From: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Thu, 28 Feb 2019 20:29:00 +0100
Subject: [PATCH] netpbm: Fix CVE-2017-2587.

Copied verbatim from Debian[0].

[0]: https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2587.patch

---
diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
--- old/converter/other/svgtopam.c	2017-02-08 12:11:02.593690917 +0100
+++ new/converter/other/svgtopam.c	2017-02-08 13:49:38.319029371 +0100
@@ -771,12 +771,17 @@ createCanvas(unsigned int const width,
 
     MALLOCVAR_NOFAIL(canvasP);
 
-    canvasP->width  = width;
-    canvasP->height = height;
-    canvasP->pixels = ppm_allocarray(width, height);
-    canvasP->maxval = maxval;
+    if(canvasP != NULL){
+        canvasP->width  = width;
+        canvasP->height = height;
+        canvasP->pixels = ppm_allocarray(width, height);
+        canvasP->maxval = maxval;
+
+        *canvasPP = canvasP;
+    } else {
+       pm_error("can't allocate memory for canvas");
+    }
 
-    *canvasPP = canvasP;
 }
 
 
a><a href='/guix/'>summary</a><a href='/guix/refs/?id=4469990f2e4b300781c93dfd41a82c41611842e3'>refs</a><a class='active' href='/guix/log/build-aux/update-NEWS.scm'>log</a><a href='/guix/tree/build-aux/update-NEWS.scm?id=4469990f2e4b300781c93dfd41a82c41611842e3'>tree</a><a href='/guix/commit/build-aux/update-NEWS.scm?id=4469990f2e4b300781c93dfd41a82c41611842e3'>commit</a><a href='/guix/diff/build-aux/update-NEWS.scm?id=4469990f2e4b300781c93dfd41a82c41611842e3'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/build-aux/update-NEWS.scm'>
<input type='hidden' name='id' value='4469990f2e4b300781c93dfd41a82c41611842e3'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=4469990f2e4b300781c93dfd41a82c41611842e3'>root</a>/<a href='/guix/log/build-aux?id=4469990f2e4b300781c93dfd41a82c41611842e3'>build-aux</a>/<a href='/guix/log/build-aux/update-NEWS.scm?id=4469990f2e4b300781c93dfd41a82c41611842e3'>update-NEWS.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/build-aux/update-NEWS.scm?id=4469990f2e4b300781c93dfd41a82c41611842e3&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2021-05-10 13:48:02 -0400'>2021-05-10</span></td><td><a href='/guix/commit/build-aux/update-NEWS.scm?id=ed2d4d52dde00bdccc1bb2c93b24ffcc72a7fcd3'>maint: update-NEWS: Sort packages prior writing to the data file.</a><span class='msg-avail'>...<span class='msg-tooltip'>* build-aux/update-NEWS.scm (main): Sort packages.
</span></span></td><td>Maxim Cournoyer</td></tr>
<tr><td><span title='2021-04-23 21:32:46 -0400'>2021-04-23</span></td><td><a href='/guix/commit/build-aux/update-NEWS.scm?id=18dc8c6f0f76b8d128638105eebad2895f9857f0'>build-aux: Relax the regexp used to match NEWS sections.</a><span class='msg-avail'>...<span class='msg-tooltip'>A number of packages doesn't really make sense in the name of the section to
be substituted.  This change allows using simply '*** new packages' instead of
'*** 1999 new packages', for example, and have the update-NEWS.scm script
update it.

* build-aux/update-NEWS.scm (write-packages-added) &lt;regexp&gt;: Do not care about
leading white space in the name of the section.
</span></span></td><td>Maxim Cournoyer</td></tr>