authornros <nros@pkgsrc.org>2017-10-04 17:19:33 +0000
committernros <nros@pkgsrc.org>2017-10-04 17:19:33 +0000
commit71f4ad738f70453e5d20e6849d79ae805d0a63b6 (patch)
tree662e790f5cc4ac5e135c184af51a3855a1753990 /graphics/libfpx
parent0a1a852b8dc8390eb6c2e2a8062b181f9f1dc015 (diff)
downloadpkgsrc-71f4ad738f70453e5d20e6849d79ae805d0a63b6.tar.gz
Add patches to fix CVE-2017-12925, CVE-2017-12921 and a possible fix
for CVE-2017-12920. Use += in master sites instead of \. Bump PKGREVISION.
Diffstat (limited to 'graphics/libfpx')
-rw-r--r--graphics/libfpx/Makefile9
-rw-r--r--graphics/libfpx/distinfo5
-rw-r--r--graphics/libfpx/patches/patch-fpx_f__fpxvw.cpp76
-rw-r--r--graphics/libfpx/patches/patch-oless_dir.cxx13
-rw-r--r--graphics/libfpx/patches/patch-oless_docfile.cxx27
5 files changed, 125 insertions, 5 deletions
diff --git a/graphics/libfpx/Makefile b/graphics/libfpx/Makefile
index 9b1f8542303..9515b5bd1e9 100644
--- a/graphics/libfpx/Makefile
+++ b/graphics/libfpx/Makefile
@@ -1,12 +1,13 @@
-# $NetBSD: Makefile,v 1.2 2017/08/04 20:03:17 wiz Exp $
+# $NetBSD: Makefile,v 1.3 2017/10/04 17:19:33 nros Exp $
libfpx_ver= 1.3.1
DISTNAME= libfpx-${libfpx_ver}-9
PKGNAME= libfpx-${libfpx_ver}
+PKGREVISION= 1
CATEGORIES= graphics
-MASTER_SITES= ftp://ftp.imagemagick.org/pub/ImageMagick/delegates/ \
- ftp://ftp.kddlabs.co.jp/graphics/ImageMagick/delegates/ \
- http://www.imagemagick.org/download/delegates/
+MASTER_SITES= ftp://ftp.imagemagick.org/pub/ImageMagick/delegates/
+MASTER_SITES+= ftp://ftp.kddlabs.co.jp/graphics/ImageMagick/delegates/
+MASTER_SITES+= http://www.imagemagick.org/download/delegates/
EXTRACT_SUFX= .tar.xz
MAINTAINER= nros@NetBSD.org
diff --git a/graphics/libfpx/distinfo b/graphics/libfpx/distinfo
index 43cb90633f6..640db9efe51 100644
--- a/graphics/libfpx/distinfo
+++ b/graphics/libfpx/distinfo
@@ -1,6 +1,9 @@
-$NetBSD: distinfo,v 1.1 2017/08/04 08:24:24 nros Exp $
+$NetBSD: distinfo,v 1.2 2017/10/04 17:19:33 nros Exp $
SHA1 (libfpx-1.3.1-9.tar.xz) = d3aba5f74134feb4c3be40c9a864ce28edf1a7f9
RMD160 (libfpx-1.3.1-9.tar.xz) = 7ea9bff48fa15dc243e17c4f1a4a59c1b45c09dc
SHA512 (libfpx-1.3.1-9.tar.xz) = 218e7e0cd0512a1620f219802bc694591c90d494940fc7492076dee56c3707e50f5af50eb3dff9d562a5c0431e05ec9e696e6bdd8735b5b26db0cd3f929ad5f8
Size (libfpx-1.3.1-9.tar.xz) = 1906072 bytes
+SHA1 (patch-fpx_f__fpxvw.cpp) = b2c91920029b66e74154a9f6ccd9dc494df927be
+SHA1 (patch-oless_dir.cxx) = 23218d4dfcf3c57db6234f4ac0c972bf13267290
+SHA1 (patch-oless_docfile.cxx) = 58f45c75a71d3cfcd7946a366d3d4e191fc2f769
diff --git a/graphics/libfpx/patches/patch-fpx_f__fpxvw.cpp b/graphics/libfpx/patches/patch-fpx_f__fpxvw.cpp
new file mode 100644
index 00000000000..58d22c33479
--- /dev/null
+++ b/graphics/libfpx/patches/patch-fpx_f__fpxvw.cpp
@@ -0,0 +1,76 @@
+$NetBSD: patch-fpx_f__fpxvw.cpp,v 1.1 2017/10/04 17:19:33 nros Exp $
+Fix CVE-2017-12921
+--- fpx/f_fpxvw.cpp.orig 2017-10-04 10:25:20.000000000 +0000
++++ fpx/f_fpxvw.cpp
+@@ -775,27 +775,67 @@ Boolean PFileFlashPixView::WriteCompObj(
+ // Get property in summary info property set
+ Boolean PFileFlashPixView::GetSummaryInfoProperty (DWORD pID, OLEProperty ** res)
+ {
+- return summaryInfoPropertySet->GetProperty(pID, res);
++ Boolean ok = TRUE;
++
++ // If absent, there is an error
++ if (summaryInfoPropertySet == NULL)
++ ok = FALSE;
++
++ // Get the property
++ if (ok)
++ ok = summaryInfoPropertySet->GetProperty(pID, res);
++
++ return ok;
+ }
+
+ // Set property in summary info property set
+ Boolean PFileFlashPixView::SetSummaryInfoProperty (DWORD pID, DWORD propType, OLEProperty ** res)
+ {
+- return summaryInfoPropertySet->NewProperty(pID, propType, res);
++ Boolean ok = TRUE;
++
++ // If absent, there is an error
++ if (summaryInfoPropertySet == NULL)
++ ok = FALSE;
++
++ // Get the property
++ if (ok)
++ ok = summaryInfoPropertySet->NewProperty(pID, propType, res);
++
++ return ok;
+ }
+
+
+ // Get property in global info property set
+ Boolean PFileFlashPixView::GetGlobalInfoProperty (DWORD pID, OLEProperty ** res)
+ {
+- return globalInfoPropertySet->GetProperty(pID, res);
++ Boolean ok = TRUE;
++
++ // If absent, there is an error
++ if (globalInfoPropertySet == NULL)
++ ok = FALSE;
++
++ // Get the property
++ if (ok)
++ ok = globalInfoPropertySet->GetProperty(pID, res);
++
++ return ok;
+ }
+
+
+ // Set property in global info property set
+ Boolean PFileFlashPixView::SetGlobalInfoProperty (DWORD pID, DWORD propType, OLEProperty ** res)
+ {
+- return globalInfoPropertySet->NewProperty(pID, propType, res);
++ Boolean ok = TRUE;
++
++ // If absent, there is an error
++ if (globalInfoPropertySet == NULL)
++ ok = FALSE;
++
++ // Get the property
++ if (ok)
++ ok = globalInfoPropertySet->NewProperty(pID, propType, res);
++
++ return ok;
+ }
+
+
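Review bot: On the new NULL path in all four accessors the out-parameter `res` is never written, so a caller that ignores the `Boolean` result would go on to read whatever `OLEProperty *` value it had before the call; whether every caller checks the result is not visible in this hunk. Consider clearing it on failure, e.g. `if (res != NULL) *res = NULL;` before returning `FALSE`. The `// Get the property` comment was also copied into `SetSummaryInfoProperty` and `SetGlobalInfoProperty`, where the call is `NewProperty`; `// Create the property` would match what the code does. Each body could also be shortened to an early `if (summaryInfoPropertySet == NULL) return FALSE;` (or the `globalInfoPropertySet` equivalent) followed by the original `return` line.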
diff --git a/graphics/libfpx/patches/patch-oless_dir.cxx b/graphics/libfpx/patches/patch-oless_dir.cxx
new file mode 100644
index 00000000000..7a4157020ff
--- /dev/null
+++ b/graphics/libfpx/patches/patch-oless_dir.cxx
@@ -0,0 +1,13 @@
+$NetBSD: patch-oless_dir.cxx,v 1.1 2017/10/04 17:19:33 nros Exp $
+possible fix for CVE-2017-12920
+--- oless/dir.cxx.orig 2017-10-03 18:36:32.000000000 +0000
++++ oless/dir.cxx
+@@ -1100,6 +1100,8 @@ SCODE CDirectory::GetDirEntry(
+ DIRINDEX id = sid / _cdeEntries;
+
+ msfChk(_dv.GetTable(id, dwFlags, &pds));
++ if (ppde == NULL)
++ msfErr(Err, ERROR_INVALID_ADDRESS);
+
+ *ppde = pds->GetEntry((DIROFFSET)(sid % _cdeEntries));
+
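Review bot: The added guard tests `ppde`, the caller-supplied out pointer, but the dereference on the following line is `pds->GetEntry(...)`, and `pds` is the value `GetTable` produces while parsing the file. If the crash tracked as CVE-2017-12920 comes from `pds` or from an out-of-range `sid`, this check does not cover it, which fits the commit calling it a "possible fix". I would add a `pds == NULL` test after `msfChk(_dv.GetTable(id, dwFlags, &pds));` and move the `ppde` test above that call so a bad argument is rejected before any table is fetched. `ERROR_INVALID_ADDRESS` looks like a Win32 error code rather than an SCODE, so confirm that callers testing the result with the SCODE macros treat it as a failure. `GetDirEntry` starts and ends outside the hunk, so what happens at the error label after `msfErr` is not visible here.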
diff --git a/graphics/libfpx/patches/patch-oless_docfile.cxx b/graphics/libfpx/patches/patch-oless_docfile.cxx
new file mode 100644
index 00000000000..ba40ac379f5
--- /dev/null
+++ b/graphics/libfpx/patches/patch-oless_docfile.cxx
@@ -0,0 +1,27 @@
+$NetBSD: patch-oless_docfile.cxx,v 1.1 2017/10/04 17:19:33 nros Exp $
+fix CVE-2017-12925
+--- oless/docfile.cxx.orig 2017-10-03 18:06:20.000000000 +0000
++++ oless/docfile.cxx
+@@ -49,6 +49,7 @@ SCODE DfFromLB(ILockBytes *plst,
+ SCODE sc, scConv;
+ CRootExposedDocFile *prpdf;
+ CDFBasis *pdfb=NULL;
++ bool prpdf_Release_run = false;
+
+ UNREFERENCED_PARM(pcid);
+ olDebugOut((DEB_ITRACE, "In DfFromLB(%p, %X, %lX, %p, %p, %p)\n",
+@@ -71,9 +72,12 @@ SCODE DfFromLB(ILockBytes *plst,
+ return scConv;
+
+ EH_ppcInit:
+- prpdf->Release();
++ prpdf->Release(); //this also deletes pdfb
++ prpdf_Release_run = true;
+ EH_pdfb:
+- delete pdfb;
++ if (!prpdf_Release_run) {
++ delete pdfb;
++ }
+ EH_Err:
+ return sc;
+ }
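Review bot: The `prpdf_Release_run` flag threaded through `EH_ppcInit` and `EH_pdfb` can be replaced by clearing the pointer after the release: `prpdf->Release(); pdfb = NULL;` keeps the unconditional `delete pdfb;` safe, since deleting a null pointer is a no-op, and avoids carrying extra state across the fall-through labels. The comment `//this also deletes pdfb` states an ownership rule that the hunk does not show. It would help to say where `prpdf` takes ownership of `pdfb` (presumably when it is initialised earlier in the function) so the next reader can verify that the double delete is really gone on every path that reaches `EH_ppcInit`. `DfFromLB` starts outside the hunk.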