!49 Fix CVE-2020-24292 CVE-2020-24293 CVE-2020-24295 CVE-2021-33367 CVE-2021-40263 CVE-2021-40266 CVE-2023-47995 CVE-2023-47997

From: @wk333 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge

CVE-2020-21427-1-r1832-improved-BMP-plugin-when-working-with-malicious-images.patch

@@ -0,0 +1,445 @@
+Origin: upstream, r1832
+Index: Source/FreeImage/PluginBMP.cpp
+---
+diff --git a/Source/FreeImage/PluginBMP.cpp b/Source/FreeImage/PluginBMP.cpp
+--- a/Source/FreeImage/PluginBMP.cpp	(revision 1831)
++++ b/Source/FreeImage/PluginBMP.cpp	(revision 1832)
+@@ -181,6 +181,7 @@
+ 		}
+ 	}
+ #endif
++
+ #if FREEIMAGE_COLORORDER == FREEIMAGE_COLORORDER_RGB
+ 	if (bit_count == 24 || bit_count == 32) {
+ 		for(unsigned y = 0; y < FreeImage_GetHeight(dib); y++) {
+@@ -202,7 +203,7 @@
+ @param handle FreeImage IO handle
+ @param width Image width
+ @param height Image height
+-@param dib Image to be loaded 
++@param dib 4-bit image to be loaded 
+ @return Returns TRUE if successful, returns FALSE otherwise
+ */
+ static BOOL 
+@@ -217,7 +218,9 @@
+ 		height = abs(height);
+ 
+ 		pixels = (BYTE*)malloc(width * height * sizeof(BYTE));
+-		if(!pixels) throw(1);
++		if (!pixels) {
++			throw(1);
++		}
+ 		memset(pixels, 0, width * height * sizeof(BYTE));
+ 
+ 		BYTE *q = pixels;
+@@ -237,7 +240,7 @@
+ 					throw(1);
+ 				}
+ 				for (int i = 0; i < status_byte; i++)	{
+-					*q++=(BYTE)((i & 0x01) ? (second_byte & 0x0f) : ((second_byte >> 4) & 0x0f));
++					*q++ = (BYTE)((i & 0x01) ? (second_byte & 0x0f) : ((second_byte >> 4) & 0x0f));
+ 				}
+ 				bits += status_byte;
+ 			}
+@@ -252,7 +255,7 @@
+ 						// End of line
+ 						bits = 0;
+ 						scanline++;
+-						q = pixels + scanline*width;
++						q = pixels + scanline * width;
+ 					}
+ 					break;
+ 
+@@ -264,7 +267,6 @@
+ 					case RLE_DELTA:
+ 					{
+ 						// read the delta values
+-
+ 						BYTE delta_x = 0;
+ 						BYTE delta_y = 0;
+ 
+@@ -276,7 +278,6 @@
+ 						}
+ 
+ 						// apply them
+-
+ 						bits += delta_x;
+ 						scanline += delta_y;
+ 						q = pixels + scanline*width+bits;
+@@ -293,7 +294,7 @@
+ 									throw(1);
+ 								}
+ 							}
+-							*q++=(BYTE)((i & 0x01) ? (second_byte & 0x0f) : ((second_byte >> 4) & 0x0f));
++							*q++ = (BYTE)((i & 0x01) ? (second_byte & 0x0f) : ((second_byte >> 4) & 0x0f));
+ 						}
+ 						bits += status_byte;
+ 						// Read pad byte
+@@ -334,7 +335,9 @@
+ 		return TRUE;
+ 
+ 	} catch(int) {
+-		if(pixels) free(pixels);
++		if (pixels) {
++			free(pixels);
++		}
+ 		return FALSE;
+ 	}
+ }
+@@ -345,7 +348,7 @@
+ @param handle FreeImage IO handle
+ @param width Image width
+ @param height Image height
+-@param dib Image to be loaded 
++@param dib 8-bit image to be loaded 
+ @return Returns TRUE if successful, returns FALSE otherwise
+ */
+ static BOOL 
+@@ -354,103 +357,85 @@
+ 	BYTE second_byte = 0;
+ 	int scanline = 0;
+ 	int bits = 0;
++	int count = 0;
++	BYTE delta_x = 0;
++	BYTE delta_y = 0;
+ 
+-	for (;;) {
+-		if( io->read_proc(&status_byte, sizeof(BYTE), 1, handle) != 1) {
++	height = abs(height);
++	
++	while(scanline < height) {
++
++		if (io->read_proc(&status_byte, sizeof(BYTE), 1, handle) != 1) {
+ 			return FALSE;
+ 		}
+ 
+-		switch (status_byte) {
+-			case RLE_COMMAND :
+-				if(io->read_proc(&status_byte, sizeof(BYTE), 1, handle) != 1) {
+-					return FALSE;
+-				}
++		if (status_byte == RLE_COMMAND) {
++			if (io->read_proc(&status_byte, sizeof(BYTE), 1, handle) != 1) {
++				return FALSE;
++			}
+ 
+-				switch (status_byte) {
+-					case RLE_ENDOFLINE :
+-						bits = 0;
+-						scanline++;
+-						break;
++			switch (status_byte) {
++				case RLE_ENDOFLINE:
++					bits = 0;
++					scanline++;
++					break;
+ 
+-					case RLE_ENDOFBITMAP :
+-						return TRUE;
++				case RLE_ENDOFBITMAP:
++					return TRUE;
+ 
+-					case RLE_DELTA :
+-					{
+-						// read the delta values
++				case RLE_DELTA:
++					// read the delta values
++					delta_x = 0;
++					delta_y = 0;
++					if (io->read_proc(&delta_x, sizeof(BYTE), 1, handle) != 1) {
++						return FALSE;
++					}
++					if (io->read_proc(&delta_y, sizeof(BYTE), 1, handle) != 1) {
++						return FALSE;
++					}
++					// apply them
++					bits += delta_x;
++					scanline += delta_y;
++					break;
+ 
+-						BYTE delta_x = 0;
+-						BYTE delta_y = 0;
+-
+-						if(io->read_proc(&delta_x, sizeof(BYTE), 1, handle) != 1) {
+-							return FALSE;
+-						}
+-						if(io->read_proc(&delta_y, sizeof(BYTE), 1, handle) != 1) {
+-							return FALSE;
+-						}
+-
+-						// apply them
+-
+-						bits     += delta_x;
+-						scanline += delta_y;
+-
+-						break;
++				default:
++					// absolute mode
++					count = MIN((int)status_byte, width - bits);
++					if (count < 0) {
++						return FALSE;
+ 					}
+-
+-					default :
+-					{
+-						if(scanline >= abs(height)) {
+-							return TRUE;
+-						}
+-
+-						int count = MIN((int)status_byte, width - bits);
+-
+-						BYTE *sline = FreeImage_GetScanLine(dib, scanline);
+-
+-						if(io->read_proc((void *)(sline + bits), sizeof(BYTE) * count, 1, handle) != 1) {
++					BYTE *sline = FreeImage_GetScanLine(dib, scanline);
++					if (io->read_proc((void *)(sline + bits), sizeof(BYTE) * count, 1, handle) != 1) {
++						return FALSE;
++					}
++					// align run length to even number of bytes
++					if ((status_byte & 1) == 1) {
++						if (io->read_proc(&second_byte, sizeof(BYTE), 1, handle) != 1) {
+ 							return FALSE;
+ 						}
+-						
+-						// align run length to even number of bytes 
+-
+-						if ((status_byte & 1) == 1) {
+-							if(io->read_proc(&second_byte, sizeof(BYTE), 1, handle) != 1) {
+-								return FALSE;
+-							}
+-						}
+-
+-						bits += status_byte;													
+-
+-						break;	
+ 					}
+-				}
++					bits += status_byte;				
++					break;
+ 
+-				break;
+-
+-			default :
+-			{
+-				if(scanline >= abs(height)) {
+-					return TRUE;
+-				}
+-
+-				int count = MIN((int)status_byte, width - bits);
+-
+-				BYTE *sline = FreeImage_GetScanLine(dib, scanline);
+-
+-				if(io->read_proc(&second_byte, sizeof(BYTE), 1, handle) != 1) {
+-					return FALSE;
+-				}
+-
+-				for (int i = 0; i < count; i++) {
+-					*(sline + bits) = second_byte;
+-
+-					bits++;					
+-				}
+-
+-				break;
++			} // switch (status_byte)
++		}
++		else {
++			count = MIN((int)status_byte, width - bits);
++			if (count < 0) {
++				return FALSE;
+ 			}
++			BYTE *sline = FreeImage_GetScanLine(dib, scanline);
++			if (io->read_proc(&second_byte, sizeof(BYTE), 1, handle) != 1) {
++				return FALSE;
++			}
++			for (int i = 0; i < count; i++) {
++				*(sline + bits) = second_byte;
++				bits++;
++			}
+ 		}
+ 	}
++	
++	return FALSE;
+ }
+ 
+ // --------------------------------------------------------------------------
+@@ -463,10 +448,12 @@
+ 		BOOL header_only = (flags & FIF_LOAD_NOPIXELS) == FIF_LOAD_NOPIXELS;
+ 
+ 		// load the info header
+-
+ 		BITMAPINFOHEADER bih;
++		memset(&bih, 0, sizeof(BITMAPINFOHEADER));
++		if (io->read_proc(&bih, sizeof(BITMAPINFOHEADER), 1, handle) != 1) {
++			throw FI_MSG_ERROR_INVALID_FORMAT;
++		}
+ 
+-		io->read_proc(&bih, sizeof(BITMAPINFOHEADER), 1, handle);
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		SwapInfoHeader(&bih);
+ #endif
+@@ -544,7 +531,7 @@
+ 						break;
+ 
+ 					case BI_RLE4 :
+-						if( LoadPixelDataRLE4(io, handle, width, height, dib) ) {
++						if( (bit_count == 4) && LoadPixelDataRLE4(io, handle, width, height, dib) ) {
+ 							return dib;
+ 						} else {
+ 							throw "Error encountered while decoding RLE4 BMP data";
+@@ -552,7 +539,7 @@
+ 						break;
+ 
+ 					case BI_RLE8 :
+-						if( LoadPixelDataRLE8(io, handle, width, height, dib) ) {
++						if( (bit_count == 8) && LoadPixelDataRLE8(io, handle, width, height, dib) ) {
+ 							return dib;
+ 						} else {
+ 							throw "Error encountered while decoding RLE8 BMP data";
+@@ -602,7 +589,7 @@
+ 
+ 				return dib;
+ 			}
+-			break; // 16-bit
++			break; // 16-bit RGB
+ 
+ 			case 24 :
+ 			case 32 :
+@@ -679,10 +666,12 @@
+ 		BOOL header_only = (flags & FIF_LOAD_NOPIXELS) == FIF_LOAD_NOPIXELS;
+ 
+ 		// load the info header
+-
+ 		BITMAPINFOHEADER bih;
++		memset(&bih, 0, sizeof(BITMAPINFOHEADER));
++		if (io->read_proc(&bih, sizeof(BITMAPINFOHEADER), 1, handle) != 1) {
++			throw FI_MSG_ERROR_INVALID_FORMAT;
++		}
+ 
+-		io->read_proc(&bih, sizeof(BITMAPINFOHEADER), 1, handle);
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		SwapInfoHeader(&bih);
+ #endif
+@@ -767,17 +756,19 @@
+ 						return dib;
+ 
+ 					case BI_RLE4 :
+-						if( LoadPixelDataRLE4(io, handle, width, height, dib) ) {
++						if ((bit_count == 4) && LoadPixelDataRLE4(io, handle, width, height, dib)) {
+ 							return dib;
+-						} else {
++						}
++						else {
+ 							throw "Error encountered while decoding RLE4 BMP data";
+ 						}
+ 						break;
+ 
+ 					case BI_RLE8 :
+-						if( LoadPixelDataRLE8(io, handle, width, height, dib) ) {
++						if ((bit_count == 8) && LoadPixelDataRLE8(io, handle, width, height, dib)) {
+ 							return dib;
+-						} else {
++						}
++						else {
+ 							throw "Error encountered while decoding RLE8 BMP data";
+ 						}
+ 						break;
+@@ -863,9 +854,9 @@
+ 			}
+ 		}
+ 	} catch(const char *message) {
+-		if(dib)
++		if (dib) {
+ 			FreeImage_Unload(dib);
+-
++		}
+ 		FreeImage_OutputMessageProc(s_format_id, message);
+ 	}
+ 
+@@ -881,9 +872,13 @@
+ 	try {
+ 		BOOL header_only = (flags & FIF_LOAD_NOPIXELS) == FIF_LOAD_NOPIXELS;
+ 
++		// load the info header
+ 		BITMAPINFOOS2_1X_HEADER bios2_1x;
++		memset(&bios2_1x, 0, sizeof(BITMAPINFOOS2_1X_HEADER));
++		if (io->read_proc(&bios2_1x, sizeof(BITMAPINFOOS2_1X_HEADER), 1, handle) != 1) {
++			throw FI_MSG_ERROR_INVALID_FORMAT;
++		}
+ 
+-		io->read_proc(&bios2_1x, sizeof(BITMAPINFOOS2_1X_HEADER), 1, handle);
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		SwapOS21XHeader(&bios2_1x);
+ #endif
+@@ -1005,9 +1000,9 @@
+ 			}
+ 		}
+ 	} catch(const char *message) {	
+-		if(dib)
++		if (dib) {
+ 			FreeImage_Unload(dib);
+-
++		}
+ 		FreeImage_OutputMessageProc(s_format_id, message);
+ 	}
+ 
+@@ -1090,19 +1085,20 @@
+ 		BITMAPFILEHEADER bitmapfileheader;
+ 		DWORD type = 0;
+ 
+-		// we use this offset value to make seemingly absolute seeks relative in the file
+-		
++		// we use this offset value to make seemingly absolute seeks relative in the file		
+ 		long offset_in_file = io->tell_proc(handle);
+ 
+ 		// read the fileheader
++		memset(&bitmapfileheader, 0, sizeof(BITMAPFILEHEADER));
++		if (io->read_proc(&bitmapfileheader, sizeof(BITMAPFILEHEADER), 1, handle) != 1) {
++			return NULL;
++		}
+ 
+-		io->read_proc(&bitmapfileheader, sizeof(BITMAPFILEHEADER), 1, handle);
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		SwapFileHeader(&bitmapfileheader);
+ #endif
+ 
+ 		// check the signature
+-
+ 		if((bitmapfileheader.bfType != 0x4D42) && (bitmapfileheader.bfType != 0x4142)) {
+ 			FreeImage_OutputMessageProc(s_format_id, FI_MSG_ERROR_MAGIC_NUMBER);
+ 			return NULL;
+@@ -1109,9 +1105,9 @@
+ 		}
+ 
+ 		// read the first byte of the infoheader
+-
+ 		io->read_proc(&type, sizeof(DWORD), 1, handle);
+ 		io->seek_proc(handle, 0 - (long)sizeof(DWORD), SEEK_CUR);
++
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		SwapLong(&type);
+ #endif
+@@ -1138,7 +1134,7 @@
+ 				break;
+ 		}
+ 
+-		FreeImage_OutputMessageProc(s_format_id, "unknown bmp subtype with id %d", type);
++		FreeImage_OutputMessageProc(s_format_id, "Unknown bmp subtype with id %d", type);
+ 	}
+ 
+ 	return NULL;
+@@ -1418,6 +1414,7 @@
+ 			}
+ 
+ 			free(buffer);
++
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		} else if (dst_bpp == 16) {
+ 			int padding = dst_pitch - dst_width * sizeof(WORD);
+@@ -1439,6 +1436,7 @@
+ 				}
+ 			}
+ #endif
++
+ #if FREEIMAGE_COLORORDER == FREEIMAGE_COLORORDER_RGB
+ 		} else if (dst_bpp == 24) {
+ 			int padding = dst_pitch - dst_width * sizeof(FILE_BGR);

CVE-2020-21427-2-r1836-improved-BMP-plugin-when-working-with-malicious-images.patch

@@ -0,0 +1,159 @@
+Origin: upstream, r1836
+Index: Source/FreeImage/PluginBMP.cpp
+---
+diff --git a/Source/FreeImage/PluginBMP.cpp b/Source/FreeImage/PluginBMP.cpp
+--- a/Source/FreeImage/PluginBMP.cpp	(revision 1835)
++++ b/Source/FreeImage/PluginBMP.cpp	(revision 1836)
+@@ -139,6 +139,75 @@
+ // --------------------------------------------------------------------------
+ 
+ /**
++Check if a BITMAPINFOHEADER is valid
++@return Returns TRUE if successful, returns FALSE otherwise
++*/
++static BOOL
++CheckBitmapInfoHeader(BITMAPINFOHEADER *bih) {
++	if (bih->biSize != sizeof(BITMAPINFOHEADER)) {
++		// The size, in bytes, of the image.This may be set to zero for BI_RGB bitmaps.
++		// If biCompression is BI_JPEG or BI_PNG, biSizeImage indicates the size of the JPEG or PNG image buffer, respectively.
++		if ((bih->biSize == 0) && (bih->biCompression != BI_RGB)) {
++			return FALSE;
++		}
++		else if ((bih->biCompression == BI_JPEG) || (bih->biCompression == BI_PNG)) {
++			// JPEG or PNG is not yet supported
++			return FALSE;
++		}
++		else {
++			return FALSE;
++		}
++	}
++	if (bih->biWidth < 0) {
++		return FALSE;
++	}
++	if (bih->biHeight < 0) {
++		// If biHeight is negative, indicating a top-down DIB, biCompression must be either BI_RGB or BI_BITFIELDS. 
++		// Top-down DIBs cannot be compressed.
++		// If biCompression is BI_JPEG or BI_PNG, the biHeight member specifies the height of the decompressed JPEG or PNG image file, respectively.
++		if ((bih->biCompression != BI_RGB) && (bih->biCompression != BI_BITFIELDS)) {
++			return FALSE;
++		}
++	}
++	if (bih->biPlanes != 1) {
++		//  The number of planes for the target device. This value must be set to 1.
++		return FALSE;
++	}
++	switch (bih->biBitCount) {
++		case 0:
++			// The number of bits-per-pixel is specified or is implied by the JPEG or PNG format.
++			// JPEG or PNG is not yet supported			
++			return FALSE;
++			break;
++		case 1:
++		case 4:
++		case 8:
++		case 16:
++		case 24:
++		case 32:
++			break;
++		default:
++			// Unsupported bitdepth
++			return FALSE;
++	}
++	switch (bih->biCompression) {
++		case BI_RGB:
++		case BI_RLE8:
++		case BI_RLE4:
++		case BI_BITFIELDS:
++			break;
++		case BI_JPEG:
++		case BI_PNG:
++		default:
++			return FALSE;
++	}
++
++	return TRUE;
++}
++
++// --------------------------------------------------------------------------
++
++/**
+ Load uncompressed image pixels for 1-, 4-, 8-, 16-, 24- and 32-bit dib
+ @param io FreeImage IO
+ @param handle FreeImage IO handle
+@@ -458,6 +527,10 @@
+ 		SwapInfoHeader(&bih);
+ #endif
+ 
++		if (CheckBitmapInfoHeader(&bih) == FALSE) {
++			throw FI_MSG_ERROR_INVALID_FORMAT;
++		}
++
+ 		// keep some general information about the bitmap
+ 
+ 		unsigned used_colors	= bih.biClrUsed;
+@@ -555,10 +628,18 @@
+ 			case 16 :
+ 			{
+ 				int use_bitfields = 0;
+-				if (bih.biCompression == BI_BITFIELDS) use_bitfields = 3;
+-				else if (bih.biCompression == BI_ALPHABITFIELDS) use_bitfields = 4;
+-				else if (type == 52) use_bitfields = 3;
+-				else if (type >= 56) use_bitfields = 4;
++				if (bih.biCompression == BI_BITFIELDS) {
++					use_bitfields = 3;
++				}
++				else if (bih.biCompression == BI_ALPHABITFIELDS) {
++					use_bitfields = 4;
++				}
++				else if (type == 52) {
++					use_bitfields = 3;
++				}
++				else if (type >= 56) {
++					use_bitfields = 4;
++				}
+ 				
+ 				if (use_bitfields > 0) {
+  					DWORD bitfields[4];
+@@ -595,10 +676,18 @@
+ 			case 32 :
+ 			{
+ 				int use_bitfields = 0;
+-				if (bih.biCompression == BI_BITFIELDS) use_bitfields = 3;
+-				else if (bih.biCompression == BI_ALPHABITFIELDS) use_bitfields = 4;
+-				else if (type == 52) use_bitfields = 3;
+-				else if (type >= 56) use_bitfields = 4;
++				if (bih.biCompression == BI_BITFIELDS) {
++					use_bitfields = 3;
++				}
++				else if (bih.biCompression == BI_ALPHABITFIELDS) {
++					use_bitfields = 4;
++				}
++				else if (type == 52) {
++					use_bitfields = 3;
++				}
++				else if (type >= 56) {
++					use_bitfields = 4;
++				}
+ 
+  				if (use_bitfields > 0) {
+ 					DWORD bitfields[4];
+@@ -676,6 +765,10 @@
+ 		SwapInfoHeader(&bih);
+ #endif
+ 
++		if (CheckBitmapInfoHeader(&bih) == FALSE) {
++			throw FI_MSG_ERROR_INVALID_FORMAT;
++		}
++
+ 		// keep some general information about the bitmap
+ 
+ 		unsigned used_colors	= bih.biClrUsed;
+@@ -780,7 +873,7 @@
+ 
+ 			case 16 :
+ 			{
+-				if (bih.biCompression == 3) {
++				if (bih.biCompression == BI_BITFIELDS) {
+ 					DWORD bitfields[3];
+ 
+ 					io->read_proc(bitfields, 3 * sizeof(DWORD), 1, handle);

CVE-2020-21427-pre-r1830-minor-refactoring.patch

@@ -0,0 +1,15 @@
+Index: Source/Utilities.h
+===================================================================
+diff --git a/Source/Utilities.h b/Source/Utilities.h
+--- a/Source/Utilities.h	(revision 1829)
++++ b/Source/Utilities.h	(revision 1830)
+@@ -529,7 +529,8 @@
+ static const char *FI_MSG_ERROR_DIB_MEMORY = "DIB allocation failed, maybe caused by an invalid image size or by a lack of memory";
+ static const char *FI_MSG_ERROR_PARSING = "Parsing error";
+ static const char *FI_MSG_ERROR_MAGIC_NUMBER = "Invalid magic number";
+-static const char *FI_MSG_ERROR_UNSUPPORTED_FORMAT = "Unsupported format";
++static const char *FI_MSG_ERROR_UNSUPPORTED_FORMAT = "Unsupported image format";
++static const char *FI_MSG_ERROR_INVALID_FORMAT = "Invalid file format";
+ static const char *FI_MSG_ERROR_UNSUPPORTED_COMPRESSION = "Unsupported compression type";
+ static const char *FI_MSG_WARNING_INVALID_THUMBNAIL = "Warning: attached thumbnail cannot be written to output file (invalid format) - Thumbnail saving aborted";
+ 

CVE-2020-21428-r1877-improved-DDS-plugin-against-malicious-images.patch

@@ -0,0 +1,15 @@
+Origin: upstream, r1877
+Index: Source/FreeImage/PluginDDS.cpp
+===================================================================
+diff --git a/Source/FreeImage/PluginDDS.cpp b/Source/FreeImage/PluginDDS.cpp
+--- a/Source/FreeImage/PluginDDS.cpp	(revision 1876)
++++ b/Source/FreeImage/PluginDDS.cpp	(revision 1877)
+@@ -617,7 +617,7 @@
+ 	// read the file
+ 	// -------------------------------------------------------------------------
+ 
+-	const int line = CalculateLine(width, bpp);
++	const int line = CalculateLine(width, FreeImage_GetBPP(dib));
+ 	const int filePitch = ((desc->dwFlags & DDSD_PITCH) == DDSD_PITCH) ? (int)desc->dwPitchOrLinearSize : line;
+ 	const long delta = (long)filePitch - (long)line;
+ 

CVE-2020-22524-r1848-improved-PFM-plugin-against-malicious-images.patch

@@ -0,0 +1,227 @@
+Origin: upstream, r1848
+Index: Source/FreeImage/PluginPFM.cpp
+---
+diff --git a/Source/FreeImage/PluginPFM.cpp b/Source/FreeImage/PluginPFM.cpp
+--- a/Source/FreeImage/PluginPFM.cpp	(revision 1847)
++++ b/Source/FreeImage/PluginPFM.cpp	(revision 1848)
+@@ -23,6 +23,12 @@
+ #include "Utilities.h"
+ 
+ // ==========================================================
++// Plugin Interface
++// ==========================================================
++
++static int s_format_id;
++
++// ==========================================================
+ // Internal functions
+ // ==========================================================
+ 
+@@ -59,6 +65,9 @@
+ 
+ /**
+ Get an integer value from the actual position pointed by handle
++@param io
++@param handle
++@return Returns -1 in case of failure, returns the found number otherwise
+ */
+ static int
+ pfm_get_int(FreeImageIO *io, fi_handle handle) {
+@@ -65,70 +74,72 @@
+     char c = 0;
+ 	BOOL bFirstChar;
+ 
+-    // skip forward to start of next number
++	try {
+ 
+-	if(!io->read_proc(&c, 1, 1, handle)) {
+-		throw FI_MSG_ERROR_PARSING;
+-	}
++		// skip forward to start of next number
+ 
+-    while (1) {
+-        // eat comments
++		if (io->read_proc(&c, 1, 1, handle) != 1) {
++			throw FI_MSG_ERROR_PARSING;
++		}
+ 
+-        if (c == '#') {
+-			// if we're at a comment, read to end of line
++		while (1) {
++			// eat comments
+ 
+-            bFirstChar = TRUE;
++			if (c == '#') {
++				// if we're at a comment, read to end of line
+ 
+-            while (1) {
+-				if(!io->read_proc(&c, 1, 1, handle)) {
+-					throw FI_MSG_ERROR_PARSING;
+-				}
++				bFirstChar = TRUE;
+ 
+-				if (bFirstChar && c == ' ') {
+-					// loop off 1 sp after #
+-					bFirstChar = FALSE;
+-				} else if (c == '\n') {
+-					break;
++				while (1) {
++					if (io->read_proc(&c, 1, 1, handle) != 1) {
++						throw FI_MSG_ERROR_PARSING;
++					}
++
++					if (bFirstChar && c == ' ') {
++						// loop off 1 sp after #
++						bFirstChar = FALSE;
++					}
++					else if (c == '\n') {
++						break;
++					}
+ 				}
+ 			}
+-		}
+ 
+-        if (c >= '0' && c <='9') {
+-			// we've found what we were looking for
+-            break;
+-		}
++			if (c >= '0' && c <= '9') {
++				// we've found what we were looking for
++				break;
++			}
+ 
+-		if(!io->read_proc(&c, 1, 1, handle)) {
+-			throw FI_MSG_ERROR_PARSING;
++			if (io->read_proc(&c, 1, 1, handle) != 1) {
++				throw FI_MSG_ERROR_PARSING;
++			}
+ 		}
+-    }
+ 
+-    // we're at the start of a number, continue until we hit a non-number
++		// we're at the start of a number, continue until we hit a non-number
+ 
+-    int i = 0;
++		int i = 0;
+ 
+-    while (1) {
+-        i = (i * 10) + (c - '0');
++		while (1) {
++			i = (i * 10) + (c - '0');
+ 
+-		if(!io->read_proc(&c, 1, 1, handle)) {
+-			throw FI_MSG_ERROR_PARSING;
+-		}
++			if (io->read_proc(&c, 1, 1, handle) != 1) {
++				throw FI_MSG_ERROR_PARSING;
++			}
+ 
+-		if (c < '0' || c > '9') {
+-			break;
++			if (c < '0' || c > '9') {
++				break;
++			}
+ 		}
+-    }
+ 
+-    return i;
++		return i;
++	}
++	catch (const char *message) {
++		FreeImage_OutputMessageProc(s_format_id, message);
++		return -1;
++	}
+ }
+ 
+ // ==========================================================
+-// Plugin Interface
+-// ==========================================================
+-
+-static int s_format_id;
+-
+-// ==========================================================
+ // Plugin Implementation
+ // ==========================================================
+ 
+@@ -230,8 +241,12 @@
+ 		}
+ 
+ 		// Read the header information: width, height and the scale value
+-		unsigned width  = (unsigned) pfm_get_int(io, handle);
+-		unsigned height = (unsigned) pfm_get_int(io, handle);
++		int width = pfm_get_int(io, handle);
++		int height = pfm_get_int(io, handle);
++		if ((width <= 0) || (height <= 0)) {
++			throw FI_MSG_ERROR_PARSING;
++		}
++
+ 		float scalefactor = 1;
+ 
+ 		BOOL bResult = pfm_get_line(io, handle, line_buffer, PFM_MAXLINE);
+@@ -262,7 +277,7 @@
+ 				throw FI_MSG_ERROR_MEMORY;
+ 			}
+ 
+-			for (unsigned y = 0; y < height; y++) {	
++			for (int y = 0; y < height; y++) {	
+ 				FIRGBF *bits = (FIRGBF*)FreeImage_GetScanLine(dib, height - 1 - y);
+ 
+ 				if(io->read_proc(lineBuffer, sizeof(float), lineWidth, handle) != lineWidth) {
+@@ -271,7 +286,7 @@
+ 				float *channel = lineBuffer;
+ 				if(scalefactor > 0) {
+ 					// MSB
+-					for (unsigned x = 0; x < width; x++) {
++					for (int x = 0; x < width; x++) {
+ 						REVERSEBYTES(channel++, &bits[x].red);
+ 						REVERSEBYTES(channel++, &bits[x].green);
+ 						REVERSEBYTES(channel++, &bits[x].blue);
+@@ -278,7 +293,7 @@
+ 					}
+ 				} else {
+ 					// LSB					
+-					for (unsigned x = 0; x < width; x++) {
++					for (int x = 0; x < width; x++) {
+ 						bits[x].red		= *channel++;
+ 						bits[x].green	= *channel++;
+ 						bits[x].blue	= *channel++;
+@@ -296,7 +311,7 @@
+ 				throw FI_MSG_ERROR_MEMORY;
+ 			}
+ 
+-			for (unsigned y = 0; y < height; y++) {	
++			for (int y = 0; y < height; y++) {	
+ 				float *bits = (float*)FreeImage_GetScanLine(dib, height - 1 - y);
+ 
+ 				if(io->read_proc(lineBuffer, sizeof(float), lineWidth, handle) != lineWidth) {
+@@ -305,12 +320,12 @@
+ 				float *channel = lineBuffer;
+ 				if(scalefactor > 0) {
+ 					// MSB - File is Big endian
+-					for (unsigned x = 0; x < width; x++) {
++					for (int x = 0; x < width; x++) {
+ 						REVERSEBYTES(channel++, &bits[x]);
+ 					}
+ 				} else {
+ 					// LSB - File is Little Endian
+-					for (unsigned x = 0; x < width; x++) {
++					for (int x = 0; x < width; x++) {
+ 						bits[x] = *channel++;
+ 					}
+ 				}
+@@ -323,9 +338,12 @@
+ 		return dib;
+ 
+ 	} catch (const char *text)  {
+-		if(lineBuffer) free(lineBuffer);
+-		if(dib) FreeImage_Unload(dib);
+-
++		if (lineBuffer) {
++			free(lineBuffer);
++		}
++		if (dib) {
++			FreeImage_Unload(dib);
++		}
+ 		if(NULL != text) {
+ 			FreeImage_OutputMessageProc(s_format_id, text);
+ 		}

CVE-2020-24292.patch

@@ -0,0 +1,14 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24292.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp	2023-09-28 19:34:45.524031668 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp	2023-09-28 19:34:47.717009813 +0200
+@@ -301,6 +301,9 @@ LoadStandardIcon(FreeImageIO *io, fi_han
+ 	int width  = bmih.biWidth;
+ 	int height = bmih.biHeight / 2; // height == xor + and mask
+ 	unsigned bit_count = bmih.biBitCount;
++	if (bit_count != 1 && bit_count != 2 && bit_count != 4 && bit_count != 8 && bit_count != 16 && bit_count != 24 && bit_count != 32) {
++	  return NULL;
++	}
+ 	unsigned line   = CalculateLine(width, bit_count);
+ 	unsigned pitch  = CalculatePitch(line);
+ 

CVE-2020-24293.patch

@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24293.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.287014100 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.832008666 +0200
+@@ -780,6 +780,10 @@ int psdThumbnail::Read(FreeImageIO *io,
+ 		FreeImage_Unload(_dib);
+ 	}
+ 
++	if (_WidthBytes != _Width * _BitPerPixel / 8) {
++	  throw "Invalid PSD image";
++	}
++
+ 	if(_Format == 1) {
+ 		// kJpegRGB thumbnail image
+ 		_dib = FreeImage_LoadFromHandle(FIF_JPEG, io, handle);

CVE-2020-24295.patch

@@ -0,0 +1,22 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24295.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.936007630 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.940007590 +0200
+@@ -1466,6 +1466,7 @@ FIBITMAP* psdParser::ReadImageData(FreeI
+ 	const unsigned dstBpp =  (depth == 1) ? 1 : FreeImage_GetBPP(bitmap)/8;
+ 	const unsigned dstLineSize = FreeImage_GetPitch(bitmap);
+ 	BYTE* const dst_first_line = FreeImage_GetScanLine(bitmap, nHeight - 1);//<*** flipped
++	const unsigned dst_buffer_size = dstLineSize * nHeight;
+ 
+ 	BYTE* line_start = new BYTE[lineSize]; //< fileline cache
+ 
+@@ -1481,6 +1482,9 @@ FIBITMAP* psdParser::ReadImageData(FreeI
+ 				const unsigned channelOffset = GetChannelOffset(bitmap, c) * bytes;
+ 
+ 				BYTE* dst_line_start = dst_first_line + channelOffset;
++				if (channelOffset + lineSize > dst_buffer_size) {
++					throw "Invalid PSD image";
++				}
+ 				for(unsigned h = 0; h < nHeight; ++h, dst_line_start -= dstLineSize) {//<*** flipped
+ 					io->read_proc(line_start, lineSize, 1, handle);
+ 					ReadImageLine(dst_line_start, line_start, lineSize, dstBpp, bytes);

CVE-2021-33367.patch

@@ -0,0 +1,18 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-33367.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/Metadata/Exif.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp	2024-10-23 09:59:54.487770330 +0800
++++ freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp	2024-10-23 10:01:14.995770330 +0800
+@@ -720,7 +720,12 @@ jpeg_read_exif_dir(FIBITMAP *dib, const
+ 
+ 	const WORD entriesCount0th = ReadUint16(msb_order, ifd0th);
+ 	
+-	DWORD next_offset = ReadUint32(msb_order, DIR_ENTRY_ADDR(ifd0th, entriesCount0th));
++	const BYTE* de_addr = DIR_ENTRY_ADDR(ifd0th, entriesCount0th);
++	if(de_addr+4 >= (BYTE*)(dwLength + ifd0th - tiffp)) {
++		return TRUE; //< no thumbnail
++	}
++
++	DWORD next_offset = ReadUint32(msb_order, de_addr);
+ 	if((next_offset == 0) || (next_offset >= dwLength)) {
+ 		return TRUE; //< no thumbnail
+ 	}

CVE-2021-40263.patch

@@ -0,0 +1,16 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40263.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.713009853 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:48.043006563 +0200
+@@ -2081,6 +2081,11 @@ Load(FreeImageIO *io, fi_handle handle,
+ 				uint32 tileRowSize = (uint32)TIFFTileRowSize(tif);
+ 				uint32 imageRowSize = (uint32)TIFFScanlineSize(tif);
+ 
++				if (width / tileWidth * tileRowSize * 8 > bitspersample * samplesperpixel * width) {
++				  free(tileBuffer);
++				  throw "Corrupted tiled TIFF file";
++				}
++
+ 
+ 				// In the tiff file the lines are saved from up to down 
+ 				// In a DIB the lines must be saved from down to up

CVE-2021-40266.patch

@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40266.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.501011966 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.610010879 +0200
+@@ -357,6 +357,10 @@ static void
+ ReadPalette(TIFF *tiff, uint16 photometric, uint16 bitspersample, FIBITMAP *dib) {
+ 	RGBQUAD *pal = FreeImage_GetPalette(dib);
+ 
++	if (!pal) {
++	  return;
++	}
++
+ 	switch(photometric) {
+ 		case PHOTOMETRIC_MINISBLACK:	// bitmap and greyscale image types
+ 		case PHOTOMETRIC_MINISWHITE:

CVE-2023-47995.patch

@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47995.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginJPEG.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginJPEG.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginJPEG.cpp	2024-03-10 14:22:17.818579271 +0100
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginJPEG.cpp	2024-03-10 14:22:18.776573816 +0100
+@@ -1086,6 +1086,10 @@ Load(FreeImageIO *io, fi_handle handle,
+ 
+ 			jpeg_read_header(&cinfo, TRUE);
+ 
++			if (cinfo.image_width > JPEG_MAX_DIMENSION || cinfo.image_height > JPEG_MAX_DIMENSION) {
++				throw FI_MSG_ERROR_DIB_MEMORY;
++			}
++
+ 			// step 4: set parameters for decompression
+ 
+ 			unsigned int scale_denom = 1;		// fraction by which to scale image

CVE-2023-47997.patch

@@ -0,0 +1,17 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47997.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2024-03-10 14:22:18.669574426 +0100
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2024-03-10 14:22:18.673574403 +0100
+@@ -1435,6 +1435,12 @@ Load(FreeImageIO *io, fi_handle handle,
+ 				(int)bitspersample, (int)samplesperpixel, (int)photometric);
+ 			throw (char*)NULL;
+ 		}
++		if (planar_config == PLANARCONFIG_SEPARATE && bitspersample < 8) {
++			FreeImage_OutputMessageProc(s_format_id,
++				"Unable to handle this format: bitspersample = 8, TIFFTAG_PLANARCONFIG = PLANARCONFIG_SEPARATE"
++			);
++			throw (char*)NULL;
++		}
+ 
+ 		// ---------------------------------------------------------------------------------
+ 

Fix-build-failure-with-LibRaw-0.21.1.patch

@@ -0,0 +1,13 @@
+diff -rupN --no-dereference freeimage-svn-r1889-FreeImage-trunk/Source/FreeImage/PluginRAW.cpp freeimage-svn-r1889-FreeImage-trunk-new/Source/FreeImage/PluginRAW.cpp
+--- freeimage-svn-r1889-FreeImage-trunk/Source/FreeImage/PluginRAW.cpp	2023-04-13 15:28:11.206544177 +0200
++++ freeimage-svn-r1889-FreeImage-trunk-new/Source/FreeImage/PluginRAW.cpp	2023-04-13 15:28:11.524544641 +0200
+@@ -701,7 +701,7 @@ Load(FreeImageIO *io, fi_handle handle,
+ 		// --------------------------------------------
+ 
+ 		// (-s [0..N-1]) Select one raw image from input file
+-		RawProcessor->imgdata.params.shot_select = 0;
++		RawProcessor->imgdata.rawparams.shot_select = 0;
+ 		// (-w) Use camera white balance, if possible (otherwise, fallback to auto_wb)
+ 		RawProcessor->imgdata.params.use_camera_wb = 1;
+ 		// (-M) Use any color matrix from the camera metadata. This option only affects Olympus, Leaf, and Phase One cameras.
+

freeimage-libtiff45.patch

@@ -0,0 +1,12 @@
+diff -Nur a/Source/Metadata/XTIFF.cpp b/Source/Metadata/XTIFF.cpp
+--- a/Source/Metadata/XTIFF.cpp	2023-02-13 11:08:06.161477974 +0800
++++ b/Source/Metadata/XTIFF.cpp	2023-02-13 11:15:35.831996396 +0800
+@@ -749,7 +749,7 @@
+ 				continue;
+ 			}
+ 			// type of storage may differ (e.g. rationnal array vs float array type)
+-			if((unsigned)_TIFFDataSize(tif_tag_type) != FreeImage_TagDataWidth(tag_type)) {
++			if((unsigned)TIFFFieldSetGetSize(fld) != FreeImage_TagDataWidth(tag_type)) {
+ 				// skip tag or _TIFFmemcpy will fail
+ 				continue;
+ 			}

freeimage.spec

@@ -1,13 +1,12 @@
-#%global debug_package %{nil}
 %undefine _ld_as_needed
   
 %define major 3
 
 Name:    freeimage
 Version: 3.18.0
-Release: 7
+Release: 13
 Summary: FreeImage is a library project for developers who would like to support popular graphics image formats (PNG, JPEG, TIFF, BMP and others)
-License: GPLv2 or GPLv3 and FIPL
+License: GPLv2 or GPLv3 and FreeImage
 URL:	 https://freeimage.sourceforge.io/
 Source0: http://downloads.sourceforge.net/freeimage/FreeImage3180.zip
 
@@ -22,7 +21,23 @@ Patch3:         FreeImage_doxygen.patch
 Patch4:         FreeImage_bigendian.patch
 Patch5:		substream.patch
 Patch6:		Fix-build-failure-with-OpenEXR-3.0.patch
-
+Patch7:         freeimage-libtiff45.patch
+Patch8:         Fix-build-failure-with-LibRaw-0.21.1.patch 
+# https://sources.debian.org/src/freeimage/3.18.0%2Bds2-10/debian/patches/
+Patch9:         CVE-2020-21427-pre-r1830-minor-refactoring.patch
+Patch10:        CVE-2020-21427-1-r1832-improved-BMP-plugin-when-working-with-malicious-images.patch
+Patch11:        CVE-2020-21428-r1877-improved-DDS-plugin-against-malicious-images.patch
+Patch12:        CVE-2020-21427-2-r1836-improved-BMP-plugin-when-working-with-malicious-images.patch
+Patch13:        CVE-2020-22524-r1848-improved-PFM-plugin-against-malicious-images.patch
+# https://src.fedoraproject.org/rpms/freeimage/tree/f39
+Patch14:        CVE-2020-24292.patch
+Patch15:        CVE-2020-24293.patch
+Patch16:        CVE-2020-24295.patch
+Patch17:        CVE-2021-33367.patch
+Patch18:        CVE-2021-40263.patch
+Patch19:        CVE-2021-40266.patch
+Patch20:        CVE-2023-47995.patch
+Patch21:        CVE-2023-47997.patch
 
 BuildRequires:  doxygen  gcc-c++ make jxrlib-devel libjpeg-devel libmng-devel libpng-devel libtiff-devel libwebp-devel LibRaw-devel OpenEXR-devel openjpeg2-devel
 
@@ -106,6 +121,25 @@ ldconfig -n %{buildroot}%{_libdir}
 
 
 %changelog
+* Wed Oct 23 2024 wangkai <13474090681@163.com> - 3.18.0-13
+- Fix CVE-2020-24292 CVE-2020-24293 CVE-2020-24295 CVE-2021-33367
+  CVE-2021-40263 CVE-2021-40266 CVE-2023-47995 CVE-2023-47997
+
+* Mon Aug 19 2024 xu_ping <707078654@qq.com> - 3.18.0-12
+- License compliance rectification.
+
+* Mon Dec 04 2023 wangkai <13474090681@163.com> - 3.18.0-11
+- Fix CVE-2020-21427,CVE-2020-21428,CVE-2020-22524
+
+* Wed Jul 5 2023 liyanan <thistleslyn@163.com> - 3.18.0-10
+- Fix compilation failure caused by LibRaw upgrade 
+
+* Mon Feb 13 2023 wulei <wulei80@h-partners.com> - 3.18.0-9
+- Add patch for libtiff-4.5.0 comptability
+
+* Wed Aug 24 2022 caodongxia <caodongxia@h-partners.com> -3.18.0-8
+- Add debug package to add strip
+
 * Tue Mar 01 2022 weidong <weidong@uniontech.com> -3.18.0-7
 - Fix build error