git: 0a1052798c8e - main - graphics/optipng: Add fix for CVE-2023-43907

From: Robert Clausecker <fuz_at_FreeBSD.org>
Date: Fri, 03 Nov 2023 21:18:12 UTC
The branch main has been updated by fuz:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0a1052798c8e4879ca869b9032830a4ca00b1c02

commit 0a1052798c8e4879ca869b9032830a4ca00b1c02
Author:     Thomas Hurst <tom@hur.st>
AuthorDate: 2023-10-30 22:45:22 +0000
Commit:     Robert Clausecker <fuz@FreeBSD.org>
CommitDate: 2023-11-03 21:16:19 +0000

    graphics/optipng: Add fix for CVE-2023-43907
    
     - Add a bounds check to prevent out-of-bounds read of buffer on
       specially-formed GIF files.
     - Remove BUNDLED_LIBPNG and BUNDLED_ZLIB, as the supplied versions are
       well out of date and offer no noted advantages.
    
    PR:             274822
    MFH:            2023Q4
    Security:       fe7ac70a-792b-11ee-bf9a-a04a5edf46d9
---
 graphics/optipng/Makefile                          | 28 ++++++++++------------
 graphics/optipng/files/patch-src_gifread_gifread.c | 14 +++++++++++
 2 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/graphics/optipng/Makefile b/graphics/optipng/Makefile
index adf3fcdb59be..acbe6053199d 100644
--- a/graphics/optipng/Makefile
+++ b/graphics/optipng/Makefile
@@ -1,36 +1,32 @@
 PORTNAME=	optipng
-PORTVERSION=	0.7.7
+DISTVERSION=	0.7.7
+PORTREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	SF/${PORTNAME}/OptiPNG/${PORTNAME}-${PORTVERSION}
 
 MAINTAINER=	tom@hur.st
 COMMENT=	Optimizer for PNG files
-WWW=		http://optipng.sourceforge.net/
+WWW=		https://optipng.sourceforge.net/
 
 LICENSE=	ZLIB
 LICENSE_FILE=	${WRKSRC}/LICENSE.txt
 
-OPTIONS_DEFINE=	BUNDLED_LIBPNG BUNDLED_ZLIB DOCS
+LIB_DEPENDS=	libpng.so:graphics/png
 
-BUNDLED_LIBPNG_DESC=		Use bundled libpng
-BUNDLED_LIBPNG_CONFIGURE_OFF=	--with-system-libpng
-BUNDLED_LIBPNG_CONFIGURE_ON=	--without-system-libpng
-BUNDLED_LIBPNG_LIB_DEPENDS_OFF=	libpng.so:graphics/png
-BUNDLED_LIBPNG_USES_OFF=	localbase:ldflags
-
-BUNDLED_ZLIB_DESC=		Use bundled zlib
-BUNDLED_ZLIB_CONFIGURE_OFF=	--with-system-zlib
-BUNDLED_ZLIB_CONFIGURE_ON=	--without-system-zlib
+USES=		cpe gmake localbase:ldflags
+CPE_VENDOR=	optipng_project
 
-USES=		cpe gmake
 HAS_CONFIGURE=	yes
+CONFIGURE_ARGS=	--with-system-libpng \
+		--with-system-zlib
 
-CPE_VENDOR=	optipng_project
-
-PLIST_FILES=	bin/optipng man/man1/optipng.1.gz
+PLIST_FILES=	bin/optipng \
+		man/man1/optipng.1.gz
 PORTDOCS=	history.txt optipng.man.html optipng.man.pdf optipng.man.txt \
 		png_optimization.html todo.txt
 
+OPTIONS_DEFINE=	DOCS
+
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/src/optipng/optipng ${STAGEDIR}${PREFIX}/bin/
 	${INSTALL_MAN} ${WRKSRC}/src/optipng/man/optipng.1 ${STAGEDIR}${MAN1PREFIX}/man/man1/
diff --git a/graphics/optipng/files/patch-src_gifread_gifread.c b/graphics/optipng/files/patch-src_gifread_gifread.c
new file mode 100644
index 000000000000..bfc0112026c5
--- /dev/null
+++ b/graphics/optipng/files/patch-src_gifread_gifread.c
@@ -0,0 +1,14 @@
+--- src/gifread/gifread.c.orig	2017-12-10 23:49:00 UTC
++++ src/gifread/gifread.c
+@@ -363,6 +363,11 @@ static int LZWGetCode(int code_size, int init_flag, FI
+         lastbit = (2 + count) * 8;
+     }
+ 
++    if (code_size && (size_t)(curbit + code_size - 1) / 8 >= sizeof(buffer)) {
++        GIFError("Malformed GIF (CVE-2023-43907)");
++        return -1;
++    }
++
+     ret = 0;
+     for (i = curbit, j = 0; j < code_size; ++i, ++j)
+         ret |= ((buffer[i / 8] & (1 << (i % 8))) != 0) << j;