freeimage: unstable-2021-11-01 -> 3.18.0-unstable-2024-04-18

pkgs/by-name/fr/freeimage/CVE-2020-24292.patch

@@ -0,0 +1,13 @@
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp	2023-09-28 19:34:45.524031668 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp	2023-09-28 19:34:47.717009813 +0200
+@@ -301,6 +301,9 @@ LoadStandardIcon(FreeImageIO *io, fi_han
+ 	int width  = bmih.biWidth;
+ 	int height = bmih.biHeight / 2; // height == xor + and mask
+ 	unsigned bit_count = bmih.biBitCount;
++	if (bit_count != 1 && bit_count != 2 && bit_count != 4 && bit_count != 8 && bit_count != 16 && bit_count != 24 && bit_count != 32) {
++	  return NULL;
++	}
+ 	unsigned line   = CalculateLine(width, bit_count);
+ 	unsigned pitch  = CalculatePitch(line);
+

pkgs/by-name/fr/freeimage/CVE-2020-24293.patch

@@ -0,0 +1,14 @@
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.287014100 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.832008666 +0200
+@@ -780,6 +780,10 @@ int psdThumbnail::Read(FreeImageIO *io,
+ 		FreeImage_Unload(_dib);
+ 	}
+
++	if (_WidthBytes != _Width * _BitPerPixel / 8) {
++	  throw "Invalid PSD image";
++	}
++
+ 	if(_Format == 1) {
+ 		// kJpegRGB thumbnail image
+ 		_dib = FreeImage_LoadFromHandle(FIF_JPEG, io, handle);

pkgs/by-name/fr/freeimage/CVE-2020-24295.patch

@@ -0,0 +1,21 @@
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.936007630 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.940007590 +0200
+@@ -1466,6 +1466,7 @@ FIBITMAP* psdParser::ReadImageData(FreeI
+ 	const unsigned dstBpp =  (depth == 1) ? 1 : FreeImage_GetBPP(bitmap)/8;
+ 	const unsigned dstLineSize = FreeImage_GetPitch(bitmap);
+ 	BYTE* const dst_first_line = FreeImage_GetScanLine(bitmap, nHeight - 1);//<*** flipped
++	const unsigned dst_buffer_size = dstLineSize * nHeight;
+
+ 	BYTE* line_start = new BYTE[lineSize]; //< fileline cache
+
+@@ -1481,6 +1482,9 @@ FIBITMAP* psdParser::ReadImageData(FreeI
+ 				const unsigned channelOffset = GetChannelOffset(bitmap, c) * bytes;
+
+ 				BYTE* dst_line_start = dst_first_line + channelOffset;
++				if (channelOffset + lineSize > dst_buffer_size) {
++					throw "Invalid PSD image";
++				}
+ 				for(unsigned h = 0; h < nHeight; ++h, dst_line_start -= dstLineSize) {//<*** flipped
+ 					io->read_proc(line_start, lineSize, 1, handle);
+ 					ReadImageLine(dst_line_start, line_start, lineSize, dstBpp, bytes);

pkgs/by-name/fr/freeimage/CVE-2021-33367.patch

@@ -0,0 +1,19 @@
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/Metadata/Exif.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp	2023-09-28 19:34:45.003036859 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/Metadata/Exif.cpp	2023-09-28 19:34:47.505011926 +0200
+@@ -770,8 +770,13 @@ jpeg_read_exif_dir(FIBITMAP *dib, const
+ 	//
+
+ 	const WORD entriesCount0th = ReadUint16(msb_order, ifd0th);
+-	
+-	DWORD next_offset = ReadUint32(msb_order, DIR_ENTRY_ADDR(ifd0th, entriesCount0th));
++
++	const BYTE* de_addr = DIR_ENTRY_ADDR(ifd0th, entriesCount0th);
++	if(de_addr+4 >= (BYTE*)(dwLength + ifd0th - tiffp)) {
++		return TRUE; //< no thumbnail
++	}
++
++	DWORD next_offset = ReadUint32(msb_order, de_addr);
+ 	if((next_offset == 0) || (next_offset >= dwLength)) {
+ 		return TRUE; //< no thumbnail
+ 	}

pkgs/by-name/fr/freeimage/CVE-2021-40263.patch

@@ -0,0 +1,15 @@
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.713009853 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:48.043006563 +0200
+@@ -2142,6 +2142,11 @@ Load(FreeImageIO *io, fi_handle handle,
+ 				uint32_t tileRowSize = (uint32_t)TIFFTileRowSize(tif);
+ 				uint32_t imageRowSize = (uint32_t)TIFFScanlineSize(tif);
+
++				if (width / tileWidth * tileRowSize * 8 > bitspersample * samplesperpixel * width) {
++				  free(tileBuffer);
++				  throw "Corrupted tiled TIFF file";
++				}
++
+
+ 				// In the tiff file the lines are saved from up to down 
+ 				// In a DIB the lines must be saved from down to up

pkgs/by-name/fr/freeimage/CVE-2021-40266.patch

@@ -0,0 +1,14 @@
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.501011966 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.610010879 +0200
+@@ -372,6 +372,10 @@ static void
+ ReadPalette(TIFF *tiff, uint16_t photometric, uint16_t bitspersample, FIBITMAP *dib) {
+ 	RGBQUAD *pal = FreeImage_GetPalette(dib);
+
++	if (!pal) {
++	  return;
++	}
++
+ 	switch(photometric) {
+ 		case PHOTOMETRIC_MINISBLACK:	// bitmap and greyscale image types
+ 		case PHOTOMETRIC_MINISWHITE:

pkgs/by-name/fr/freeimage/CVE-2023-47995.patch

@@ -0,0 +1,14 @@
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginJPEG.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginJPEG.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginJPEG.cpp	2024-03-10 14:22:17.818579271 +0100
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginJPEG.cpp	2024-03-10 14:22:18.776573816 +0100
+@@ -1086,6 +1086,10 @@ Load(FreeImageIO *io, fi_handle handle,
+
+ 			jpeg_read_header(&cinfo, TRUE);
+
++			if (cinfo.image_width > JPEG_MAX_DIMENSION || cinfo.image_height > JPEG_MAX_DIMENSION) {
++				throw FI_MSG_ERROR_DIB_MEMORY;
++			}
++
+ 			// step 4: set parameters for decompression
+
+ 			unsigned int scale_denom = 1;		// fraction by which to scale image

pkgs/by-name/fr/freeimage/CVE-2023-47997.patch

@@ -0,0 +1,16 @@
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2024-03-10 14:22:18.669574426 +0100
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2024-03-10 14:22:18.673574403 +0100
+@@ -1484,6 +1484,12 @@ Load(FreeImageIO *io, fi_handle handle,
+ 				(int)bitspersample, (int)samplesperpixel, (int)photometric);
+ 			throw (char*)NULL;
+ 		}
++		if (planar_config == PLANARCONFIG_SEPARATE && bitspersample < 8) {
++			FreeImage_OutputMessageProc(s_format_id,
++				"Unable to handle this format: bitspersample = 8, TIFFTAG_PLANARCONFIG = PLANARCONFIG_SEPARATE"
++			);
++			throw (char*)NULL;
++		}
+
+ 		// ---------------------------------------------------------------------------------
+

pkgs/development/libraries/freeimage/default.nix → pkgs/by-name/fr/freeimage/package.nix

@@ -14,17 +14,16 @@
   jxrlib,
   pkg-config,
   fixDarwinDylibNames,
-  autoSignDarwinBinariesHook,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "freeimage";
-  version = "unstable-2021-11-01";
+  version = "3.18.0-unstable-2024-04-18";
 
   src = fetchsvn {
     url = "svn://svn.code.sf.net/p/freeimage/svn/";
-    rev = "1900";
-    sha256 = "rWoNlU/BWKZBPzRb1HqU6T0sT7aK6dpqKPe88+o/4sA=";
+    rev = "1911";
+    hash = "sha256-JznVZUYAbsN4FplnuXxCd/ITBhH7bfGKWXep2A6mius=";
   };
 
   sourceRoot = "${finalAttrs.src.name}/FreeImage/trunk";
@@ -33,9 +32,23 @@ stdenv.mkDerivation (finalAttrs: {
   prePatch = ''
     rm -rf Source/Lib* Source/OpenEXR Source/ZLib
   '';
+
+  # Tell patch to work with trailing carriage returns
+  patchFlags = [
+    "-p1"
+    "--binary"
+  ];
+
   patches = [
     ./unbundle.diff
-    ./libtiff-4.4.0.diff
+    ./CVE-2020-24292.patch
+    ./CVE-2020-24293.patch
+    ./CVE-2020-24295.patch
+    ./CVE-2021-33367.patch
+    ./CVE-2021-40263.patch
+    ./CVE-2021-40266.patch
+    ./CVE-2023-47995.patch
+    ./CVE-2023-47997.patch
   ];
 
   postPatch =
@@ -58,10 +71,8 @@ stdenv.mkDerivation (finalAttrs: {
     ++ lib.optionals stdenv.hostPlatform.isDarwin [
       cctools
       fixDarwinDylibNames
-    ]
-    ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [
-      autoSignDarwinBinariesHook
     ];
+
   buildInputs = [
     libtiff
     libtiff.dev_private
@@ -107,18 +118,50 @@ stdenv.mkDerivation (finalAttrs: {
     homepage = "http://freeimage.sourceforge.net/";
     license = "GPL";
     knownVulnerabilities = [
-      "CVE-2021-33367"
-      "CVE-2021-40262"
-      "CVE-2021-40263"
-      "CVE-2021-40264"
-      "CVE-2021-40265"
-      "CVE-2021-40266"
-
-      "CVE-2023-47992"
-      "CVE-2023-47993"
-      "CVE-2023-47994"
-      "CVE-2023-47995"
+      "CVE-2024-31570"
+      "CVE-2024-28584"
+      "CVE-2024-28583"
+      "CVE-2024-28582"
+      "CVE-2024-28581"
+      "CVE-2024-28580"
+      "CVE-2024-28579"
+      "CVE-2024-28578"
+      "CVE-2024-28577"
+      "CVE-2024-28576"
+      "CVE-2024-28575"
+      "CVE-2024-28574"
+      "CVE-2024-28573"
+      "CVE-2024-28572"
+      "CVE-2024-28571"
+      "CVE-2024-28570"
+      "CVE-2024-28569"
+      "CVE-2024-28568"
+      "CVE-2024-28567"
+      "CVE-2024-28566"
+      "CVE-2024-28565"
+      "CVE-2024-28564"
+      "CVE-2024-28563"
+      "CVE-2024-28562"
+      "CVE-2024-9029"
+      # "CVE-2023-47997"
       "CVE-2023-47996"
+      # "CVE-2023-47995"
+      "CVE-2023-47994"
+      "CVE-2023-47993"
+      "CVE-2023-47992"
+      # "CVE-2021-40266"
+      "CVE-2021-40265"
+      "CVE-2021-40264"
+      # "CVE-2021-40263"
+      "CVE-2021-40262"
+      # "CVE-2021-33367"
+      # "CVE-2020-24295"
+      "CVE-2020-24294"
+      # "CVE-2020-24293"
+      # "CVE-2020-24292"
+      "CVE-2020-21426"
+      "CVE-2019-12214"
+      "CVE-2019-12212"
     ];
     maintainers = with lib.maintainers; [ l-as ];
     platforms = with lib.platforms; unix;

pkgs/development/lisp-modules/imported.nix

@@ -6,6 +6,7 @@
   lib,
   fetchzip,
   build-asdf-system,
+  stdenv,
   ...
 }:
 
@@ -15920,6 +15921,8 @@ lib.makeScope pkgs.newScope (self: {
       lispLibs = [ (getAttr "cffi" self) ];
       meta = {
         hydraPlatforms = [ ];
+        # darwin cannot find libpango.dylib
+        broken = stdenv.isDarwin;
       };
     }
   );
@@ -39537,6 +39540,8 @@ lib.makeScope pkgs.newScope (self: {
       ];
       meta = {
         hydraPlatforms = [ ];
+        # darwin cannot find libpango.dylib
+        broken = stdenv.isDarwin;
       };
     }
   );

pkgs/top-level/all-packages.nix

@@ -8964,10 +8964,6 @@ with pkgs;
   fplll = callPackage ../development/libraries/fplll { };
   fplll_20160331 = callPackage ../development/libraries/fplll/20160331.nix { };
 
-  freeimage = callPackage ../development/libraries/freeimage {
-    inherit (darwin) autoSignDarwinBinariesHook;
-  };
-
   freeipa = callPackage ../os-specific/linux/freeipa {
     kerberos = krb5.override {
       withVerto = true;