PrimitiveInfo (believed to be an internal/private
structure but in a header which is installed) has been increased to
store a 'flags' argument. This is intended to be an internal
interface but may be detected as an ABI change.
Build Changes:
* The oss-fuzz build script (fuzzing/oss-fuzz-build.sh) now includes
many delegate libraries such as zlib, libpng, libtiff, libjpeg, and
freetype, resulting in more comprehensive testing. The Q16 build is
now being tested rather than the 'configure' default of Q8.
Behavior Changes:
* JPEG: The JPEG reader now allows 3 warnings of any particular type
before giving up on reading and throwing an exception. This choice
was made after observing files which produce hundreds of warnings
and consume massive amounts of memory before reading the image data
has even started. It is currently unknown how many files which were
previously accepted will be rejected by default. The number of
allowed warnings may be adjusted using '-define
jpeg:max-warnings=<value>'. The default limit will be adjusted
based on reported user experiences and may be adjusted prior to
compilation via the MaxWarningCount definition in coders/jpeg.c.
Files:
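
The SVG/Rendering entry in the log message above attributes the fix to active detection of a pending overflow rather than an up-front size estimate. A sketch of that pattern in C, added here as an illustration and not taken from GraphicsMagick: the `Point` and `PointArray` types, the `MAX_POINTS` limit and the function names are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins; not GraphicsMagick's PointInfo/PrimitiveInfo. */
typedef struct { double x, y; } Point;
typedef struct { Point *items; size_t used, capacity; } PointArray;
#define MAX_POINTS ((size_t)1 << 20)   /* assumed resource limit for this example */

/* Make room for `extra` more points. Returns 0 on success, -1 on refusal. */
static int reserve_points(PointArray *a, size_t extra)
{
    if (extra > MAX_POINTS || a->used > MAX_POINTS - extra)
        return -1;                     /* over the limit; also rules out size_t wrap */
    size_t need = a->used + extra;
    if (need <= a->capacity)
        return 0;
    size_t cap = a->capacity ? a->capacity : 16;
    while (cap < need)
        cap *= 2;                      /* bounded, because need <= MAX_POINTS */
    Point *p = realloc(a->items, cap * sizeof *p);
    if (p == NULL)
        return -1;                     /* the old buffer is still valid */
    a->items = p;
    a->capacity = cap;
    return 0;
}

/* Every write checks capacity first instead of trusting an earlier estimate. */
static int append_point(PointArray *a, double x, double y)
{
    if (reserve_points(a, 1) != 0)
        return -1;
    a->items[a->used].x = x;
    a->items[a->used].y = y;
    a->used++;
    return 0;
}

/* Expand a segment into steps+1 points; `steps` is derived from untrusted input. */
static int trace_segment(PointArray *a, Point from, Point to, size_t steps)
{
    if (steps == 0 || steps >= MAX_POINTS)
        return -1;
    for (size_t i = 0; i <= steps; i++) {
        double t = (double)i / (double)steps;
        if (append_point(a, from.x + t * (to.x - from.x), from.y + t * (to.y - from.y)) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    PointArray a = {NULL, 0, 0};
    Point from = {0.0, 0.0}, to = {10.0, 5.0};   /* constructed sample input */
    printf("rc=%d used=%zu\n", trace_segment(&a, from, to, 100), a.used);
    free(a.items);
    return 0;
}
```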