From: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Thu, 28 Feb 2019 20:29:00 +0100
Subject: [PATCH] netpbm: Fix CVE-2017-2587.

Copied verbatim from Debian[0].

[0]: https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2587.patch

---
diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
--- old/converter/other/svgtopam.c	2017-02-08 12:11:02.593690917 +0100
+++ new/converter/other/svgtopam.c	2017-02-08 13:49:38.319029371 +0100
@@ -771,12 +771,17 @@ createCanvas(unsigned int const width,
 
     MALLOCVAR_NOFAIL(canvasP);
 
-    canvasP->width  = width;
-    canvasP->height = height;
-    canvasP->pixels = ppm_allocarray(width, height);
-    canvasP->maxval = maxval;
+    if(canvasP != NULL){
+        canvasP->width  = width;
+        canvasP->height = height;
+        canvasP->pixels = ppm_allocarray(width, height);
+        canvasP->maxval = maxval;
+
+        *canvasPP = canvasP;
+    } else {
+       pm_error("can't allocate memory for canvas");
+    }
 
-    *canvasPP = canvasP;
 }
 
 
mary</a><a href='/guix/refs/?id=5482403f35b2718610a06f906f1b98728dcdae1e'>refs</a><a class='active' href='/guix/log/tests/elpa.scm'>log</a><a href='/guix/tree/tests/elpa.scm?id=5482403f35b2718610a06f906f1b98728dcdae1e'>tree</a><a href='/guix/commit/tests/elpa.scm?id=5482403f35b2718610a06f906f1b98728dcdae1e'>commit</a><a href='/guix/diff/tests/elpa.scm?id=5482403f35b2718610a06f906f1b98728dcdae1e'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/tests/elpa.scm'>
<input type='hidden' name='id' value='5482403f35b2718610a06f906f1b98728dcdae1e'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=5482403f35b2718610a06f906f1b98728dcdae1e'>root</a>/<a href='/guix/log/tests?id=5482403f35b2718610a06f906f1b98728dcdae1e'>tests</a>/<a href='/guix/log/tests/elpa.scm?id=5482403f35b2718610a06f906f1b98728dcdae1e'>elpa.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/tests/elpa.scm?id=5482403f35b2718610a06f906f1b98728dcdae1e&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2023-06-09 14:19:14 +0200'>2023-06-09</span></td><td><a href='/guix/commit/tests/elpa.scm?id=53bf9fba0c9542a46702bb30251f5796da371e64'>tests: Ensure 'elpa' test does not access the network.</a><span class='msg-avail'>...<span class='msg-tooltip'>Previously it would try to access the real elpa.gnu.org.  This would
succeed when network is available because "taxy-magit-section" is an
existing package.

* guix/import/elpa.scm (elpa-repository)
(package-from-elpa-repository?): Recognize 'gnu/http.
* tests/elpa.scm ("package-latest-release"): Use 'http' instead of
'https'.  Change "taxy-magit-section" to "fake-taxy-magit-section".
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2023-05-31 23:50:06 +0200'>2023-05-31</span></td><td><a href='/guix/commit/tests/elpa.scm?id=654fcf9971bb01389d577be07c6ec0f68940c743'>tests: Use quasiquoted 'match' patterns for package sexps.</a><span class='msg-avail'>...<span class='msg-tooltip'>Turns out it's easier to read.

* tests/cpan.scm ("cpan-&gt;guix-package"): Use a quasiquoted pattern.
* tests/elpa.scm (eval-test-with-elpa): Likewise.
* tests/gem.scm ("gem-&gt;guix-package")
("gem-&gt;guix-package with a specific version")
("gem-recursive-import")
("gem-recursive-import with a specific version"): Likewise.
* tests/hexpm.scm ("hexpm-recursive-import"): Likewise.
* tests/opam.scm ("opam-&gt;guix-package"): Likewise.
* tests/pypi.scm ("pypi-&gt;guix-package, no wheel")
("pypi-&gt;guix-package, wheels")
("pypi-&gt;guix-package, no usable requirement file.")
("pypi-&gt;guix-package, package name contains \"-\" followed by digits"):
Likewise.
* tests/texlive.scm ("texlive-&gt;guix-package"): Likewise.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2023-05-31 23:25:26 +0200'>2023-05-31</span></td><td><a href='/guix/commit/tests/elpa.scm?id=d46d1bee1ea93d8fba97d7f8cadd142c493dc3bf'>import: elpa: Updater provides input list.</a><span class='msg-avail'>...<span class='msg-tooltip'>* guix/import/elpa.scm (elpa-dependency-&gt;upstream-input): New
procedure.
(latest-release): Add 'inputs' field.
* tests/elpa.scm ("package-latest-release"): New test.
</span></span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2021-12-18 22:51:55 +0100'>2021-12-18</span></td><td><a href='/guix/commit/tests/elpa.scm?id=f21c70bc9a41d000acf7d39a0813a3c7415517ca'>import: elpa: Support ‘upstream-name’ property.</a><span class='msg-avail'>...<span class='msg-tooltip'>* guix/import/elpa.scm: (guix-package-&gt;elpa-name): New procedure.
  (latest-release): Use it.
* tests/elpa.scm ("guix-package-&gt;elpa-name: without 'upstream-name' property")
  ("guix-package-&gt;elpa-name: with 'upstream-name' property"): Test it.

Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Xinglu Chen</td></tr>

Age	Commit message (Expand)	Author
2023-06-09	tests: Ensure 'elpa' test does not access the network....Previously it would try to access the real elpa.gnu.org. This would succeed when network is available because "taxy-magit-section" is an existing package. * guix/import/elpa.scm (elpa-repository) (package-from-elpa-repository?): Recognize 'gnu/http. * tests/elpa.scm ("package-latest-release"): Use 'http' instead of 'https'. Change "taxy-magit-section" to "fake-taxy-magit-section".	Ludovic Courtès
2023-05-31	tests: Use quasiquoted 'match' patterns for package sexps....Turns out it's easier to read. * tests/cpan.scm ("cpan->guix-package"): Use a quasiquoted pattern. * tests/elpa.scm (eval-test-with-elpa): Likewise. * tests/gem.scm ("gem->guix-package") ("gem->guix-package with a specific version") ("gem-recursive-import") ("gem-recursive-import with a specific version"): Likewise. * tests/hexpm.scm ("hexpm-recursive-import"): Likewise. * tests/opam.scm ("opam->guix-package"): Likewise. * tests/pypi.scm ("pypi->guix-package, no wheel") ("pypi->guix-package, wheels") ("pypi->guix-package, no usable requirement file.") ("pypi->guix-package, package name contains \"-\" followed by digits"): Likewise. * tests/texlive.scm ("texlive->guix-package"): Likewise.	Ludovic Courtès
2023-05-31	import: elpa: Updater provides input list....* guix/import/elpa.scm (elpa-dependency->upstream-input): New procedure. (latest-release): Add 'inputs' field. * tests/elpa.scm ("package-latest-release"): New test.	Ludovic Courtès
2021-12-18	import: elpa: Support ‘upstream-name’ property....* guix/import/elpa.scm: (guix-package->elpa-name): New procedure. (latest-release): Use it. * tests/elpa.scm ("guix-package->elpa-name: without 'upstream-name' property") ("guix-package->elpa-name: with 'upstream-name' property"): Test it. Signed-off-by: Ludovic Courtès <ludo@gnu.org>	Xinglu Chen