commit graphviz.16305 for openSUSE:Leap:15.2:Update
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package graphviz.16305 for openSUSE:Leap:15.2:Update checked in at 2021-05-22 07:03:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/graphviz.16305 (Old)
 and /work/SRC/openSUSE:Leap:15.2:Update/.graphviz.16305.new.2988 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "graphviz.16305"

Sat May 22 07:03:21 2021 rev:1 rq:894414 version:2.40.1

Changes:
--------
New Changes file:

--- /dev/null 2021-04-29 10:03:23.520854754 +0200 +++ /work/SRC/openSUSE:Leap:15.2:Update/.graphviz.16305.new.2988/graphviz-addons.changes 2021-05-22 07:03:24.276033644 +0200 
@@ -0,0 +1,1101 @@ +------------------------------------------------------------------- +Thu May 28 12:19:07 UTC 2020 - Christian V��gl <christian.voegl@suse.com> + +- Added graphviz-null_dereference.patch to fix CVE-2018-10196 + (boo#1093447) + +------------------------------------------------------------------- +Tue Apr 16 16:06:18 UTC 2019 - Christian V��gl <christian.voegl@suse.com> + +- Added graphivz-malformed_input.patch from commit 839085f8 + to fix CVE-2019-11023 (boo#1132091) + +------------------------------------------------------------------- +Tue Jan 16 13:50:45 UTC 2018 - dimstar@opensuse.org + +- Disable building the graphviz-ocaml package: we have no consumer + of it, but not building it allows us to elminiate a build cycle. + +------------------------------------------------------------------- +Thu Oct 26 10:01:19 CEST 2017 - pth@suse.de + +- Reverse last change. + +------------------------------------------------------------------- +Wed Oct 25 10:58:28 CEST 2017 - pth@suse.de + +- Remove pre_checkin.sh and graphviz-addon.* as they aren't needed + anymore. + +------------------------------------------------------------------- +Mon Oct 23 15:57:03 CEST 2017 - pth@suse.de + +- Replace the recommends for graphviz-gnome by a 'supplements packageand' + so that graphviz doesn't pull in all the X11 related stuff on a + machine without graphical desktop (bsc#930442). + +------------------------------------------------------------------- +Wed Oct 4 15:43:37 UTC 2017 - dimstar@opensuse.org + +- Exclude %{_mandir}/man1/smyrna.1%{ext_man} from graphiz' main + package, since the man page is packaged in the -smyrna sub + package already. 
+ +------------------------------------------------------------------- +Mon Aug 7 11:45:08 UTC 2017 - tchvatal@suse.com + +- Add bcond for java and ocaml that can be overriden in staging prj + +------------------------------------------------------------------- +Thu Aug 3 12:56:24 UTC 2017 - tchvatal@suse.com + +- Drop smyrna and gvedit separate spec, now handled by + graphviz-addons + * Switch graphviz-gvedit to Qt5: + + graphviz-qt5.patch +- Drop graphviz-plugin subkpg in favor of graphviz-addons.spec + that is generated from graphviz directly +- Make sure all patches are applied also in main package so none + get lost by accident +- Refresh patch graphviz-plugins-fix_install_dirs.patch +- Make sure graphviz php plugins are generated using php7 + * set the php7 path in graphviz-plugins-fix_install_dirs.patch +- Remove tkspline from tcl package as it is no longer shipped +- Make sure the pic/pie is enforced on all the libs/bins + +------------------------------------------------------------------- +Wed Aug 2 12:46:02 UTC 2017 - tchvatal@suse.com + +- Update to 2.40.1 release: + * Remove usage of ast_common.h + * network-simplex fixes and optimization (Stephen North) + * built-in tred tool now available in the various swig generated + language bindings (John Ellson) + * number rounding added to SVG renderer (same as PS and TK rounding) + to aid regression testing. (John Ellson) + * additional regressson test framework, used in Travis CI builds. (Erwin Janssen) + * PHP7 support (requires swig-3.0.11 or later). (John Ellson) + * Allow user to specify clustering algorithm in gvmap. (Emden Gansner) + * Add Sierpinski graph generator to gvgen. 
(Emden Gansner) + * Extensive code cleanup (Erwin Janssen) + * Removal of libgd source - use vanilla libgd from separate install + * Windows builds (Erwin Janssen) + * Appveyor CI for automated Windows build testing (Erwin Janssen) + * Travis CI for Fedora/Centos builds (Erwin Janssen) + * Added JSON output format, -Tjson (Emden Gansner) + * New curved arrowhead, cylinder node shape. + * Resolves bugs: 2599, 1172 + * Add cylinder shape for databases. + * Free installed plugins + * Update makefile for dot so that the using libpanco_C in the static build include PANGOFT2 + as well as PANGOCAIRO_LIBS (needed for some versions of Ubuntu) + * Add json output format + * output class value in svg files + * Add plain shape for use with HTML-like labels. + * Add icurve arrowhead. + * Revert to old, translate to origin semantics in neato, etc. Add flag notranslate if that is + what the user desires. +- Run over with spec-cleaner and convert deps to pkgconfig +- Fix Group +- Remove unused pre requirements as there is no pre phase +- Inline sed changes and do not rely on pipes +- Do not add needless requires to devel pkg, there are no such stated + dependencies in any of the .pc files provided +- Add pre_checkin.sh scriptlet to allow generating of the extras subpkg + instead of having independent spec files + +------------------------------------------------------------------- +Sun May 28 11:46:05 UTC 2017 - bwiedemann@suse.com + +- Add reproducible.patch to not have binaries depend on build system timings + +------------------------------------------------------------------- +Wed Jun 10 06:54:27 UTC 2015 - mpluskal@suse.com + +- Remove pangocairo and lasi support as it introduces build cycle + +------------------------------------------------------------------- +Thu Apr 9 07:38:01 UTC 2015 - opensuse.lietuviu.kalba@gmail.com + +- Build with pangocairo and lasi support. 
+ +------------------------------------------------------------------- +Mon Nov 17 03:14:00 UTC 2014 - Led <ledest@gmail.com> + +- fix ksh-specific constrictions in gvmap.sh script +- add patches: + + graphviz-2.38.0-fix-gvmap.patch + +------------------------------------------------------------------- +Tue Jul 15 11:33:27 UTC 2014 - toddrme2178@gmail.com + +- Remove upstream-included patch graphviz-ppc64le_lib64_support.patch + from graphviz-plugins.spec + +------------------------------------------------------------------- +Fri May 23 16:46:05 CEST 2014 - pth@suse.de + +- Fix URL to point to the new location of the sources. + +------------------------------------------------------------------- +Fri May 23 14:23:57 CEST 2014 - pth@suse.de + +- Update to 2.38.0. Changes since 2.36.0: + - Resolve bugs: 2409, 2413, 2417, 2420, 2422, 2423, 2425 + - Enable packing for dot + - Allow scaling to work for all non-dot layouts + - Add overline text characteristic. + - Fix bugs in gvpr and gv.cpp so edges can be created in subgraphs. + - Add edgepaint program for coloring edges to make them easier to + tell apart. + - Modify neato to avoid unnecessary translations of output. This + allows positions given on input to remain the same on output. + - Fix swig java package to work and support gv.renderresult. + - Fix test for the absence of layout (old test relied on statically + allocated Agraphinfo_t). + - HTML-like tables and cells can now specify which borders should be drawn. + - The fixedsize attribute now takes the value "shape" which allows + labels much larger than the node shape. + +- Remove graphviz-fix-includes.patch as the fix has been done + upstream. +- Add graphviz-array_overflow.patch to fix an off-by-one error. 
+ +------------------------------------------------------------------- +Tue Feb 4 15:52:00 CET 2014 - pth@suse.de + +- Update to 2.36,0: + (graphviz tracker lives at http://www.graphviz.org/mantisbt/my_view_page.php) + + Fixed bugs: + * The xdot pad attribute is documented to have a default value of + 0.0555 (inches, equals 0002091:0000004 points). However when no + pad attribute was specified, xdot output behaved as though the + default was 0 (graphviz tracker 2372). + * Graphviz gave incorrect svg when labels contained HTML entities + (graphviz tracker 2384). + * Building gvedit failed with undefined references (graphviz + tracker 2388). + * Document that edge[style=tapered] does not support colorList and + that edge[style=tapered] does not work with arrowType:none + (graphviz tracker 2391). + * Use a stronger test for orthogonal routing and, if it fails, revert + to line segments for edges (graphviz tracker 2393). + * Fix xdot background polygon coordinates being "nan" with no nodes + (graphviz tracker 2393). + * Circo couldn't rescale a graph using the mindist attribute + (graphviz tracker 2395). + - Remove old libgraph sources from distributions. + - Move master git repo to github.com + + September 15, 2013 + - Add <S> element for strike-through to HTML-like labels. + + - This version also fixes the security bugs reported in january. + +------------------------------------------------------------------- +Tue Feb 4 13:19:20 CET 2014 - pth@suse.de ++++ 904 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.graphviz.16305.new.2988/graphviz-addons.changes New Changes file: --- /dev/null 2021-04-29 10:03:23.520854754 +0200 +++ /work/SRC/openSUSE:Leap:15.2:Update/.graphviz.16305.new.2988/graphviz.changes 2021-05-22 07:03:24.392033123 +0200 
@@ -0,0 +1,1107 @@ +------------------------------------------------------------------- +Mon May 10 12:42:43 UTC 2021 - Christian V��gl <christian.voegl@suse.com> + +- Added graphviz-out-of-bounds-write.patch to fix CVE-2020-18032 + (bsc#1185833) + +------------------------------------------------------------------- +Thu May 28 12:19:07 UTC 2020 - Christian V��gl <christian.voegl@suse.com> + +- Added graphviz-null_dereference.patch to fix CVE-2018-10196 + (boo#1093447) + +------------------------------------------------------------------- +Tue Apr 16 16:06:18 UTC 2019 - Christian V��gl <christian.voegl@suse.com> + +- Added graphivz-malformed_input.patch from commit 839085f8 + to fix CVE-2019-11023 (boo#1132091) + +------------------------------------------------------------------- +Tue Jan 16 13:50:45 UTC 2018 - dimstar@opensuse.org + +- Disable building the graphviz-ocaml package: we have no consumer + of it, but not building it allows us to elminiate a build cycle. + +------------------------------------------------------------------- +Thu Oct 26 10:01:19 CEST 2017 - pth@suse.de + +- Reverse last change. + +------------------------------------------------------------------- +Wed Oct 25 10:58:28 CEST 2017 - pth@suse.de + +- Remove pre_checkin.sh and graphviz-addon.* as they aren't needed + anymore. + +------------------------------------------------------------------- +Mon Oct 23 15:57:03 CEST 2017 - pth@suse.de + +- Replace the recommends for graphviz-gnome by a 'supplements packageand' + so that graphviz doesn't pull in all the X11 related stuff on a + machine without graphical desktop (bsc#930442). + +------------------------------------------------------------------- +Wed Oct 4 15:43:37 UTC 2017 - dimstar@opensuse.org + +- Exclude %{_mandir}/man1/smyrna.1%{ext_man} from graphiz' main + package, since the man page is packaged in the -smyrna sub + package already. 
+ +------------------------------------------------------------------- +Mon Aug 7 11:45:08 UTC 2017 - tchvatal@suse.com + +- Add bcond for java and ocaml that can be overriden in staging prj + +------------------------------------------------------------------- +Thu Aug 3 12:56:24 UTC 2017 - tchvatal@suse.com + +- Drop smyrna and gvedit separate spec, now handled by + graphviz-addons + * Switch graphviz-gvedit to Qt5: + + graphviz-qt5.patch +- Drop graphviz-plugin subkpg in favor of graphviz-addons.spec + that is generated from graphviz directly +- Make sure all patches are applied also in main package so none + get lost by accident +- Refresh patch graphviz-plugins-fix_install_dirs.patch +- Make sure graphviz php plugins are generated using php7 + * set the php7 path in graphviz-plugins-fix_install_dirs.patch +- Remove tkspline from tcl package as it is no longer shipped +- Make sure the pic/pie is enforced on all the libs/bins + +------------------------------------------------------------------- +Wed Aug 2 12:46:02 UTC 2017 - tchvatal@suse.com + +- Update to 2.40.1 release: + * Remove usage of ast_common.h + * network-simplex fixes and optimization (Stephen North) + * built-in tred tool now available in the various swig generated + language bindings (John Ellson) + * number rounding added to SVG renderer (same as PS and TK rounding) + to aid regression testing. (John Ellson) + * additional regressson test framework, used in Travis CI builds. (Erwin Janssen) + * PHP7 support (requires swig-3.0.11 or later). (John Ellson) + * Allow user to specify clustering algorithm in gvmap. (Emden Gansner) + * Add Sierpinski graph generator to gvgen. 
(Emden Gansner) + * Extensive code cleanup (Erwin Janssen) + * Removal of libgd source - use vanilla libgd from separate install + * Windows builds (Erwin Janssen) + * Appveyor CI for automated Windows build testing (Erwin Janssen) + * Travis CI for Fedora/Centos builds (Erwin Janssen) + * Added JSON output format, -Tjson (Emden Gansner) + * New curved arrowhead, cylinder node shape. + * Resolves bugs: 2599, 1172 + * Add cylinder shape for databases. + * Free installed plugins + * Update makefile for dot so that the using libpanco_C in the static build include PANGOFT2 + as well as PANGOCAIRO_LIBS (needed for some versions of Ubuntu) + * Add json output format + * output class value in svg files + * Add plain shape for use with HTML-like labels. + * Add icurve arrowhead. + * Revert to old, translate to origin semantics in neato, etc. Add flag notranslate if that is + what the user desires. +- Run over with spec-cleaner and convert deps to pkgconfig +- Fix Group +- Remove unused pre requirements as there is no pre phase +- Inline sed changes and do not rely on pipes +- Do not add needless requires to devel pkg, there are no such stated + dependencies in any of the .pc files provided +- Add pre_checkin.sh scriptlet to allow generating of the extras subpkg + instead of having independent spec files + +------------------------------------------------------------------- +Sun May 28 11:46:05 UTC 2017 - bwiedemann@suse.com + +- Add reproducible.patch to not have binaries depend on build system timings + +------------------------------------------------------------------- +Wed Jun 10 06:54:27 UTC 2015 - mpluskal@suse.com + +- Remove pangocairo and lasi support as it introduces build cycle + +------------------------------------------------------------------- +Thu Apr 9 07:38:01 UTC 2015 - opensuse.lietuviu.kalba@gmail.com + +- Build with pangocairo and lasi support. 
+ +------------------------------------------------------------------- +Mon Nov 17 03:14:00 UTC 2014 - Led <ledest@gmail.com> + +- fix ksh-specific constrictions in gvmap.sh script +- add patches: + + graphviz-2.38.0-fix-gvmap.patch + +------------------------------------------------------------------- +Tue Jul 15 11:33:27 UTC 2014 - toddrme2178@gmail.com + +- Remove upstream-included patch graphviz-ppc64le_lib64_support.patch + from graphviz-plugins.spec + +------------------------------------------------------------------- +Fri May 23 16:46:05 CEST 2014 - pth@suse.de + +- Fix URL to point to the new location of the sources. + +------------------------------------------------------------------- +Fri May 23 14:23:57 CEST 2014 - pth@suse.de + +- Update to 2.38.0. Changes since 2.36.0: + - Resolve bugs: 2409, 2413, 2417, 2420, 2422, 2423, 2425 + - Enable packing for dot + - Allow scaling to work for all non-dot layouts + - Add overline text characteristic. + - Fix bugs in gvpr and gv.cpp so edges can be created in subgraphs. + - Add edgepaint program for coloring edges to make them easier to + tell apart. + - Modify neato to avoid unnecessary translations of output. This + allows positions given on input to remain the same on output. + - Fix swig java package to work and support gv.renderresult. + - Fix test for the absence of layout (old test relied on statically + allocated Agraphinfo_t). + - HTML-like tables and cells can now specify which borders should be drawn. + - The fixedsize attribute now takes the value "shape" which allows + labels much larger than the node shape. + +- Remove graphviz-fix-includes.patch as the fix has been done + upstream. +- Add graphviz-array_overflow.patch to fix an off-by-one error. 
+ +------------------------------------------------------------------- +Tue Feb 4 15:52:00 CET 2014 - pth@suse.de + +- Update to 2.36,0: + (graphviz tracker lives at http://www.graphviz.org/mantisbt/my_view_page.php) + + Fixed bugs: + * The xdot pad attribute is documented to have a default value of + 0.0555 (inches, equals 0002091:0000004 points). However when no + pad attribute was specified, xdot output behaved as though the + default was 0 (graphviz tracker 2372). + * Graphviz gave incorrect svg when labels contained HTML entities + (graphviz tracker 2384). + * Building gvedit failed with undefined references (graphviz + tracker 2388). + * Document that edge[style=tapered] does not support colorList and + that edge[style=tapered] does not work with arrowType:none + (graphviz tracker 2391). + * Use a stronger test for orthogonal routing and, if it fails, revert + to line segments for edges (graphviz tracker 2393). + * Fix xdot background polygon coordinates being "nan" with no nodes + (graphviz tracker 2393). + * Circo couldn't rescale a graph using the mindist attribute + (graphviz tracker 2395). + - Remove old libgraph sources from distributions. 
+ - Move master git repo to github.com + + September 15, 2013 ++++ 910 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.graphviz.16305.new.2988/graphviz.changes New: ---- graphviz-2.20.2-interpreter_names.patch graphviz-2.40.1.tar.gz graphviz-addons.changes graphviz-addons.spec graphviz-array_overflow.patch graphviz-fix-pkgIndex.patch graphviz-malformed_input.patch graphviz-no_strict_aliasing.patch graphviz-null_dereference.patch graphviz-out-of-bounds-write.patch graphviz-plugins-fix_install_dirs.patch graphviz-qt5.patch graphviz-rpmlintrc graphviz-smyrna-link_against_glu.patch graphviz-useless_warnings.patch graphviz.changes graphviz.spec pre_checkin.sh reproducible.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ graphviz-addons.spec ++++++ ++++ 639 lines (skipped) graphviz.spec: same change ++++++ graphviz-2.20.2-interpreter_names.patch ++++++ --- tclpkg/gv/demo/modgraph.lua +++ tclpkg/gv/demo/modgraph.lua @@ -1,4 +1,4 @@ -#!/usr/bin/lua +#!/usr/bin/lua5.1 -- display the kernel module dependencies ++++++ graphviz-array_overflow.patch ++++++ --- lib/common/htmltable.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: lib/common/htmltable.c =================================================================== --- lib/common/htmltable.c.orig 2014-04-13 22:40:25.000000000 +0200 +++ lib/common/htmltable.c 2014-05-23 00:01:41.203062717 +0200 @@ -300,8 +300,8 @@ static void doBorder(GVJ_t * job, htmlda gvrender_polyline(job, AF+2, 4); break; case BORDER_TOP|BORDER_LEFT|BORDER_BOTTOM : - AF[5] = AF[1]; - AF[6] = AF[2]; + AF[4] = AF[1]; + AF[5] = AF[2]; gvrender_polyline(job, AF+3, 4); break; case BORDER_LEFT|BORDER_BOTTOM|BORDER_RIGHT : ++++++ graphviz-fix-pkgIndex.patch ++++++ --- tclpkg/mkpkgindex.sh +++ tclpkg/mkpkgindex.sh 
@@ -22,4 +22,4 @@ echo " package require Tk 8.3" >>pkgIndex.tcl ;; esac -echo " load [file join \$dir $lib] $2\"" >>pkgIndex.tcl +echo " load $lib $2\"" >>pkgIndex.tcl ++++++ graphviz-malformed_input.patch ++++++ diff --git a/cmd/tools/graphml2gv.c b/cmd/tools/graphml2gv.c index f4798089e616b03bb6e612e92bb2a1577be4d0b9..b9fc9730c410c67160713d74f76e4e75bd33f486 100644 --- a/cmd/tools/graphml2gv.c +++ b/cmd/tools/graphml2gv.c @@ -468,8 +468,10 @@ startElementHandler(void *userData, const char *name, const char **atts) if (pos > 0) { const char *attrname; attrname = atts[pos]; - - bind_node(attrname); + if (G == 0) + fprintf(stderr,"node %s outside graph, ignored\n",attrname); + else + bind_node(attrname); pushString(&ud->elements, attrname); } @@ -495,21 +497,25 @@ startElementHandler(void *userData, const char *name, const char **atts) if (tname) head = tname; - bind_edge(tail, head); + if (G == 0) + fprintf(stderr,"edge source %s target %s outside graph, ignored\n",(char*)tail,(char*)head); + else { + bind_edge(tail, head); - t = AGTAIL(E); - tname = agnameof(t); + t = AGTAIL(E); + tname = agnameof(t); - if (strcmp(tname, tail) == 0) { - ud->edgeinverted = FALSE; - } else if (strcmp(tname, head) == 0) { - ud->edgeinverted = TRUE; - } + if (strcmp(tname, tail) == 0) { + ud->edgeinverted = FALSE; + } else if (strcmp(tname, head) == 0) { + ud->edgeinverted = TRUE; + } - pos = get_xml_attr("id", atts); - if (pos > 0) { - setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud); - } + pos = get_xml_attr("id", atts); + if (pos > 0) { + setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud); + } + } } else { /* must be some extension */ fprintf(stderr, @@ -530,7 +536,7 @@ static void endElementHandler(void *userData, const char *name) char *ele_name = topString(ud->elements); if (ud->closedElementType == TAG_GRAPH) { Agnode_t *node = agnode(root, ele_name, 0); - agdelete(root, node); + if (node) agdelete(root, node); } popString(&ud->elements); Current_class = TAG_GRAPH; 
diff --git a/lib/cgraph/grammar.y b/lib/cgraph/grammar.y index 90aa27387100330692861912636fe241b83809b7..127a7241a3a91586fc0f8e7f777d76856e37499e 100644 --- a/lib/cgraph/grammar.y +++ b/lib/cgraph/grammar.y @@ -22,6 +22,7 @@ extern void yyerror(char *); /* gets mapped to aagerror, see below */ #endif static char Key[] = "key"; +static int SubgraphDepth = 0; typedef union s { /* possible items in generic list */ Agnode_t *n; @@ -542,6 +543,7 @@ static void startgraph(char *name, int directed, int strict) static Agdesc_t req; /* get rid of warnings */ if (G == NILgraph) { + SubgraphDepth = 0; req.directed = directed; req.strict = strict; req.maingraph = TRUE; @@ -562,6 +564,11 @@ static void endgraph() static void opensubg(char *name) { + if (++SubgraphDepth >= YYMAXDEPTH/2) { + char buf[128]; + sprintf(buf,"subgraphs nested more than %d deep",YYMAXDEPTH); + agerr(AGERR,buf); + } S = push(S,agsubg(S->g,name,TRUE)); agstrfree(G,name); } @@ -569,6 +576,7 @@ static void opensubg(char *name) static void closesubg() { Agraph_t *subg = S->g; + --SubgraphDepth; S = pop(S); S->subg = subg; assert(subg); diff --git a/lib/cgraph/obj.c b/lib/cgraph/obj.c index 7b1c8c1010d5ae31f7adf116be4d97a831f34bd8..709774e3db42e9069d17b90f855390b19ae8beb2 100644 --- a/lib/cgraph/obj.c +++ b/lib/cgraph/obj.c @@ -168,6 +168,8 @@ void agdelcb(Agraph_t * g, void *obj, Agcbstack_t * cbstack) Agraph_t *agroot(void* obj) { + // fixes CVE-2019-11023 by moving the problem to the caller :-) + if (obj == 0) return NILgraph; switch (AGTYPE(obj)) { case AGINEDGE: case AGOUTEDGE: ++++++ graphviz-no_strict_aliasing.patch ++++++ --- lib/vmalloc/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) Index: lib/vmalloc/Makefile.am =================================================================== --- lib/vmalloc/Makefile.am.orig 2013-09-07 03:07:52.000000000 +0200 +++ lib/vmalloc/Makefile.am 2013-09-11 18:51:30.719515603 +0200 
@@ -9,6 +9,8 @@ libvmalloc_C_la_SOURCES = malloc.c vmbes vmprofile.c vmregion.c vmsegment.c vmset.c vmstat.c vmstrdup.c \ vmtrace.c vmwalk.c +libvmalloc_C_la_CFLAGS = -fno-strict-aliasing + ${top_builddir}/FEATURE/vmalloc: ${top_srcdir}/lib/vmalloc/features/vmalloc mkdir -p ${top_builddir}/FEATURE ${top_srcdir}/iffe - set cc $(CC) $(CCMODE) $(CXFLAGS) : run ${top_srcdir}/lib/vmalloc/features/vmalloc > $@ ++++++ graphviz-null_dereference.patch ++++++ diff --git a/lib/dotgen/conc.c b/lib/dotgen/conc.c index dd13e936b..f7307d23b 100644 --- a/lib/dotgen/conc.c +++ b/lib/dotgen/conc.c @@ -159,7 +159,11 @@ static void rebuild_vlists(graph_t * g) for (r = GD_minrank(g); r <= GD_maxrank(g); r++) { lead = GD_rankleader(g)[r]; - if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) { + if (lead == NULL) { + agerr(AGERR, "rebuiltd_vlists: lead is null for rank %d\n", r); + longjmp(jbuf, 1); + } + else if (GD_rank(dot_root(g))[r].v[ND_order(lead)] != lead) { agerr(AGERR, "rebuiltd_vlists: rank lead %s not in order %d of rank %d\n", agnameof(lead), ND_order(lead), r); longjmp(jbuf, 1); ++++++ graphviz-out-of-bounds-write.patch ++++++ From 784411ca3655c80da0f6025ab20634b2a6ff696b Mon Sep 17 00:00:00 2001 
From: Matthew Fernandez <matthew.fernandez@gmail.com> Date: Sat, 25 Jul 2020 19:31:01 -0700 Subject: [PATCH] fix: out-of-bounds write on invalid label When the label for a node cannot be parsed (due to it being malformed), it falls back on the symbol name of the node itself. I.e. the default label the node would have had if it had no label attribute at all. However, this is applied by dynamically altering the node's label to "\N", a shortcut for the symbol name of the node. All of this is fine, however if the hand written label itself is shorter than the literal string "\N", not enough memory would have been allocated to write "\N" into the label text. Here we account for the possibility of error during label parsing, and assume that the label text may need to be overwritten with "\N" after the fact. Fixes issue #1700. --- lib/common/shapes.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/common/shapes.c b/lib/common/shapes.c index 0a0635fc3..9dca9ba6e 100644 --- a/lib/common/shapes.c +++ b/lib/common/shapes.c @@ -3546,9 +3546,10 @@ static void record_init(node_t * n) reclblp = ND_label(n)->text; len = strlen(reclblp); /* For some forgotten reason, an empty label is parsed into a space, so - * we need at least two bytes in textbuf. + * we need at least two bytes in textbuf, as well as accounting for the + * error path involving "\\N" below. */ - len = MAX(len, 1); + len = MAX(MAX(len, 1), (int)strlen("\\N")); textbuf = N_NEW(len + 1, char); if (!(info = parse_reclbl(n, flip, TRUE, textbuf))) { agerr(AGERR, "bad label format %s\n", ND_label(n)->text); -- ++++++ graphviz-plugins-fix_install_dirs.patch ++++++ --- configure | 6 +++--- configure.ac | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) Index: configure =================================================================== --- configure.orig +++ configure 
@@ -22158,8 +22158,8 @@ test -n "$PHP" || PHP="php" PHP_INCLUDES="-I/usr/include/php -I/usr/include/php/main -I/usr/include/php/TSRM -I/usr/include/php/Zend -I/usr/include/php/ext -I/usr/include/php/ext/date/lib" fi fi - PHP_INSTALL_DIR="/usr/lib${LIBPOSTFIX}/php/modules" - PHP_INSTALL_DATADIR="/usr/share/php" + PHP_INSTALL_DIR="/usr/lib${LIBPOSTFIX}/php7/extensions" + PHP_INSTALL_DATADIR="/usr/share/php7" PHP_LIBS= save_CPPFLAGS=$CPPFLAGS CPPFLAGS="$CPPFLAGS $PHP_INCLUDES" @@ -23834,7 +23834,7 @@ $as_echo "using $TCLCONFIG" >&6; } $as_echo "$as_me: WARNING: Unable to find tclConfig.sh. The Tcl packages will not be built" >&2;} use_tcl="No (missing tclConfig.sh)" fi - TCL_INSTALL_DIR="${TCLSH_EXEC_PREFIX}/lib${LIBPOSTFIX}/tcl${TCL_VERSION_FOUND}" + TCL_INSTALL_DIR="${TCLSH_EXEC_PREFIX}/lib${LIBPOSTFIX} fi if test "x$use_tcl" = "x"; then Index: configure.ac =================================================================== --- configure.ac.orig +++ configure.ac @@ -1102,8 +1102,8 @@ else PHP_INCLUDES="-I/usr/include/php -I/usr/include/php/main -I/usr/include/php/TSRM -I/usr/include/php/Zend -I/usr/include/php/ext -I/usr/include/php/ext/date/lib" fi fi - PHP_INSTALL_DIR="/usr/lib${LIBPOSTFIX}/php/modules" - PHP_INSTALL_DATADIR="/usr/share/php" + PHP_INSTALL_DIR="/usr/lib${LIBPOSTFIX}/php7/extensions" + PHP_INSTALL_DATADIR="/usr/share/php7" PHP_LIBS= save_CPPFLAGS=$CPPFLAGS CPPFLAGS="$CPPFLAGS $PHP_INCLUDES" ++++++ graphviz-qt5.patch ++++++ Index: graphviz-2.40.1/cmd/gvedit/csettings.cpp =================================================================== --- graphviz-2.40.1.orig/cmd/gvedit/csettings.cpp +++ graphviz-2.40.1/cmd/gvedit/csettings.cpp 
@@ -16,7 +16,7 @@ #include "csettings.h" #include "qmessagebox.h" #include "qfiledialog.h" -#include <QtGui> +#include <QtWidgets> #include <qfile.h> #include "mdichild.h" #include "string.h" Index: graphviz-2.40.1/cmd/gvedit/imageviewer.h =================================================================== --- graphviz-2.40.1.orig/cmd/gvedit/imageviewer.h +++ graphviz-2.40.1/cmd/gvedit/imageviewer.h @@ -15,7 +15,7 @@ #ifndef IMAGEVIEWER_H #define IMAGEVIEWER_H -#include <QtGui> +#include <QtWidgets> #include <QMainWindow> #include <QPrinter> Index: graphviz-2.40.1/cmd/gvedit/mainwindow.cpp =================================================================== --- graphviz-2.40.1.orig/cmd/gvedit/mainwindow.cpp +++ graphviz-2.40.1/cmd/gvedit/mainwindow.cpp @@ -11,7 +11,7 @@ * Contributors: See CVS logs. Details at http://www.graphviz.org/ *************************************************************************/ -#include <QtGui> +#include <QtWidgets> #include <qframe.h> #include "mainwindow.h" #include "mdichild.h" Index: graphviz-2.40.1/cmd/gvedit/mdichild.cpp =================================================================== --- graphviz-2.40.1.orig/cmd/gvedit/mdichild.cpp +++ graphviz-2.40.1/cmd/gvedit/mdichild.cpp @@ -12,7 +12,7 @@ *************************************************************************/ -#include <QtGui> +#include <QtWidgets> #include "mdichild.h" #include "mainwindow.h" Index: graphviz-2.40.1/cmd/gvedit/ui_settings.h =================================================================== --- graphviz-2.40.1.orig/cmd/gvedit/ui_settings.h +++ graphviz-2.40.1/cmd/gvedit/ui_settings.h 
@@ -10,22 +10,22 @@ #ifndef UI_SETTINGS_H #define UI_SETTINGS_H -#include <QtCore/QVariant> -#include <QtGui/QAction> -#include <QtGui/QApplication> -#include <QtGui/QButtonGroup> -#include <QtGui/QComboBox> -#include <QtGui/QDialog> -#include <QtGui/QFrame> -#include <QtGui/QHBoxLayout> -#include <QtGui/QHeaderView> -#include <QtGui/QLabel> -#include <QtGui/QLineEdit> -#include <QtGui/QPushButton> -#include <QtGui/QSpacerItem> -#include <QtGui/QTextEdit> -#include <QtGui/QVBoxLayout> -#include <QtGui/QWidget> +#include <QVariant> +#include <QAction> +#include <QApplication> +#include <QButtonGroup> +#include <QComboBox> +#include <QDialog> +#include <QFrame> +#include <QHBoxLayout> +#include <QHeaderView> +#include <QLabel> +#include <QLineEdit> +#include <QPushButton> +#include <QSpacerItem> +#include <QTextEdit> +#include <QVBoxLayout> +#include <QWidget> QT_BEGIN_NAMESPACE Index: graphviz-2.40.1/configure.ac =================================================================== --- graphviz-2.40.1.orig/configure.ac +++ graphviz-2.40.1/configure.ac 
@@ -2561,10 +2561,10 @@ if test "x$with_qt" != "xyes"; then use_qt="No (disabled)" else - AC_CHECK_PROGS(QMAKE,qmake-qt4 qmake-qt3 qmake,false) + AC_CHECK_PROGS(QMAKE,qmake-qt5 qmake,false) if test "$QMAKE" != "false"; then - PKG_CHECK_MODULES(QTCORE, [QtCore],[ - PKG_CHECK_MODULES(QTGUI, [QtGui],[ + PKG_CHECK_MODULES(QTCORE, [Qt5Core],[ + PKG_CHECK_MODULES(QTGUI, [Qt5Widgets Qt5PrintSupport],[ use_qt="Yes" ],[ use_qt="No (QtGui not available)" ++++++ graphviz-rpmlintrc ++++++ # This line is mandatory to access the configuration functions from Config import * addFilter("graphviz.* shlib-policy-missing-suffix") addFilter("graphviz.* rpm-buildroot-usage") addFilter("graphviz.* postun-without-ldconfig") addFilter("graphviz.* non-devel-buildrequires") addFilter("graphviz.* %install-no-mkdir-buildroot") addFilter("graphviz-perl.* perl5-naming-policy-not-applied") addFilter("graphviz-python.* python-naming-policy-not-applied") addFilter("graphviz.* devel-file-in-non-devel-package") ++++++ graphviz-smyrna-link_against_glu.patch ++++++ --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: configure.ac =================================================================== --- configure.ac.orig 2013-10-23 17:25:44.020188917 +0200 +++ configure.ac 2013-10-23 17:26:17.637411247 +0200 @@ -2811,7 +2811,7 @@ else AC_CHECK_HEADER(GL/glut.h, AC_CHECK_LIB(glut,main, - [GLUT_LIBS="$GLUT_LIBS -lglut" + [GLUT_LIBS="$GLUT_LIBS -lglut $(pkg-config --libs glu)" use_glut="Yes" AC_DEFINE_UNQUOTED(HAVE_GLUT,1,[Define if you have the GLUT library])], use_glut="No (missing libglut)" ++++++ graphviz-useless_warnings.patch ++++++ --- tclpkg/gv/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) Index: tclpkg/gv/Makefile.am =================================================================== --- tclpkg/gv/Makefile.am.orig 2013-09-05 17:59:52.837755940 +0200 +++ tclpkg/gv/Makefile.am 2013-09-05 18:00:53.696332434 +0200 
@@ -20,6 +20,8 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/lib/cdt \ -I$(top_srcdir)/lib/pathplan +AM_CXXFLAGS = -Wno-unused-label -Wno-unused-function \ + -Wno-unused-but-set-variable LIBS = -lc BASESOURCES = gv.cpp gv.i gv_builtins.c ++++++ pre_checkin.sh ++++++ #!/usr/bin/sh cp graphviz.changes graphviz-addons.changes sed \ -e 's:%bcond_with extras:%bcond_without extras:' \ -e 's#Name: graphviz#Name: graphviz-addons#' \ graphviz.spec > graphviz-addons.spec ++++++ reproducible.patch ++++++ Do not have binaries depend on build system timings because we are building in VMs anyway and users might have different hardware Index: graphviz-2.38.0/lib/sfio/features/sfio =================================================================== --- graphviz-2.38.0.orig/lib/sfio/features/sfio +++ graphviz-2.38.0/lib/sfio/features/sfio @@ -260,9 +260,7 @@ tst output{ unlink(file); - if(4*mmtm <= 3*rdtm) /* mmap is great! */ - printf("#define _mmap_worthy 2 \n"); - else if(4*mmtm <= 5*rdtm) /* mmap is good */ + /* mmap is good */ printf("#define _mmap_worthy 1 \n"); return 0;
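Review bot: The 2019-04-16 entry in both graphviz.changes and graphviz-addons.changes names the patch "graphivz-malformed_input.patch", while the file added by this commit is listed as graphviz-malformed_input.patch. Correct the spelling in the entry so that a search for the patch file name finds the changelog entry that records the CVE-2019-11023 fix.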
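Review bot: In graphviz-array_overflow.patch, the BORDER_TOP|BORDER_LEFT|BORDER_BOTTOM case of doBorder (lib/common/htmltable.c) moves the assignments down to AF[4] and AF[5] but keeps the call gvrender_polyline(job, AF+3, 4), which still covers AF[3] through AF[6], so AF[6] is no longer set in this case yet is still passed on. The declaration of AF is outside the hunk; confirm its size, and either adjust the offset or point count given to gvrender_polyline or state in the patch header why AF[6] is valid here. The header should also name the index that was out of range, since "off-by-one error" in the changelog is the only description.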
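Review bot: In graphviz-fix-pkgIndex.patch, the replacement line in tclpkg/mkpkgindex.sh writes load $lib without the [file join \$dir ...] wrapper, so the generated pkgIndex.tcl no longer resolves the library relative to the package directory; if $lib is a bare file name, which file gets loaded then depends on the loader's search path. The patch carries no description: add one that says where $lib is installed and why the directory prefix was dropped, or emit an absolute path instead.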
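Review bot: In the first hunk of cmd/tools/graphml2gv.c (startElementHandler, @@ -468), the ignored-node branch skips bind_node(attrname) but pushString(&ud->elements, attrname) still runs, so the name of a node that was never created stays on the element stack and reaches endElementHandler, where the third hunk has to guard the agnode result with if (node). Say in a comment that the push is intentional to keep push and pop balanced, or skip both. The test is also written G == 0 with an unbraced if/else, while grammar.y in this same patch compares against NILgraph; use NULL or NILgraph and braces, as the second hunk does for its else branch.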
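Review bot: In opensubg (lib/cgraph/grammar.y, @@ -562), the depth check reports an error but does not stop: there is no return after agerr(AGERR,buf), so S = push(S,agsubg(S->g,name,TRUE)) still executes and nesting continues past the limit. The limit tested is YYMAXDEPTH/2 while the message prints YYMAXDEPTH, so the reported number is twice the depth that triggers it. The buf and sprintf are unnecessary as well, since agerr is called with a format string and arguments elsewhere in this commit (conc.c); pass the format and the real limit directly, and decide explicitly what opensubg does once the limit is hit.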
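Review bot: The early return added to agroot (lib/cgraph/obj.c, @@ -168) hands NILgraph back for a null obj, and the added comment itself says this moves the problem to the caller, yet none of the hunks shown adds a check on agroot's return value. Audit the call sites that dereference the result before relying on this as the CVE-2019-11023 fix, and replace the comment with one that states the contract (returns NILgraph when obj is null), in the /* */ style the surrounding cgraph sources use.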
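Review bot: The new message in rebuild_vlists (lib/dotgen/conc.c, @@ -159) reads "rebuiltd_vlists: lead is null for rank %d", copying the misspelled prefix from the existing message below it; the hunk header gives the function as rebuild_vlists, so use that spelling so the log line can be matched to the source. The else in front of the second test is not needed either, because the new branch ends in longjmp(jbuf, 1).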
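Review bot: In record_init (lib/common/shapes.c, @@ -3546), len = MAX(MAX(len, 1), (int)strlen("\\N")) has a redundant inner MAX: strlen("\\N") is 2, which already exceeds the floor of 1, so a single MAX against the length of "\\N" gives the same result and reads more clearly next to the comment's "at least two bytes". The (int) cast implies len is an int that receives strlen(reclblp); if so, consider size_t so the value is not narrowed before N_NEW(len + 1, char). A regression test with a malformed label shorter than two characters, the case described in the commit message, would keep this from recurring.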
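Review bot: In the second configure hunk of graphviz-plugins-fix_install_dirs.patch (@@ -23834), the added line TCL_INSTALL_DIR="${TCLSH_EXEC_PREFIX}/lib${LIBPOSTFIX} has no closing double quote, whereas the line it replaces ended in tcl${TCL_VERSION_FOUND}"; as shown, the string runs on into the following fi. Restore the quote. The configure.ac part of the patch changes only the two PHP lines, so this TCL_INSTALL_DIR edit exists only in the generated configure and would be lost on any autoreconf; make the same change in configure.ac.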
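Review bot: In the configure.ac hunk of graphviz-qt5.patch (@@ -2561), the failure message use_qt="No (QtGui not available)" is left unchanged although the check now looks for Qt5Widgets and Qt5PrintSupport, so the configure summary names a module that is no longer tested. Update the message, and note that the AC_CHECK_PROGS fallback to a plain qmake can select a non-Qt5 qmake when qmake-qt5 is absent; dropping the fallback or verifying the reported Qt version would avoid mixing toolchains.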
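Review bot: In graphviz-smyrna-link_against_glu.patch (configure.ac, @@ -2811), GLUT_LIBS gains $(pkg-config --libs glu) with no check that pkg-config or the glu module is present, so a missing glu yields an empty expansion and use_glut is still set to "Yes", deferring the failure to link time. Test for glu first, for example with PKG_CHECK_MODULES as the Qt hunk in this commit does, and set use_glut to a "No (...)" reason when it is not found.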
participants (1)
-
Source-Sync