From: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Thu, 28 Feb 2019 20:29:00 +0100
Subject: [PATCH] netpbm: Fix CVE-2017-2587.

Copied verbatim from Debian[0].

[0]: https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2587.patch

---
diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
--- old/converter/other/svgtopam.c	2017-02-08 12:11:02.593690917 +0100
+++ new/converter/other/svgtopam.c	2017-02-08 13:49:38.319029371 +0100
@@ -771,12 +771,17 @@ createCanvas(unsigned int const width,
 
     MALLOCVAR_NOFAIL(canvasP);
 
-    canvasP->width  = width;
-    canvasP->height = height;
-    canvasP->pixels = ppm_allocarray(width, height);
-    canvasP->maxval = maxval;
+    if(canvasP != NULL){
+        canvasP->width  = width;
+        canvasP->height = height;
+        canvasP->pixels = ppm_allocarray(width, height);
+        canvasP->maxval = maxval;
+
+        *canvasPP = canvasP;
+    } else {
+       pm_error("can't allocate memory for canvas");
+    }
 
-    *canvasPP = canvasP;
 }
 
 
<a href='/guix/'>summary</a><a href='/guix/refs/?id=aa65bba301b66b9cc7557255b567df5e35fbabe8'>refs</a><a class='active' href='/guix/log/etc/guix-publish.conf.in'>log</a><a href='/guix/tree/etc/guix-publish.conf.in?id=aa65bba301b66b9cc7557255b567df5e35fbabe8'>tree</a><a href='/guix/commit/etc/guix-publish.conf.in?id=aa65bba301b66b9cc7557255b567df5e35fbabe8'>commit</a><a href='/guix/diff/etc/guix-publish.conf.in?id=aa65bba301b66b9cc7557255b567df5e35fbabe8'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/etc/guix-publish.conf.in'>
<input type='hidden' name='id' value='aa65bba301b66b9cc7557255b567df5e35fbabe8'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=aa65bba301b66b9cc7557255b567df5e35fbabe8'>root</a>/<a href='/guix/log/etc?id=aa65bba301b66b9cc7557255b567df5e35fbabe8'>etc</a>/<a href='/guix/log/etc/guix-publish.conf.in?id=aa65bba301b66b9cc7557255b567df5e35fbabe8'>guix-publish.conf.in</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/etc/guix-publish.conf.in?id=aa65bba301b66b9cc7557255b567df5e35fbabe8&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2018-11-23 15:42:01 +0100'>2018-11-23</span></td><td><a href='/guix/commit/etc/guix-publish.conf.in?id=e9926f80c6553fde50ce1fcfd38d6370f841efd2'>build: Binary tarball now populates the "current-guix" profile.</a><span class='msg-avail'>...<span class='msg-tooltip'>* Makefile.am (guix-binary.%.tar.xz): Pass
'--profile-name=current-guix'.  Remove glibc and glibc-utf8-locales.
* doc/guix.texi (Binary Installation): Update accordingly.
* etc/guix-install.sh
* etc/guix-install.sh (sys_create_store, sys_enable_guix_daemon)
(sys_authorize_build_farms): Likewise.
* etc/guix-publish.conf.in, etc/guix-publish.service.in,
etc/guix-daemon.conf.in, etc/guix-daemon.service.in: Update file names
accordingly.
</span></span></td><td>Ludovic Courtès</td></tr>