!51 Fix CVE-2020-24292 CVE-2020-24293 CVE-2020-24295 CVE-2021-33367 CVE-2021-40263 CVE-2021-40266 CVE-2023-47995 CVE-2023-47997

From: @wk333 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge

CVE-2020-21427-1-r1832-improved-BMP-plugin-when-working-with-malicious-images.patch

@@ -0,0 +1,445 @@
+Origin: upstream, r1832
+Index: Source/FreeImage/PluginBMP.cpp
+---
+diff --git a/Source/FreeImage/PluginBMP.cpp b/Source/FreeImage/PluginBMP.cpp
+--- a/Source/FreeImage/PluginBMP.cpp	(revision 1831)
++++ b/Source/FreeImage/PluginBMP.cpp	(revision 1832)
+@@ -181,6 +181,7 @@
+ 		}
+ 	}
+ #endif
++
+ #if FREEIMAGE_COLORORDER == FREEIMAGE_COLORORDER_RGB
+ 	if (bit_count == 24 || bit_count == 32) {
+ 		for(unsigned y = 0; y < FreeImage_GetHeight(dib); y++) {
+@@ -202,7 +203,7 @@
+ @param handle FreeImage IO handle
+ @param width Image width
+ @param height Image height
+-@param dib Image to be loaded 
++@param dib 4-bit image to be loaded 
+ @return Returns TRUE if successful, returns FALSE otherwise
+ */
+ static BOOL 
+@@ -217,7 +218,9 @@
+ 		height = abs(height);
+ 
+ 		pixels = (BYTE*)malloc(width * height * sizeof(BYTE));
+-		if(!pixels) throw(1);
++		if (!pixels) {
++			throw(1);
++		}
+ 		memset(pixels, 0, width * height * sizeof(BYTE));
+ 
+ 		BYTE *q = pixels;
+@@ -237,7 +240,7 @@
+ 					throw(1);
+ 				}
+ 				for (int i = 0; i < status_byte; i++)	{
+-					*q++=(BYTE)((i & 0x01) ? (second_byte & 0x0f) : ((second_byte >> 4) & 0x0f));
++					*q++ = (BYTE)((i & 0x01) ? (second_byte & 0x0f) : ((second_byte >> 4) & 0x0f));
+ 				}
+ 				bits += status_byte;
+ 			}
+@@ -252,7 +255,7 @@
+ 						// End of line
+ 						bits = 0;
+ 						scanline++;
+-						q = pixels + scanline*width;
++						q = pixels + scanline * width;
+ 					}
+ 					break;
+ 
+@@ -264,7 +267,6 @@
+ 					case RLE_DELTA:
+ 					{
+ 						// read the delta values
+-
+ 						BYTE delta_x = 0;
+ 						BYTE delta_y = 0;
+ 
+@@ -276,7 +278,6 @@
+ 						}
+ 
+ 						// apply them
+-
+ 						bits += delta_x;
+ 						scanline += delta_y;
+ 						q = pixels + scanline*width+bits;
+@@ -293,7 +294,7 @@
+ 									throw(1);
+ 								}
+ 							}
+-							*q++=(BYTE)((i & 0x01) ? (second_byte & 0x0f) : ((second_byte >> 4) & 0x0f));
++							*q++ = (BYTE)((i & 0x01) ? (second_byte & 0x0f) : ((second_byte >> 4) & 0x0f));
+ 						}
+ 						bits += status_byte;
+ 						// Read pad byte
+@@ -334,7 +335,9 @@
+ 		return TRUE;
+ 
+ 	} catch(int) {
+-		if(pixels) free(pixels);
++		if (pixels) {
++			free(pixels);
++		}
+ 		return FALSE;
+ 	}
+ }
+@@ -345,7 +348,7 @@
+ @param handle FreeImage IO handle
+ @param width Image width
+ @param height Image height
+-@param dib Image to be loaded 
++@param dib 8-bit image to be loaded 
+ @return Returns TRUE if successful, returns FALSE otherwise
+ */
+ static BOOL 
+@@ -354,103 +357,85 @@
+ 	BYTE second_byte = 0;
+ 	int scanline = 0;
+ 	int bits = 0;
++	int count = 0;
++	BYTE delta_x = 0;
++	BYTE delta_y = 0;
+ 
+-	for (;;) {
+-		if( io->read_proc(&status_byte, sizeof(BYTE), 1, handle) != 1) {
++	height = abs(height);
++	
++	while(scanline < height) {
++
++		if (io->read_proc(&status_byte, sizeof(BYTE), 1, handle) != 1) {
+ 			return FALSE;
+ 		}
+ 
+-		switch (status_byte) {
+-			case RLE_COMMAND :
+-				if(io->read_proc(&status_byte, sizeof(BYTE), 1, handle) != 1) {
+-					return FALSE;
+-				}
++		if (status_byte == RLE_COMMAND) {
++			if (io->read_proc(&status_byte, sizeof(BYTE), 1, handle) != 1) {
++				return FALSE;
++			}
+ 
+-				switch (status_byte) {
+-					case RLE_ENDOFLINE :
+-						bits = 0;
+-						scanline++;
+-						break;
++			switch (status_byte) {
++				case RLE_ENDOFLINE:
++					bits = 0;
++					scanline++;
++					break;
+ 
+-					case RLE_ENDOFBITMAP :
+-						return TRUE;
++				case RLE_ENDOFBITMAP:
++					return TRUE;
+ 
+-					case RLE_DELTA :
+-					{
+-						// read the delta values
++				case RLE_DELTA:
++					// read the delta values
++					delta_x = 0;
++					delta_y = 0;
++					if (io->read_proc(&delta_x, sizeof(BYTE), 1, handle) != 1) {
++						return FALSE;
++					}
++					if (io->read_proc(&delta_y, sizeof(BYTE), 1, handle) != 1) {
++						return FALSE;
++					}
++					// apply them
++					bits += delta_x;
++					scanline += delta_y;
++					break;
+ 
+-						BYTE delta_x = 0;
+-						BYTE delta_y = 0;
+-
+-						if(io->read_proc(&delta_x, sizeof(BYTE), 1, handle) != 1) {
+-							return FALSE;
+-						}
+-						if(io->read_proc(&delta_y, sizeof(BYTE), 1, handle) != 1) {
+-							return FALSE;
+-						}
+-
+-						// apply them
+-
+-						bits     += delta_x;
+-						scanline += delta_y;
+-
+-						break;
++				default:
++					// absolute mode
++					count = MIN((int)status_byte, width - bits);
++					if (count < 0) {
++						return FALSE;
+ 					}
+-
+-					default :
+-					{
+-						if(scanline >= abs(height)) {
+-							return TRUE;
+-						}
+-
+-						int count = MIN((int)status_byte, width - bits);
+-
+-						BYTE *sline = FreeImage_GetScanLine(dib, scanline);
+-
+-						if(io->read_proc((void *)(sline + bits), sizeof(BYTE) * count, 1, handle) != 1) {
++					BYTE *sline = FreeImage_GetScanLine(dib, scanline);
++					if (io->read_proc((void *)(sline + bits), sizeof(BYTE) * count, 1, handle) != 1) {
++						return FALSE;
++					}
++					// align run length to even number of bytes
++					if ((status_byte & 1) == 1) {
++						if (io->read_proc(&second_byte, sizeof(BYTE), 1, handle) != 1) {
+ 							return FALSE;
+ 						}
+-						
+-						// align run length to even number of bytes 
+-
+-						if ((status_byte & 1) == 1) {
+-							if(io->read_proc(&second_byte, sizeof(BYTE), 1, handle) != 1) {
+-								return FALSE;
+-							}
+-						}
+-
+-						bits += status_byte;													
+-
+-						break;	
+ 					}
+-				}
++					bits += status_byte;				
++					break;
+ 
+-				break;
+-
+-			default :
+-			{
+-				if(scanline >= abs(height)) {
+-					return TRUE;
+-				}
+-
+-				int count = MIN((int)status_byte, width - bits);
+-
+-				BYTE *sline = FreeImage_GetScanLine(dib, scanline);
+-
+-				if(io->read_proc(&second_byte, sizeof(BYTE), 1, handle) != 1) {
+-					return FALSE;
+-				}
+-
+-				for (int i = 0; i < count; i++) {
+-					*(sline + bits) = second_byte;
+-
+-					bits++;					
+-				}
+-
+-				break;
++			} // switch (status_byte)
++		}
++		else {
++			count = MIN((int)status_byte, width - bits);
++			if (count < 0) {
++				return FALSE;
+ 			}
++			BYTE *sline = FreeImage_GetScanLine(dib, scanline);
++			if (io->read_proc(&second_byte, sizeof(BYTE), 1, handle) != 1) {
++				return FALSE;
++			}
++			for (int i = 0; i < count; i++) {
++				*(sline + bits) = second_byte;
++				bits++;
++			}
+ 		}
+ 	}
++	
++	return FALSE;
+ }
+ 
+ // --------------------------------------------------------------------------
+@@ -463,10 +448,12 @@
+ 		BOOL header_only = (flags & FIF_LOAD_NOPIXELS) == FIF_LOAD_NOPIXELS;
+ 
+ 		// load the info header
+-
+ 		BITMAPINFOHEADER bih;
++		memset(&bih, 0, sizeof(BITMAPINFOHEADER));
++		if (io->read_proc(&bih, sizeof(BITMAPINFOHEADER), 1, handle) != 1) {
++			throw FI_MSG_ERROR_INVALID_FORMAT;
++		}
+ 
+-		io->read_proc(&bih, sizeof(BITMAPINFOHEADER), 1, handle);
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		SwapInfoHeader(&bih);
+ #endif
+@@ -544,7 +531,7 @@
+ 						break;
+ 
+ 					case BI_RLE4 :
+-						if( LoadPixelDataRLE4(io, handle, width, height, dib) ) {
++						if( (bit_count == 4) && LoadPixelDataRLE4(io, handle, width, height, dib) ) {
+ 							return dib;
+ 						} else {
+ 							throw "Error encountered while decoding RLE4 BMP data";
+@@ -552,7 +539,7 @@
+ 						break;
+ 
+ 					case BI_RLE8 :
+-						if( LoadPixelDataRLE8(io, handle, width, height, dib) ) {
++						if( (bit_count == 8) && LoadPixelDataRLE8(io, handle, width, height, dib) ) {
+ 							return dib;
+ 						} else {
+ 							throw "Error encountered while decoding RLE8 BMP data";
+@@ -602,7 +589,7 @@
+ 
+ 				return dib;
+ 			}
+-			break; // 16-bit
++			break; // 16-bit RGB
+ 
+ 			case 24 :
+ 			case 32 :
+@@ -679,10 +666,12 @@
+ 		BOOL header_only = (flags & FIF_LOAD_NOPIXELS) == FIF_LOAD_NOPIXELS;
+ 
+ 		// load the info header
+-
+ 		BITMAPINFOHEADER bih;
++		memset(&bih, 0, sizeof(BITMAPINFOHEADER));
++		if (io->read_proc(&bih, sizeof(BITMAPINFOHEADER), 1, handle) != 1) {
++			throw FI_MSG_ERROR_INVALID_FORMAT;
++		}
+ 
+-		io->read_proc(&bih, sizeof(BITMAPINFOHEADER), 1, handle);
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		SwapInfoHeader(&bih);
+ #endif
+@@ -767,17 +756,19 @@
+ 						return dib;
+ 
+ 					case BI_RLE4 :
+-						if( LoadPixelDataRLE4(io, handle, width, height, dib) ) {
++						if ((bit_count == 4) && LoadPixelDataRLE4(io, handle, width, height, dib)) {
+ 							return dib;
+-						} else {
++						}
++						else {
+ 							throw "Error encountered while decoding RLE4 BMP data";
+ 						}
+ 						break;
+ 
+ 					case BI_RLE8 :
+-						if( LoadPixelDataRLE8(io, handle, width, height, dib) ) {
++						if ((bit_count == 8) && LoadPixelDataRLE8(io, handle, width, height, dib)) {
+ 							return dib;
+-						} else {
++						}
++						else {
+ 							throw "Error encountered while decoding RLE8 BMP data";
+ 						}
+ 						break;
+@@ -863,9 +854,9 @@
+ 			}
+ 		}
+ 	} catch(const char *message) {
+-		if(dib)
++		if (dib) {
+ 			FreeImage_Unload(dib);
+-
++		}
+ 		FreeImage_OutputMessageProc(s_format_id, message);
+ 	}
+ 
+@@ -881,9 +872,13 @@
+ 	try {
+ 		BOOL header_only = (flags & FIF_LOAD_NOPIXELS) == FIF_LOAD_NOPIXELS;
+ 
++		// load the info header
+ 		BITMAPINFOOS2_1X_HEADER bios2_1x;
++		memset(&bios2_1x, 0, sizeof(BITMAPINFOOS2_1X_HEADER));
++		if (io->read_proc(&bios2_1x, sizeof(BITMAPINFOOS2_1X_HEADER), 1, handle) != 1) {
++			throw FI_MSG_ERROR_INVALID_FORMAT;
++		}
+ 
+-		io->read_proc(&bios2_1x, sizeof(BITMAPINFOOS2_1X_HEADER), 1, handle);
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		SwapOS21XHeader(&bios2_1x);
+ #endif
+@@ -1005,9 +1000,9 @@
+ 			}
+ 		}
+ 	} catch(const char *message) {	
+-		if(dib)
++		if (dib) {
+ 			FreeImage_Unload(dib);
+-
++		}
+ 		FreeImage_OutputMessageProc(s_format_id, message);
+ 	}
+ 
+@@ -1090,19 +1085,20 @@
+ 		BITMAPFILEHEADER bitmapfileheader;
+ 		DWORD type = 0;
+ 
+-		// we use this offset value to make seemingly absolute seeks relative in the file
+-		
++		// we use this offset value to make seemingly absolute seeks relative in the file		
+ 		long offset_in_file = io->tell_proc(handle);
+ 
+ 		// read the fileheader
++		memset(&bitmapfileheader, 0, sizeof(BITMAPFILEHEADER));
++		if (io->read_proc(&bitmapfileheader, sizeof(BITMAPFILEHEADER), 1, handle) != 1) {
++			return NULL;
++		}
+ 
+-		io->read_proc(&bitmapfileheader, sizeof(BITMAPFILEHEADER), 1, handle);
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		SwapFileHeader(&bitmapfileheader);
+ #endif
+ 
+ 		// check the signature
+-
+ 		if((bitmapfileheader.bfType != 0x4D42) && (bitmapfileheader.bfType != 0x4142)) {
+ 			FreeImage_OutputMessageProc(s_format_id, FI_MSG_ERROR_MAGIC_NUMBER);
+ 			return NULL;
+@@ -1109,9 +1105,9 @@
+ 		}
+ 
+ 		// read the first byte of the infoheader
+-
+ 		io->read_proc(&type, sizeof(DWORD), 1, handle);
+ 		io->seek_proc(handle, 0 - (long)sizeof(DWORD), SEEK_CUR);
++
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		SwapLong(&type);
+ #endif
+@@ -1138,7 +1134,7 @@
+ 				break;
+ 		}
+ 
+-		FreeImage_OutputMessageProc(s_format_id, "unknown bmp subtype with id %d", type);
++		FreeImage_OutputMessageProc(s_format_id, "Unknown bmp subtype with id %d", type);
+ 	}
+ 
+ 	return NULL;
+@@ -1418,6 +1414,7 @@
+ 			}
+ 
+ 			free(buffer);
++
+ #ifdef FREEIMAGE_BIGENDIAN
+ 		} else if (dst_bpp == 16) {
+ 			int padding = dst_pitch - dst_width * sizeof(WORD);
+@@ -1439,6 +1436,7 @@
+ 				}
+ 			}
+ #endif
++
+ #if FREEIMAGE_COLORORDER == FREEIMAGE_COLORORDER_RGB
+ 		} else if (dst_bpp == 24) {
+ 			int padding = dst_pitch - dst_width * sizeof(FILE_BGR);

CVE-2020-21427-2-r1836-improved-BMP-plugin-when-working-with-malicious-images.patch

@@ -0,0 +1,159 @@
+Origin: upstream, r1836
+Index: Source/FreeImage/PluginBMP.cpp
+---
+diff --git a/Source/FreeImage/PluginBMP.cpp b/Source/FreeImage/PluginBMP.cpp
+--- a/Source/FreeImage/PluginBMP.cpp	(revision 1835)
++++ b/Source/FreeImage/PluginBMP.cpp	(revision 1836)
+@@ -139,6 +139,75 @@
+ // --------------------------------------------------------------------------
+ 
+ /**
++Check if a BITMAPINFOHEADER is valid
++@return Returns TRUE if successful, returns FALSE otherwise
++*/
++static BOOL
++CheckBitmapInfoHeader(BITMAPINFOHEADER *bih) {
++	if (bih->biSize != sizeof(BITMAPINFOHEADER)) {
++		// The size, in bytes, of the image.This may be set to zero for BI_RGB bitmaps.
++		// If biCompression is BI_JPEG or BI_PNG, biSizeImage indicates the size of the JPEG or PNG image buffer, respectively.
++		if ((bih->biSize == 0) && (bih->biCompression != BI_RGB)) {
++			return FALSE;
++		}
++		else if ((bih->biCompression == BI_JPEG) || (bih->biCompression == BI_PNG)) {
++			// JPEG or PNG is not yet supported
++			return FALSE;
++		}
++		else {
++			return FALSE;
++		}
++	}
++	if (bih->biWidth < 0) {
++		return FALSE;
++	}
++	if (bih->biHeight < 0) {
++		// If biHeight is negative, indicating a top-down DIB, biCompression must be either BI_RGB or BI_BITFIELDS. 
++		// Top-down DIBs cannot be compressed.
++		// If biCompression is BI_JPEG or BI_PNG, the biHeight member specifies the height of the decompressed JPEG or PNG image file, respectively.
++		if ((bih->biCompression != BI_RGB) && (bih->biCompression != BI_BITFIELDS)) {
++			return FALSE;
++		}
++	}
++	if (bih->biPlanes != 1) {
++		//  The number of planes for the target device. This value must be set to 1.
++		return FALSE;
++	}
++	switch (bih->biBitCount) {
++		case 0:
++			// The number of bits-per-pixel is specified or is implied by the JPEG or PNG format.
++			// JPEG or PNG is not yet supported			
++			return FALSE;
++			break;
++		case 1:
++		case 4:
++		case 8:
++		case 16:
++		case 24:
++		case 32:
++			break;
++		default:
++			// Unsupported bitdepth
++			return FALSE;
++	}
++	switch (bih->biCompression) {
++		case BI_RGB:
++		case BI_RLE8:
++		case BI_RLE4:
++		case BI_BITFIELDS:
++			break;
++		case BI_JPEG:
++		case BI_PNG:
++		default:
++			return FALSE;
++	}
++
++	return TRUE;
++}
++
++// --------------------------------------------------------------------------
++
++/**
+ Load uncompressed image pixels for 1-, 4-, 8-, 16-, 24- and 32-bit dib
+ @param io FreeImage IO
+ @param handle FreeImage IO handle
+@@ -458,6 +527,10 @@
+ 		SwapInfoHeader(&bih);
+ #endif
+ 
++		if (CheckBitmapInfoHeader(&bih) == FALSE) {
++			throw FI_MSG_ERROR_INVALID_FORMAT;
++		}
++
+ 		// keep some general information about the bitmap
+ 
+ 		unsigned used_colors	= bih.biClrUsed;
+@@ -555,10 +628,18 @@
+ 			case 16 :
+ 			{
+ 				int use_bitfields = 0;
+-				if (bih.biCompression == BI_BITFIELDS) use_bitfields = 3;
+-				else if (bih.biCompression == BI_ALPHABITFIELDS) use_bitfields = 4;
+-				else if (type == 52) use_bitfields = 3;
+-				else if (type >= 56) use_bitfields = 4;
++				if (bih.biCompression == BI_BITFIELDS) {
++					use_bitfields = 3;
++				}
++				else if (bih.biCompression == BI_ALPHABITFIELDS) {
++					use_bitfields = 4;
++				}
++				else if (type == 52) {
++					use_bitfields = 3;
++				}
++				else if (type >= 56) {
++					use_bitfields = 4;
++				}
+ 				
+ 				if (use_bitfields > 0) {
+  					DWORD bitfields[4];
+@@ -595,10 +676,18 @@
+ 			case 32 :
+ 			{
+ 				int use_bitfields = 0;
+-				if (bih.biCompression == BI_BITFIELDS) use_bitfields = 3;
+-				else if (bih.biCompression == BI_ALPHABITFIELDS) use_bitfields = 4;
+-				else if (type == 52) use_bitfields = 3;
+-				else if (type >= 56) use_bitfields = 4;
++				if (bih.biCompression == BI_BITFIELDS) {
++					use_bitfields = 3;
++				}
++				else if (bih.biCompression == BI_ALPHABITFIELDS) {
++					use_bitfields = 4;
++				}
++				else if (type == 52) {
++					use_bitfields = 3;
++				}
++				else if (type >= 56) {
++					use_bitfields = 4;
++				}
+ 
+  				if (use_bitfields > 0) {
+ 					DWORD bitfields[4];
+@@ -676,6 +765,10 @@
+ 		SwapInfoHeader(&bih);
+ #endif
+ 
++		if (CheckBitmapInfoHeader(&bih) == FALSE) {
++			throw FI_MSG_ERROR_INVALID_FORMAT;
++		}
++
+ 		// keep some general information about the bitmap
+ 
+ 		unsigned used_colors	= bih.biClrUsed;
+@@ -780,7 +873,7 @@
+ 
+ 			case 16 :
+ 			{
+-				if (bih.biCompression == 3) {
++				if (bih.biCompression == BI_BITFIELDS) {
+ 					DWORD bitfields[3];
+ 
+ 					io->read_proc(bitfields, 3 * sizeof(DWORD), 1, handle);

CVE-2020-21427-pre-r1830-minor-refactoring.patch

@@ -0,0 +1,15 @@
+Index: Source/Utilities.h
+===================================================================
+diff --git a/Source/Utilities.h b/Source/Utilities.h
+--- a/Source/Utilities.h	(revision 1829)
++++ b/Source/Utilities.h	(revision 1830)
+@@ -529,7 +529,8 @@
+ static const char *FI_MSG_ERROR_DIB_MEMORY = "DIB allocation failed, maybe caused by an invalid image size or by a lack of memory";
+ static const char *FI_MSG_ERROR_PARSING = "Parsing error";
+ static const char *FI_MSG_ERROR_MAGIC_NUMBER = "Invalid magic number";
+-static const char *FI_MSG_ERROR_UNSUPPORTED_FORMAT = "Unsupported format";
++static const char *FI_MSG_ERROR_UNSUPPORTED_FORMAT = "Unsupported image format";
++static const char *FI_MSG_ERROR_INVALID_FORMAT = "Invalid file format";
+ static const char *FI_MSG_ERROR_UNSUPPORTED_COMPRESSION = "Unsupported compression type";
+ static const char *FI_MSG_WARNING_INVALID_THUMBNAIL = "Warning: attached thumbnail cannot be written to output file (invalid format) - Thumbnail saving aborted";
+ 

CVE-2020-21428-r1877-improved-DDS-plugin-against-malicious-images.patch

@@ -0,0 +1,15 @@
+Origin: upstream, r1877
+Index: Source/FreeImage/PluginDDS.cpp
+===================================================================
+diff --git a/Source/FreeImage/PluginDDS.cpp b/Source/FreeImage/PluginDDS.cpp
+--- a/Source/FreeImage/PluginDDS.cpp	(revision 1876)
++++ b/Source/FreeImage/PluginDDS.cpp	(revision 1877)
+@@ -617,7 +617,7 @@
+ 	// read the file
+ 	// -------------------------------------------------------------------------
+ 
+-	const int line = CalculateLine(width, bpp);
++	const int line = CalculateLine(width, FreeImage_GetBPP(dib));
+ 	const int filePitch = ((desc->dwFlags & DDSD_PITCH) == DDSD_PITCH) ? (int)desc->dwPitchOrLinearSize : line;
+ 	const long delta = (long)filePitch - (long)line;
+ 

CVE-2020-22524-r1848-improved-PFM-plugin-against-malicious-images.patch

@@ -0,0 +1,227 @@
+Origin: upstream, r1848
+Index: Source/FreeImage/PluginPFM.cpp
+---
+diff --git a/Source/FreeImage/PluginPFM.cpp b/Source/FreeImage/PluginPFM.cpp
+--- a/Source/FreeImage/PluginPFM.cpp	(revision 1847)
++++ b/Source/FreeImage/PluginPFM.cpp	(revision 1848)
+@@ -23,6 +23,12 @@
+ #include "Utilities.h"
+ 
+ // ==========================================================
++// Plugin Interface
++// ==========================================================
++
++static int s_format_id;
++
++// ==========================================================
+ // Internal functions
+ // ==========================================================
+ 
+@@ -59,6 +65,9 @@
+ 
+ /**
+ Get an integer value from the actual position pointed by handle
++@param io
++@param handle
++@return Returns -1 in case of failure, returns the found number otherwise
+ */
+ static int
+ pfm_get_int(FreeImageIO *io, fi_handle handle) {
+@@ -65,70 +74,72 @@
+     char c = 0;
+ 	BOOL bFirstChar;
+ 
+-    // skip forward to start of next number
++	try {
+ 
+-	if(!io->read_proc(&c, 1, 1, handle)) {
+-		throw FI_MSG_ERROR_PARSING;
+-	}
++		// skip forward to start of next number
+ 
+-    while (1) {
+-        // eat comments
++		if (io->read_proc(&c, 1, 1, handle) != 1) {
++			throw FI_MSG_ERROR_PARSING;
++		}
+ 
+-        if (c == '#') {
+-			// if we're at a comment, read to end of line
++		while (1) {
++			// eat comments
+ 
+-            bFirstChar = TRUE;
++			if (c == '#') {
++				// if we're at a comment, read to end of line
+ 
+-            while (1) {
+-				if(!io->read_proc(&c, 1, 1, handle)) {
+-					throw FI_MSG_ERROR_PARSING;
+-				}
++				bFirstChar = TRUE;
+ 
+-				if (bFirstChar && c == ' ') {
+-					// loop off 1 sp after #
+-					bFirstChar = FALSE;
+-				} else if (c == '\n') {
+-					break;
++				while (1) {
++					if (io->read_proc(&c, 1, 1, handle) != 1) {
++						throw FI_MSG_ERROR_PARSING;
++					}
++
++					if (bFirstChar && c == ' ') {
++						// loop off 1 sp after #
++						bFirstChar = FALSE;
++					}
++					else if (c == '\n') {
++						break;
++					}
+ 				}
+ 			}
+-		}
+ 
+-        if (c >= '0' && c <='9') {
+-			// we've found what we were looking for
+-            break;
+-		}
++			if (c >= '0' && c <= '9') {
++				// we've found what we were looking for
++				break;
++			}
+ 
+-		if(!io->read_proc(&c, 1, 1, handle)) {
+-			throw FI_MSG_ERROR_PARSING;
++			if (io->read_proc(&c, 1, 1, handle) != 1) {
++				throw FI_MSG_ERROR_PARSING;
++			}
+ 		}
+-    }
+ 
+-    // we're at the start of a number, continue until we hit a non-number
++		// we're at the start of a number, continue until we hit a non-number
+ 
+-    int i = 0;
++		int i = 0;
+ 
+-    while (1) {
+-        i = (i * 10) + (c - '0');
++		while (1) {
++			i = (i * 10) + (c - '0');
+ 
+-		if(!io->read_proc(&c, 1, 1, handle)) {
+-			throw FI_MSG_ERROR_PARSING;
+-		}
++			if (io->read_proc(&c, 1, 1, handle) != 1) {
++				throw FI_MSG_ERROR_PARSING;
++			}
+ 
+-		if (c < '0' || c > '9') {
+-			break;
++			if (c < '0' || c > '9') {
++				break;
++			}
+ 		}
+-    }
+ 
+-    return i;
++		return i;
++	}
++	catch (const char *message) {
++		FreeImage_OutputMessageProc(s_format_id, message);
++		return -1;
++	}
+ }
+ 
+ // ==========================================================
+-// Plugin Interface
+-// ==========================================================
+-
+-static int s_format_id;
+-
+-// ==========================================================
+ // Plugin Implementation
+ // ==========================================================
+ 
+@@ -230,8 +241,12 @@
+ 		}
+ 
+ 		// Read the header information: width, height and the scale value
+-		unsigned width  = (unsigned) pfm_get_int(io, handle);
+-		unsigned height = (unsigned) pfm_get_int(io, handle);
++		int width = pfm_get_int(io, handle);
++		int height = pfm_get_int(io, handle);
++		if ((width <= 0) || (height <= 0)) {
++			throw FI_MSG_ERROR_PARSING;
++		}
++
+ 		float scalefactor = 1;
+ 
+ 		BOOL bResult = pfm_get_line(io, handle, line_buffer, PFM_MAXLINE);
+@@ -262,7 +277,7 @@
+ 				throw FI_MSG_ERROR_MEMORY;
+ 			}
+ 
+-			for (unsigned y = 0; y < height; y++) {	
++			for (int y = 0; y < height; y++) {	
+ 				FIRGBF *bits = (FIRGBF*)FreeImage_GetScanLine(dib, height - 1 - y);
+ 
+ 				if(io->read_proc(lineBuffer, sizeof(float), lineWidth, handle) != lineWidth) {
+@@ -271,7 +286,7 @@
+ 				float *channel = lineBuffer;
+ 				if(scalefactor > 0) {
+ 					// MSB
+-					for (unsigned x = 0; x < width; x++) {
++					for (int x = 0; x < width; x++) {
+ 						REVERSEBYTES(channel++, &bits[x].red);
+ 						REVERSEBYTES(channel++, &bits[x].green);
+ 						REVERSEBYTES(channel++, &bits[x].blue);
+@@ -278,7 +293,7 @@
+ 					}
+ 				} else {
+ 					// LSB					
+-					for (unsigned x = 0; x < width; x++) {
++					for (int x = 0; x < width; x++) {
+ 						bits[x].red		= *channel++;
+ 						bits[x].green	= *channel++;
+ 						bits[x].blue	= *channel++;
+@@ -296,7 +311,7 @@
+ 				throw FI_MSG_ERROR_MEMORY;
+ 			}
+ 
+-			for (unsigned y = 0; y < height; y++) {	
++			for (int y = 0; y < height; y++) {	
+ 				float *bits = (float*)FreeImage_GetScanLine(dib, height - 1 - y);
+ 
+ 				if(io->read_proc(lineBuffer, sizeof(float), lineWidth, handle) != lineWidth) {
+@@ -305,12 +320,12 @@
+ 				float *channel = lineBuffer;
+ 				if(scalefactor > 0) {
+ 					// MSB - File is Big endian
+-					for (unsigned x = 0; x < width; x++) {
++					for (int x = 0; x < width; x++) {
+ 						REVERSEBYTES(channel++, &bits[x]);
+ 					}
+ 				} else {
+ 					// LSB - File is Little Endian
+-					for (unsigned x = 0; x < width; x++) {
++					for (int x = 0; x < width; x++) {
+ 						bits[x] = *channel++;
+ 					}
+ 				}
+@@ -323,9 +338,12 @@
+ 		return dib;
+ 
+ 	} catch (const char *text)  {
+-		if(lineBuffer) free(lineBuffer);
+-		if(dib) FreeImage_Unload(dib);
+-
++		if (lineBuffer) {
++			free(lineBuffer);
++		}
++		if (dib) {
++			FreeImage_Unload(dib);
++		}
+ 		if(NULL != text) {
+ 			FreeImage_OutputMessageProc(s_format_id, text);
+ 		}

CVE-2020-24292.patch

@@ -0,0 +1,14 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24292.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp	2023-09-28 19:34:45.524031668 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp	2023-09-28 19:34:47.717009813 +0200
+@@ -301,6 +301,9 @@ LoadStandardIcon(FreeImageIO *io, fi_han
+ 	int width  = bmih.biWidth;
+ 	int height = bmih.biHeight / 2; // height == xor + and mask
+ 	unsigned bit_count = bmih.biBitCount;
++	if (bit_count != 1 && bit_count != 2 && bit_count != 4 && bit_count != 8 && bit_count != 16 && bit_count != 24 && bit_count != 32) {
++	  return NULL;
++	}
+ 	unsigned line   = CalculateLine(width, bit_count);
+ 	unsigned pitch  = CalculatePitch(line);
+ 

CVE-2020-24293.patch

@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24293.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.287014100 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.832008666 +0200
+@@ -780,6 +780,10 @@ int psdThumbnail::Read(FreeImageIO *io,
+ 		FreeImage_Unload(_dib);
+ 	}
+ 
++	if (_WidthBytes != _Width * _BitPerPixel / 8) {
++	  throw "Invalid PSD image";
++	}
++
+ 	if(_Format == 1) {
+ 		// kJpegRGB thumbnail image
+ 		_dib = FreeImage_LoadFromHandle(FIF_JPEG, io, handle);

CVE-2020-24295.patch

@@ -0,0 +1,22 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24295.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.936007630 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp	2023-09-28 19:34:47.940007590 +0200
+@@ -1466,6 +1466,7 @@ FIBITMAP* psdParser::ReadImageData(FreeI
+ 	const unsigned dstBpp =  (depth == 1) ? 1 : FreeImage_GetBPP(bitmap)/8;
+ 	const unsigned dstLineSize = FreeImage_GetPitch(bitmap);
+ 	BYTE* const dst_first_line = FreeImage_GetScanLine(bitmap, nHeight - 1);//<*** flipped
++	const unsigned dst_buffer_size = dstLineSize * nHeight;
+ 
+ 	BYTE* line_start = new BYTE[lineSize]; //< fileline cache
+ 
+@@ -1481,6 +1482,9 @@ FIBITMAP* psdParser::ReadImageData(FreeI
+ 				const unsigned channelOffset = GetChannelOffset(bitmap, c) * bytes;
+ 
+ 				BYTE* dst_line_start = dst_first_line + channelOffset;
++				if (channelOffset + lineSize > dst_buffer_size) {
++					throw "Invalid PSD image";
++				}
+ 				for(unsigned h = 0; h < nHeight; ++h, dst_line_start -= dstLineSize) {//<*** flipped
+ 					io->read_proc(line_start, lineSize, 1, handle);
+ 					ReadImageLine(dst_line_start, line_start, lineSize, dstBpp, bytes);

CVE-2021-33367.patch

@@ -0,0 +1,18 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-33367.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/Metadata/Exif.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp	2024-10-23 09:59:54.487770330 +0800
++++ freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp	2024-10-23 10:01:14.995770330 +0800
+@@ -720,7 +720,12 @@ jpeg_read_exif_dir(FIBITMAP *dib, const
+ 
+ 	const WORD entriesCount0th = ReadUint16(msb_order, ifd0th);
+ 	
+-	DWORD next_offset = ReadUint32(msb_order, DIR_ENTRY_ADDR(ifd0th, entriesCount0th));
++	const BYTE* de_addr = DIR_ENTRY_ADDR(ifd0th, entriesCount0th);
++	if(de_addr+4 >= (BYTE*)(dwLength + ifd0th - tiffp)) {
++		return TRUE; //< no thumbnail
++	}
++
++	DWORD next_offset = ReadUint32(msb_order, de_addr);
+ 	if((next_offset == 0) || (next_offset >= dwLength)) {
+ 		return TRUE; //< no thumbnail
+ 	}

CVE-2021-40263.patch

@@ -0,0 +1,16 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40263.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.713009853 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:48.043006563 +0200
+@@ -2081,6 +2081,11 @@ Load(FreeImageIO *io, fi_handle handle,
+ 				uint32 tileRowSize = (uint32)TIFFTileRowSize(tif);
+ 				uint32 imageRowSize = (uint32)TIFFScanlineSize(tif);
+ 
++				if (width / tileWidth * tileRowSize * 8 > bitspersample * samplesperpixel * width) {
++				  free(tileBuffer);
++				  throw "Corrupted tiled TIFF file";
++				}
++
+ 
+ 				// In the tiff file the lines are saved from up to down 
+ 				// In a DIB the lines must be saved from down to up

CVE-2021-40266.patch

@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2021-40266.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.501011966 +0200
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2023-09-28 19:34:47.610010879 +0200
+@@ -357,6 +357,10 @@ static void
+ ReadPalette(TIFF *tiff, uint16 photometric, uint16 bitspersample, FIBITMAP *dib) {
+ 	RGBQUAD *pal = FreeImage_GetPalette(dib);
+ 
++	if (!pal) {
++	  return;
++	}
++
+ 	switch(photometric) {
+ 		case PHOTOMETRIC_MINISBLACK:	// bitmap and greyscale image types
+ 		case PHOTOMETRIC_MINISWHITE:

CVE-2023-47995.patch

@@ -0,0 +1,15 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47995.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginJPEG.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginJPEG.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginJPEG.cpp	2024-03-10 14:22:17.818579271 +0100
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginJPEG.cpp	2024-03-10 14:22:18.776573816 +0100
+@@ -1086,6 +1086,10 @@ Load(FreeImageIO *io, fi_handle handle,
+ 
+ 			jpeg_read_header(&cinfo, TRUE);
+ 
++			if (cinfo.image_width > JPEG_MAX_DIMENSION || cinfo.image_height > JPEG_MAX_DIMENSION) {
++				throw FI_MSG_ERROR_DIB_MEMORY;
++			}
++
+ 			// step 4: set parameters for decompression
+ 
+ 			unsigned int scale_denom = 1;		// fraction by which to scale image

CVE-2023-47997.patch

@@ -0,0 +1,17 @@
+Origin: https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47997.patch
+diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp
+--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp	2024-03-10 14:22:18.669574426 +0100
++++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp	2024-03-10 14:22:18.673574403 +0100
+@@ -1435,6 +1435,12 @@ Load(FreeImageIO *io, fi_handle handle,
+ 				(int)bitspersample, (int)samplesperpixel, (int)photometric);
+ 			throw (char*)NULL;
+ 		}
++		if (planar_config == PLANARCONFIG_SEPARATE && bitspersample < 8) {
++			FreeImage_OutputMessageProc(s_format_id,
++				"Unable to handle this format: bitspersample = 8, TIFFTAG_PLANARCONFIG = PLANARCONFIG_SEPARATE"
++			);
++			throw (char*)NULL;
++		}
+ 
+ 		// ---------------------------------------------------------------------------------
+ 

FreeImage_bigendian.patch

@@ -0,0 +1,56 @@
+diff -rupN FreeImage/Source/FreeImage/PluginBMP.cpp FreeImage-new/Source/FreeImage/PluginBMP.cpp
+--- FreeImage/Source/FreeImage/PluginBMP.cpp	2016-06-15 12:35:30.000000000 +0200
++++ FreeImage-new/Source/FreeImage/PluginBMP.cpp	2018-08-01 00:56:37.322692192 +0200
+@@ -1419,7 +1419,7 @@ Save(FreeImageIO *io, FIBITMAP *dib, fi_
+ 
+ 			free(buffer);
+ #ifdef FREEIMAGE_BIGENDIAN
+-		} else if (bpp == 16) {
++		} else if (dst_bpp == 16) {
+ 			int padding = dst_pitch - dst_width * sizeof(WORD);
+ 			WORD pad = 0;
+ 			WORD pixel;
+@@ -1440,7 +1440,7 @@ Save(FreeImageIO *io, FIBITMAP *dib, fi_
+ 			}
+ #endif
+ #if FREEIMAGE_COLORORDER == FREEIMAGE_COLORORDER_RGB
+-		} else if (bpp == 24) {
++		} else if (dst_bpp == 24) {
+ 			int padding = dst_pitch - dst_width * sizeof(FILE_BGR);
+ 			DWORD pad = 0;
+ 			FILE_BGR bgr;
+@@ -1461,7 +1461,7 @@ Save(FreeImageIO *io, FIBITMAP *dib, fi_
+ 					}
+ 				}
+ 			}
+-		} else if (bpp == 32) {
++		} else if (dst_bpp == 32) {
+ 			FILE_BGRA bgra;
+ 			for(unsigned y = 0; y < dst_height; y++) {
+ 				BYTE *line = FreeImage_GetScanLine(dib, y);
+diff -rupN FreeImage/Source/FreeImage/PluginDDS.cpp FreeImage-new/Source/FreeImage/PluginDDS.cpp
+--- FreeImage/Source/FreeImage/PluginDDS.cpp	2018-07-31 17:04:56.000000000 +0200
++++ FreeImage-new/Source/FreeImage/PluginDDS.cpp	2018-08-01 01:05:52.724661471 +0200
+@@ -356,14 +356,14 @@ SwapHeader(DDSHEADER *header) {
+ 	for(int i=0; i<11; i++) {
+ 		SwapLong(&header->surfaceDesc.dwReserved1[i]);
+ 	}
+-	SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwSize);
+-	SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwFlags);
+-	SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwFourCC);
+-	SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwRGBBitCount);
+-	SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwRBitMask);
+-	SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwGBitMask);
+-	SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwBBitMask);
+-	SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwRGBAlphaBitMask);
++	SwapLong(&header->surfaceDesc.ddspf.dwSize);
++	SwapLong(&header->surfaceDesc.ddspf.dwFlags);
++	SwapLong(&header->surfaceDesc.ddspf.dwFourCC);
++	SwapLong(&header->surfaceDesc.ddspf.dwRGBBitCount);
++	SwapLong(&header->surfaceDesc.ddspf.dwRBitMask);
++	SwapLong(&header->surfaceDesc.ddspf.dwGBitMask);
++	SwapLong(&header->surfaceDesc.ddspf.dwBBitMask);
++	SwapLong(&header->surfaceDesc.ddspf.dwRGBAlphaBitMask);
+ 	SwapLong(&header->surfaceDesc.ddsCaps.dwCaps1);
+ 	SwapLong(&header->surfaceDesc.ddsCaps.dwCaps2);
+ 	SwapLong(&header->surfaceDesc.ddsCaps.dwReserved[0]);

FreeImage_doxygen.patch

@@ -0,0 +1,12 @@
+diff -rupN FreeImage/Wrapper/FreeImagePlus/doc/FreeImagePlus.dox FreeImage-new/Wrapper/FreeImagePlus/doc/FreeImagePlus.dox
+--- FreeImage/Wrapper/FreeImagePlus/doc/FreeImagePlus.dox	2015-12-31 23:07:18.000000000 +0100
++++ FreeImage-new/Wrapper/FreeImagePlus/doc/FreeImagePlus.dox	2018-07-31 23:35:53.584960114 +0200
+@@ -753,7 +753,7 @@ WARN_FORMAT            = "$file:$line: $
+ # messages should be written. If left blank the output is written to standard
+ # error (stderr).
+ 
+-WARN_LOGFILE           = .\doxygen.log
++WARN_LOGFILE           = ./doxygen.log
+ 
+ #---------------------------------------------------------------------------
+ # Configuration options related to the input files

FreeImage_unbundle.patch

@@ -0,0 +1,750 @@
+diff -rupN FreeImage/genfipsrclist.sh FreeImage-new/genfipsrclist.sh
+--- FreeImage/genfipsrclist.sh	2018-07-28 18:53:18.000000000 +0200
++++ FreeImage-new/genfipsrclist.sh	2018-07-31 23:37:58.552953202 +0200
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+ 
+-DIRLIST=". Source Source/Metadata Source/FreeImageToolkit Source/LibJPEG Source/LibPNG Source/LibTIFF4 Source/ZLib Source/LibOpenJPEG Source/OpenEXR Source/OpenEXR/Half Source/OpenEXR/Iex Source/OpenEXR/IlmImf Source/OpenEXR/IlmThread Source/OpenEXR/Imath Source/OpenEXR/IexMath Source/LibRawLite Source/LibRawLite/dcraw Source/LibRawLite/internal Source/LibRawLite/libraw Source/LibRawLite/src Source/LibWebP Source/LibJXR Source/LibJXR/common/include Source/LibJXR/image/sys Source/LibJXR/jxrgluelib Wrapper/FreeImagePlus"
++DIRLIST="Wrapper/FreeImagePlus"
+ 
+ 
+ echo "VER_MAJOR = 3" > fipMakefile.srcs
+@@ -19,5 +19,6 @@ echo -n "INCLUDE =" >> fipMakefile.srcs
+ for DIR in $DIRLIST; do
+ 	echo -n " -I$DIR" >> fipMakefile.srcs
+ done
++echo -n " -IDist" >> fipMakefile.srcs
+ echo >> fipMakefile.srcs
+ 
+diff -rupN FreeImage/gensrclist.sh FreeImage-new/gensrclist.sh
+--- FreeImage/gensrclist.sh	2018-07-28 18:52:50.000000000 +0200
++++ FreeImage-new/gensrclist.sh	2018-07-31 23:37:58.555953202 +0200
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+ 
+-DIRLIST=". Source Source/Metadata Source/FreeImageToolkit Source/LibJPEG Source/LibPNG Source/LibTIFF4 Source/ZLib Source/LibOpenJPEG Source/OpenEXR Source/OpenEXR/Half Source/OpenEXR/Iex Source/OpenEXR/IlmImf Source/OpenEXR/IlmThread Source/OpenEXR/Imath Source/OpenEXR/IexMath Source/LibRawLite Source/LibRawLite/dcraw Source/LibRawLite/internal Source/LibRawLite/libraw Source/LibRawLite/src Source/LibWebP Source/LibJXR Source/LibJXR/common/include Source/LibJXR/image/sys Source/LibJXR/jxrgluelib"
++DIRLIST=". Source Source/Metadata Source/FreeImageToolkit"
+ 
+ echo "VER_MAJOR = 3" > Makefile.srcs
+ echo "VER_MINOR = 18.0" >> Makefile.srcs
+diff -rupN FreeImage/Makefile.fip FreeImage-new/Makefile.fip
+--- FreeImage/Makefile.fip	2015-03-10 08:03:56.000000000 +0100
++++ FreeImage-new/Makefile.fip	2018-07-31 23:37:58.556953201 +0200
+@@ -17,20 +17,22 @@ MODULES = $(SRCS:.c=.o)
+ MODULES := $(MODULES:.cpp=.o)
+ CFLAGS ?= -O3 -fPIC -fexceptions -fvisibility=hidden
+ # OpenJPEG
+-CFLAGS += -DOPJ_STATIC
++override CFLAGS += -DOPJ_STATIC
+ # LibRaw
+-CFLAGS += -DNO_LCMS
++override CFLAGS += -DNO_LCMS
+ # LibJXR
+-CFLAGS += -DDISABLE_PERF_MEASUREMENT -D__ANSI__
+-CFLAGS += $(INCLUDE)
++override CFLAGS += -DDISABLE_PERF_MEASUREMENT -D__ANSI__
++override CFLAGS += $(INCLUDE)
+ CXXFLAGS ?= -O3 -fPIC -fexceptions -fvisibility=hidden -Wno-ctor-dtor-privacy
+ # LibJXR
+-CXXFLAGS += -D__ANSI__
+-CXXFLAGS += $(INCLUDE)
++override CXXFLAGS += -D__ANSI__
++override CXXFLAGS += $(INCLUDE)
++LDFLAGS ?=
++override LDFLAGS += -LDist -lfreeimage-$(VER_MAJOR).$(VER_MINOR)
+ 
+ ifeq ($(shell sh -c 'uname -m 2>/dev/null || echo not'),x86_64)
+-	CFLAGS += -fPIC
+-	CXXFLAGS += -fPIC
++	override CFLAGS += -fPIC
++	override CXXFLAGS += -fPIC
+ endif
+ 
+ TARGET  = freeimageplus
+@@ -68,7 +70,7 @@ $(STATICLIB): $(MODULES)
+ 	$(AR) r $@ $(MODULES)
+ 
+ $(SHAREDLIB): $(MODULES)
+-	$(CC) -s -shared -Wl,-soname,$(VERLIBNAME) $(LDFLAGS) -o $@ $(MODULES) $(LIBRARIES)
++	$(CC) -shared -Wl,-soname,$(VERLIBNAME) $(LDFLAGS) -o $@ $(MODULES) $(LIBRARIES)
+ 
+ install:
+ 	install -d $(INCDIR) $(INSTALLDIR)
+diff -rupN FreeImage/Makefile.gnu FreeImage-new/Makefile.gnu
+--- FreeImage/Makefile.gnu	2015-03-10 08:04:00.000000000 +0100
++++ FreeImage-new/Makefile.gnu	2018-07-31 23:37:58.556953201 +0200
+@@ -16,21 +16,11 @@ LIBRARIES = -lstdc++
+ MODULES = $(SRCS:.c=.o)
+ MODULES := $(MODULES:.cpp=.o)
+ CFLAGS ?= -O3 -fPIC -fexceptions -fvisibility=hidden
+-# OpenJPEG
+-CFLAGS += -DOPJ_STATIC
+-# LibRaw
+-CFLAGS += -DNO_LCMS
+-# LibJXR
+-CFLAGS += -DDISABLE_PERF_MEASUREMENT -D__ANSI__
+-CFLAGS += $(INCLUDE)
+-CXXFLAGS ?= -O3 -fPIC -fexceptions -fvisibility=hidden -Wno-ctor-dtor-privacy
+-# LibJXR
+-CXXFLAGS += -D__ANSI__
+-CXXFLAGS += $(INCLUDE)
++override CFLAGS += $(INCLUDE) -D__ANSI__ -I/usr/include/jxrlib $(shell pkg-config --cflags OpenEXR libopenjp2 libraw libpng libtiff-4 libwebp libwebpmux zlib)
++override LDFLAGS += -ljpeg -ljpegxr -ljxrglue $(shell pkg-config --libs OpenEXR libopenjp2 libraw libpng libtiff-4 libwebp libwebpmux zlib)
+ 
+ ifeq ($(shell sh -c 'uname -m 2>/dev/null || echo not'),x86_64)
+-	CFLAGS += -fPIC
+-	CXXFLAGS += -fPIC
++	override CFLAGS += -fPIC
+ endif
+ 
+ TARGET  = freeimage
+@@ -61,13 +51,13 @@ FreeImage: $(STATICLIB) $(SHAREDLIB)
+ 	$(CC) $(CFLAGS) -c $< -o $@
+ 
+ .cpp.o:
+-	$(CXX) $(CXXFLAGS) -c $< -o $@
++	$(CXX) $(CFLAGS) -c $< -o $@
+ 
+ $(STATICLIB): $(MODULES)
+ 	$(AR) r $@ $(MODULES)
+ 
+ $(SHAREDLIB): $(MODULES)
+-	$(CC) -s -shared -Wl,-soname,$(VERLIBNAME) $(LDFLAGS) -o $@ $(MODULES) $(LIBRARIES)
++	$(CC) -shared -Wl,-soname,$(VERLIBNAME) $(LDFLAGS) -o $@ $(MODULES) $(LIBRARIES)
+ 
+ install:
+ 	install -d $(INCDIR) $(INSTALLDIR)
+diff -rupN FreeImage/Source/FreeImage/J2KHelper.cpp FreeImage-new/Source/FreeImage/J2KHelper.cpp
+--- FreeImage/Source/FreeImage/J2KHelper.cpp	2015-03-03 23:07:08.000000000 +0100
++++ FreeImage-new/Source/FreeImage/J2KHelper.cpp	2018-07-31 23:37:58.557953201 +0200
+@@ -21,7 +21,7 @@
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibOpenJPEG/openjpeg.h"
++#include <openjpeg.h>
+ #include "J2KHelper.h"
+ 
+ // --------------------------------------------------------------------------
+diff -rupN FreeImage/Source/FreeImage/Plugin.cpp FreeImage-new/Source/FreeImage/Plugin.cpp
+--- FreeImage/Source/FreeImage/Plugin.cpp	2017-02-18 14:09:28.000000000 +0100
++++ FreeImage-new/Source/FreeImage/Plugin.cpp	2018-07-31 23:37:58.558953201 +0200
+@@ -263,7 +263,12 @@ FreeImage_Initialise(BOOL load_local_plu
+ 			s_plugins->AddNode(InitDDS);
+ 	        s_plugins->AddNode(InitGIF);
+ 	        s_plugins->AddNode(InitHDR);
+-			s_plugins->AddNode(InitG3);
++/* The G3 fax format plugin is deliberately disabled in the Fedora build of
++   FreeImage as it requires that FreeImage uses a private copy of libtiff
++   which is a no no because of security reasons. */
++#if 0
++ 			s_plugins->AddNode(InitG3);
++#endif
+ 			s_plugins->AddNode(InitSGI);
+ 			s_plugins->AddNode(InitEXR);
+ 			s_plugins->AddNode(InitJ2K);
+diff -rupN FreeImage/Source/FreeImage/PluginEXR.cpp FreeImage-new/Source/FreeImage/PluginEXR.cpp
+--- FreeImage/Source/FreeImage/PluginEXR.cpp	2015-03-03 23:07:08.000000000 +0100
++++ FreeImage-new/Source/FreeImage/PluginEXR.cpp	2018-07-31 23:37:58.559953201 +0200
+@@ -28,16 +28,16 @@
+ #pragma warning (disable : 4800) // ImfVersion.h - 'const int' : forcing value to bool 'true' or 'false' (performance warning)
+ #endif 
+ 
+-#include "../OpenEXR/IlmImf/ImfIO.h"
+-#include "../OpenEXR/Iex/Iex.h"
+-#include "../OpenEXR/IlmImf/ImfOutputFile.h"
+-#include "../OpenEXR/IlmImf/ImfInputFile.h"
+-#include "../OpenEXR/IlmImf/ImfRgbaFile.h"
+-#include "../OpenEXR/IlmImf/ImfChannelList.h"
+-#include "../OpenEXR/IlmImf/ImfRgba.h"
+-#include "../OpenEXR/IlmImf/ImfArray.h"
+-#include "../OpenEXR/IlmImf/ImfPreviewImage.h"
+-#include "../OpenEXR/Half/half.h"
++#include <OpenEXR/ImfIO.h>
++#include <OpenEXR/Iex.h>
++#include <OpenEXR/ImfOutputFile.h>
++#include <OpenEXR/ImfInputFile.h>
++#include <OpenEXR/ImfRgbaFile.h>
++#include <OpenEXR/ImfChannelList.h>
++#include <OpenEXR/ImfRgba.h>
++#include <OpenEXR/ImfArray.h>
++#include <OpenEXR/ImfPreviewImage.h>
++#include <OpenEXR/half.h>
+ 
+ 
+ // ==========================================================
+diff -rupN FreeImage/Source/FreeImage/PluginJ2K.cpp FreeImage-new/Source/FreeImage/PluginJ2K.cpp
+--- FreeImage/Source/FreeImage/PluginJ2K.cpp	2015-03-03 23:07:08.000000000 +0100
++++ FreeImage-new/Source/FreeImage/PluginJ2K.cpp	2018-07-31 23:37:58.559953201 +0200
+@@ -21,7 +21,7 @@
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibOpenJPEG/openjpeg.h"
++#include <openjpeg.h>
+ #include "J2KHelper.h"
+ 
+ // ==========================================================
+diff -rupN FreeImage/Source/FreeImage/PluginJP2.cpp FreeImage-new/Source/FreeImage/PluginJP2.cpp
+--- FreeImage/Source/FreeImage/PluginJP2.cpp	2015-03-03 23:07:08.000000000 +0100
++++ FreeImage-new/Source/FreeImage/PluginJP2.cpp	2018-07-31 23:37:58.560953201 +0200
+@@ -21,7 +21,7 @@
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibOpenJPEG/openjpeg.h"
++#include <openjpeg.h>
+ #include "J2KHelper.h"
+ 
+ // ==========================================================
+diff -rupN FreeImage/Source/FreeImage/PluginJPEG.cpp FreeImage-new/Source/FreeImage/PluginJPEG.cpp
+--- FreeImage/Source/FreeImage/PluginJPEG.cpp	2018-07-28 19:22:22.000000000 +0200
++++ FreeImage-new/Source/FreeImage/PluginJPEG.cpp	2018-07-31 23:37:58.561953201 +0200
+@@ -35,9 +35,9 @@ extern "C" {
+ #undef FAR
+ #include <setjmp.h>
+ 
+-#include "../LibJPEG/jinclude.h"
+-#include "../LibJPEG/jpeglib.h"
+-#include "../LibJPEG/jerror.h"
++#include <stdio.h>
++#include <jpeglib.h>
++#include <jerror.h>
+ }
+ 
+ #include "FreeImage.h"
+@@ -485,116 +485,6 @@ marker_is_icc(jpeg_saved_marker_ptr mark
+ }
+ 
+ /**
+-  See if there was an ICC profile in the JPEG file being read;
+-  if so, reassemble and return the profile data.
+-
+-  TRUE is returned if an ICC profile was found, FALSE if not.
+-  If TRUE is returned, *icc_data_ptr is set to point to the
+-  returned data, and *icc_data_len is set to its length.
+-  
+-  IMPORTANT: the data at **icc_data_ptr has been allocated with malloc()
+-  and must be freed by the caller with free() when the caller no longer
+-  needs it.  (Alternatively, we could write this routine to use the
+-  IJG library's memory allocator, so that the data would be freed implicitly
+-  at jpeg_finish_decompress() time.  But it seems likely that many apps
+-  will prefer to have the data stick around after decompression finishes.)
+-  
+-  NOTE: if the file contains invalid ICC APP2 markers, we just silently
+-  return FALSE.  You might want to issue an error message instead.
+-*/
+-static BOOL 
+-jpeg_read_icc_profile(j_decompress_ptr cinfo, JOCTET **icc_data_ptr, unsigned *icc_data_len) {
+-	jpeg_saved_marker_ptr marker;
+-	int num_markers = 0;
+-	int seq_no;
+-	JOCTET *icc_data;
+-	unsigned total_length;
+-
+-	const int MAX_SEQ_NO = 255;			// sufficient since marker numbers are bytes
+-	BYTE marker_present[MAX_SEQ_NO+1];	// 1 if marker found
+-	unsigned data_length[MAX_SEQ_NO+1];	// size of profile data in marker
+-	unsigned data_offset[MAX_SEQ_NO+1];	// offset for data in marker
+-	
+-	*icc_data_ptr = NULL;		// avoid confusion if FALSE return
+-	*icc_data_len = 0;
+-	
+-	/**
+-	this first pass over the saved markers discovers whether there are
+-	any ICC markers and verifies the consistency of the marker numbering.
+-	*/
+-	
+-	memset(marker_present, 0, (MAX_SEQ_NO + 1));
+-	
+-	for(marker = cinfo->marker_list; marker != NULL; marker = marker->next) {
+-		if (marker_is_icc(marker)) {
+-			if (num_markers == 0) {
+-				// number of markers
+-				num_markers = GETJOCTET(marker->data[13]);
+-			}
+-			else if (num_markers != GETJOCTET(marker->data[13])) {
+-				return FALSE;		// inconsistent num_markers fields 
+-			}
+-			// sequence number
+-			seq_no = GETJOCTET(marker->data[12]);
+-			if (seq_no <= 0 || seq_no > num_markers) {
+-				return FALSE;		// bogus sequence number 
+-			}
+-			if (marker_present[seq_no]) {
+-				return FALSE;		// duplicate sequence numbers 
+-			}
+-			marker_present[seq_no] = 1;
+-			data_length[seq_no] = marker->data_length - ICC_HEADER_SIZE;
+-		}
+-	}
+-	
+-	if (num_markers == 0)
+-		return FALSE;
+-		
+-	/**
+-	check for missing markers, count total space needed,
+-	compute offset of each marker's part of the data.
+-	*/
+-	
+-	total_length = 0;
+-	for(seq_no = 1; seq_no <= num_markers; seq_no++) {
+-		if (marker_present[seq_no] == 0) {
+-			return FALSE;		// missing sequence number
+-		}
+-		data_offset[seq_no] = total_length;
+-		total_length += data_length[seq_no];
+-	}
+-	
+-	if (total_length <= 0)
+-		return FALSE;		// found only empty markers ?
+-	
+-	// allocate space for assembled data 
+-	icc_data = (JOCTET *) malloc(total_length * sizeof(JOCTET));
+-	if (icc_data == NULL)
+-		return FALSE;		// out of memory
+-	
+-	// and fill it in
+-	for (marker = cinfo->marker_list; marker != NULL; marker = marker->next) {
+-		if (marker_is_icc(marker)) {
+-			JOCTET FAR *src_ptr;
+-			JOCTET *dst_ptr;
+-			unsigned length;
+-			seq_no = GETJOCTET(marker->data[12]);
+-			dst_ptr = icc_data + data_offset[seq_no];
+-			src_ptr = marker->data + ICC_HEADER_SIZE;
+-			length = data_length[seq_no];
+-			while (length--) {
+-				*dst_ptr++ = *src_ptr++;
+-			}
+-		}
+-	}
+-	
+-	*icc_data_ptr = icc_data;
+-	*icc_data_len = total_length;
+-	
+-	return TRUE;
+-}
+-
+-/**
+ 	Read JPEG_APPD marker (IPTC or Adobe Photoshop profile)
+ */
+ static BOOL 
+diff -rupN FreeImage/Source/FreeImage/PluginJXR.cpp FreeImage-new/Source/FreeImage/PluginJXR.cpp
+--- FreeImage/Source/FreeImage/PluginJXR.cpp	2015-03-03 23:07:08.000000000 +0100
++++ FreeImage-new/Source/FreeImage/PluginJXR.cpp	2018-07-31 23:37:58.561953201 +0200
+@@ -23,7 +23,7 @@
+ #include "Utilities.h"
+ #include "../Metadata/FreeImageTag.h"
+ 
+-#include "../LibJXR/jxrgluelib/JXRGlue.h"
++#include <JXRGlue.h>
+ 
+ // ==========================================================
+ // Plugin Interface
+diff -rupN FreeImage/Source/FreeImage/PluginPNG.cpp FreeImage-new/Source/FreeImage/PluginPNG.cpp
+--- FreeImage/Source/FreeImage/PluginPNG.cpp	2018-07-28 20:15:24.000000000 +0200
++++ FreeImage-new/Source/FreeImage/PluginPNG.cpp	2018-07-31 23:37:58.561953201 +0200
+@@ -40,8 +40,8 @@
+ 
+ // ----------------------------------------------------------
+ 
+-#include "../ZLib/zlib.h"
+-#include "../LibPNG/png.h"
++#include <zlib.h>
++#include <png.h>
+ 
+ // ----------------------------------------------------------
+ 
+diff -rupN FreeImage/Source/FreeImage/PluginRAW.cpp FreeImage-new/Source/FreeImage/PluginRAW.cpp
+--- FreeImage/Source/FreeImage/PluginRAW.cpp	2015-03-10 10:12:04.000000000 +0100
++++ FreeImage-new/Source/FreeImage/PluginRAW.cpp	2018-07-31 23:37:58.561953201 +0200
+@@ -19,7 +19,7 @@
+ // Use at your own risk!
+ // ==========================================================
+ 
+-#include "../LibRawLite/libraw/libraw.h"
++#include <libraw/libraw.h>
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+diff -rupN FreeImage/Source/FreeImage/PluginTIFF.cpp FreeImage-new/Source/FreeImage/PluginTIFF.cpp
+--- FreeImage/Source/FreeImage/PluginTIFF.cpp	2018-07-29 00:24:43.000000000 +0200
++++ FreeImage-new/Source/FreeImage/PluginTIFF.cpp	2018-07-31 23:52:38.774904514 +0200
+@@ -37,9 +37,9 @@
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibTIFF4/tiffiop.h"
++#include <tiffio.h>
+ #include "../Metadata/FreeImageTag.h"
+-#include "../OpenEXR/Half/half.h"
++#include <OpenEXR/half.h>
+ 
+ #include "FreeImageIO.h"
+ #include "PSDParser.h"
+@@ -193,17 +193,6 @@ TIFFFdOpen(thandle_t handle, const char
+ 
+ 	return tif;
+ }
+-
+-/**
+-Open a TIFF file for reading or writing
+-@param name
+-@param mode
+-*/
+-TIFF*
+-TIFFOpen(const char* name, const char* mode) {
+-	return 0;
+-}
+-
+ // ----------------------------------------------------------
+ //   TIFF library FreeImage-specific routines.
+ // ----------------------------------------------------------
+diff -rupN FreeImage/Source/FreeImage/PluginWebP.cpp FreeImage-new/Source/FreeImage/PluginWebP.cpp
+--- FreeImage/Source/FreeImage/PluginWebP.cpp	2016-06-15 15:48:12.000000000 +0200
++++ FreeImage-new/Source/FreeImage/PluginWebP.cpp	2018-07-31 23:38:40.531950880 +0200
+@@ -24,9 +24,9 @@
+ 
+ #include "../Metadata/FreeImageTag.h"
+ 
+-#include "../LibWebP/src/webp/decode.h"
+-#include "../LibWebP/src/webp/encode.h"
+-#include "../LibWebP/src/webp/mux.h"
++#include <webp/decode.h>
++#include <webp/encode.h>
++#include <webp/mux.h>
+ 
+ // ==========================================================
+ // Plugin Interface
+diff -rupN FreeImage/Source/FreeImage/PSDParser.cpp FreeImage-new/Source/FreeImage/PSDParser.cpp
+--- FreeImage/Source/FreeImage/PSDParser.cpp	2016-02-11 03:18:02.000000000 +0100
++++ FreeImage-new/Source/FreeImage/PSDParser.cpp	2018-08-01 00:17:18.323822675 +0200
+@@ -133,8 +133,8 @@ public:
+ template <>
+ class PSDGetValue<8> {
+ public:
+-	static inline UINT64 get(const BYTE * iprBuffer) {
+-		UINT64 v = ((const UINT64*)iprBuffer)[0];
++	static inline uint64_t get(const BYTE * iprBuffer) {
++		uint64_t v = ((const uint64_t*)iprBuffer)[0];
+ #ifndef FREEIMAGE_BIGENDIAN
+ 		SwapInt64(&v);
+ #endif
+@@ -147,7 +147,7 @@ public:
+ 
+ // --------------------------------------------------------------------------
+ 
+-static UINT64
++static uint64_t
+ psdReadSize(FreeImageIO *io, fi_handle handle, const psdHeaderInfo& header) {
+ 	if(header._Version == 1) {
+ 		BYTE Length[4];
+@@ -199,11 +199,11 @@ public:
+ template <>
+ class PSDSetValue<8> {
+ public:
+-	static inline void set(const BYTE * iprBuffer, UINT64 v) {
++	static inline void set(const BYTE * iprBuffer, uint64_t v) {
+ #ifndef FREEIMAGE_BIGENDIAN
+ 		SwapInt64(&v);
+ #endif
+-		((UINT64*)iprBuffer)[0] = v;
++		((uint64_t*)iprBuffer)[0] = v;
+ 	}
+ };
+ 
+@@ -213,7 +213,7 @@ public:
+ // --------------------------------------------------------------------------
+ 
+ static inline bool
+-psdWriteSize(FreeImageIO *io, fi_handle handle, const psdHeaderInfo& header, UINT64 v) {
++psdWriteSize(FreeImageIO *io, fi_handle handle, const psdHeaderInfo& header, uint64_t v) {
+ 	if(header._Version == 1) {
+ 		BYTE Length[4];
+ 		psdSetLongValue(Length, sizeof(Length), (DWORD)v);
+@@ -1063,10 +1063,10 @@ unsigned psdParser::GetChannelOffset(FIB
+ bool psdParser::ReadLayerAndMaskInfoSection(FreeImageIO *io, fi_handle handle)	{
+ 	bool bSuccess = true;
+ 
+-	UINT64 nTotalBytes = psdReadSize(io, handle, _headerInfo);
++	uint64_t nTotalBytes = psdReadSize(io, handle, _headerInfo);
+ 
+ 	// Hack to handle large PSB files without using fseeko().
+-	if (sizeof(long) < sizeof(UINT64)) {
++	if (sizeof(long) < sizeof(uint64_t)) {
+ 		const long offset = 0x10000000;
+ 		while (nTotalBytes > offset) {
+ 			if (io->seek_proc(handle, offset, SEEK_CUR) != 0) {
+@@ -1672,7 +1672,7 @@ bool psdParser::WriteLayerAndMaskInfoSec
+ 	// Short section with no layers.
+ 	BYTE IntValue[4];
+ 
+-	UINT64 size;
++	uint64_t size;
+ 	if(_headerInfo._Version == 1) {
+ 		size = 8;
+ 	} else {
+diff -rupN FreeImage/Source/FreeImage/ZLibInterface.cpp FreeImage-new/Source/FreeImage/ZLibInterface.cpp
+--- FreeImage/Source/FreeImage/ZLibInterface.cpp	2015-03-03 23:07:10.000000000 +0100
++++ FreeImage-new/Source/FreeImage/ZLibInterface.cpp	2018-07-31 23:37:58.563953201 +0200
+@@ -19,10 +19,9 @@
+ // Use at your own risk!
+ // ==========================================================
+ 
+-#include "../ZLib/zlib.h"
++#include <zlib.h>
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../ZLib/zutil.h"	/* must be the last header because of error C3163 in VS2008 (_vsnprintf defined in stdio.h) */
+ 
+ /**
+ Compresses a source buffer into a target buffer, using the ZLib library. 
+@@ -115,7 +114,7 @@ FreeImage_ZLibGZip(BYTE *target, DWORD t
+ 			return 0;
+         case Z_OK: {
+             // patch header, setup crc and length (stolen from mod_trace_output)
+-            BYTE *p = target + 8; *p++ = 2; *p = OS_CODE; // xflags, os_code
++            BYTE *p = target + 8; *p++ = 2; *p = 0x03; // xflags, os_code (unix)
+  	        crc = crc32(crc, source, source_size);
+ 	        memcpy(target + 4 + dest_len, &crc, 4);
+ 	        memcpy(target + 8 + dest_len, &source_size, 4);
+diff -rupN FreeImage/Source/FreeImage.h FreeImage-new/Source/FreeImage.h
+--- FreeImage/Source/FreeImage.h	2018-03-25 18:42:20.000000000 +0200
++++ FreeImage-new/Source/FreeImage.h	2018-08-01 00:16:34.704825088 +0200
+@@ -155,8 +155,11 @@ typedef uint8_t BYTE;
+ typedef uint16_t WORD;
+ typedef uint32_t DWORD;
+ typedef int32_t LONG;
++// Disable these, they conflict with the (wrong) ones of libraw
++#if 0
+ typedef int64_t INT64;
+ typedef uint64_t UINT64;
++#endif
+ #else
+ // MS is not C99 ISO compliant
+ typedef long BOOL;
+@@ -410,7 +413,12 @@ FI_ENUM(FREE_IMAGE_FORMAT) {
+ 	FIF_DDS		= 24,
+ 	FIF_GIF     = 25,
+ 	FIF_HDR		= 26,
+-	FIF_FAXG3	= 27,
++/* The G3 fax format plugin is deliberately disabled in the Fedora build of
++   FreeImage as it requires that FreeImage uses a private copy of libtiff
++   which is a no no because of security reasons. */
++#if 0
++ 	FIF_FAXG3	= 27,
++#endif
+ 	FIF_SGI		= 28,
+ 	FIF_EXR		= 29,
+ 	FIF_J2K		= 30,
+@@ -473,6 +481,10 @@ FI_ENUM(FREE_IMAGE_DITHER) {
+ 	FID_BAYER16x16	= 6		//! Bayer ordered dispersed dot dithering (order 4 dithering matrix)
+ };
+ 
++/* The FreeImage_JPEGTransform functions are deliberately disabled in the
++   Fedora build of FreeImage as they require that FreeImage uses a private copy
++   of libjpeg which is a no no because of security reasons. */
++#if 0
+ /** Lossless JPEG transformations
+ Constants used in FreeImage_JPEGTransform
+ */
+@@ -486,6 +498,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
+ 	FIJPEG_OP_ROTATE_180	= 6,	//! 180-degree rotation
+ 	FIJPEG_OP_ROTATE_270	= 7		//! 270-degree clockwise (or 90 ccw)
+ };
++#endif
+ 
+ /** Tone mapping operators.
+ Constants used in FreeImage_ToneMapping.
+@@ -1088,7 +1101,10 @@ DLL_API const char* DLL_CALLCONV FreeIma
+ // --------------------------------------------------------------------------
+ // JPEG lossless transformation routines
+ // --------------------------------------------------------------------------
+-
++/* The FreeImage_JPEGTransform functions are deliberately disabled in the
+++   Fedora build of FreeImage as they require that FreeImage uses a private copy
+++   of libjpeg which is a no no because of security reasons. */
++#if 0
+ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
+ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
+ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom);
+@@ -1097,6 +1113,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEG
+ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
+ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
+ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
++#endif
+ 
+ 
+ // --------------------------------------------------------------------------
+diff -rupN FreeImage/Source/FreeImageToolkit/JPEGTransform.cpp FreeImage-new/Source/FreeImageToolkit/JPEGTransform.cpp
+--- FreeImage/Source/FreeImageToolkit/JPEGTransform.cpp	2015-03-03 23:07:10.000000000 +0100
++++ FreeImage-new/Source/FreeImageToolkit/JPEGTransform.cpp	2018-07-31 23:37:58.563953201 +0200
+@@ -26,10 +26,10 @@ extern "C" {
+ #undef FAR
+ #include <setjmp.h>
+ 
+-#include "../LibJPEG/jinclude.h"
+-#include "../LibJPEG/jpeglib.h"
+-#include "../LibJPEG/jerror.h"
+-#include "../LibJPEG/transupp.h"
++#include <jinclude.h>
++#include <jpeglib.h>
++#include <jerror.h>
++#include <transupp.h>
+ }
+ 
+ #include "FreeImage.h"
+diff -rupN FreeImage/Source/Metadata/TagConversion.cpp FreeImage-new/Source/Metadata/TagConversion.cpp
+--- FreeImage/Source/Metadata/TagConversion.cpp	2018-03-25 12:30:54.000000000 +0200
++++ FreeImage-new/Source/Metadata/TagConversion.cpp	2018-07-31 23:37:58.564953201 +0200
+@@ -30,6 +30,11 @@
+ 
+ #define MAX_TEXT_EXTENT	512
+ 
++// These were in FreeImage.h, but are moved here to avoid conflicts (see note in FreeImage.h)
++typedef int64_t INT64;
++typedef uint64_t UINT64;
++
++
+ /**
+ Convert a tag to a C string
+ */
+diff -rupN FreeImage/Source/Metadata/XTIFF.cpp FreeImage-new/Source/Metadata/XTIFF.cpp
+--- FreeImage/Source/Metadata/XTIFF.cpp	2015-03-03 23:07:10.000000000 +0100
++++ FreeImage-new/Source/Metadata/XTIFF.cpp	2018-07-31 23:37:58.564953201 +0200
+@@ -29,13 +29,18 @@
+ #pragma warning (disable : 4786) // identifier was truncated to 'number' characters
+ #endif
+ 
+-#include "../LibTIFF4/tiffiop.h"
++#include <tiffio.h>
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+ #include "FreeImageTag.h"
+ #include "FIRational.h"
+ 
++extern "C"
++{
++    int _TIFFDataSize(TIFFDataType type);
++}
++
+ // ----------------------------------------------------------
+ //   Extended TIFF Directory GEO Tag Support
+ // ----------------------------------------------------------
+@@ -224,6 +229,33 @@ tiff_write_geotiff_profile(TIFF *tif, FI
+ //   TIFF EXIF tag reading & writing
+ // ----------------------------------------------------------
+ 
++static uint32 exif_tag_ids[] = {
++  EXIFTAG_EXPOSURETIME, EXIFTAG_FNUMBER, EXIFTAG_EXPOSUREPROGRAM,
++  EXIFTAG_SPECTRALSENSITIVITY, EXIFTAG_ISOSPEEDRATINGS, EXIFTAG_OECF,
++  EXIFTAG_EXIFVERSION, EXIFTAG_DATETIMEORIGINAL, EXIFTAG_DATETIMEDIGITIZED,
++  EXIFTAG_COMPONENTSCONFIGURATION, EXIFTAG_COMPRESSEDBITSPERPIXEL,
++  EXIFTAG_SHUTTERSPEEDVALUE, EXIFTAG_APERTUREVALUE,
++  EXIFTAG_BRIGHTNESSVALUE, EXIFTAG_EXPOSUREBIASVALUE,
++  EXIFTAG_MAXAPERTUREVALUE, EXIFTAG_SUBJECTDISTANCE, EXIFTAG_METERINGMODE,
++  EXIFTAG_LIGHTSOURCE, EXIFTAG_FLASH, EXIFTAG_FOCALLENGTH,
++  EXIFTAG_SUBJECTAREA, EXIFTAG_MAKERNOTE, EXIFTAG_USERCOMMENT,
++  EXIFTAG_SUBSECTIME, EXIFTAG_SUBSECTIMEORIGINAL,
++  EXIFTAG_SUBSECTIMEDIGITIZED, EXIFTAG_FLASHPIXVERSION, EXIFTAG_COLORSPACE,
++  EXIFTAG_PIXELXDIMENSION, EXIFTAG_PIXELYDIMENSION,
++  EXIFTAG_RELATEDSOUNDFILE, EXIFTAG_FLASHENERGY,
++  EXIFTAG_SPATIALFREQUENCYRESPONSE, EXIFTAG_FOCALPLANEXRESOLUTION,
++  EXIFTAG_FOCALPLANEYRESOLUTION, EXIFTAG_FOCALPLANERESOLUTIONUNIT,
++  EXIFTAG_SUBJECTLOCATION, EXIFTAG_EXPOSUREINDEX, EXIFTAG_SENSINGMETHOD,
++  EXIFTAG_FILESOURCE, EXIFTAG_SCENETYPE, EXIFTAG_CFAPATTERN,
++  EXIFTAG_CUSTOMRENDERED, EXIFTAG_EXPOSUREMODE, EXIFTAG_WHITEBALANCE,
++  EXIFTAG_DIGITALZOOMRATIO, EXIFTAG_FOCALLENGTHIN35MMFILM,
++  EXIFTAG_SCENECAPTURETYPE, EXIFTAG_GAINCONTROL, EXIFTAG_CONTRAST,
++  EXIFTAG_SATURATION, EXIFTAG_SHARPNESS, EXIFTAG_DEVICESETTINGDESCRIPTION,
++  EXIFTAG_SUBJECTDISTANCERANGE, EXIFTAG_GAINCONTROL, EXIFTAG_GAINCONTROL,
++  EXIFTAG_IMAGEUNIQUEID
++};
++static int nExifTags = sizeof(exif_tag_ids) / sizeof(exif_tag_ids[0]);
++
+ /**
+ Read a single Exif tag
+ 
+@@ -575,45 +607,11 @@ tiff_read_exif_tags(TIFF *tif, TagLib::M
+ 
+ 	// loop over all Core Directory Tags
+ 	// ### uses private data, but there is no other way
++	// -> Fedora: Best we can do without private headers is to hard-code a list of known EXIF tags and read those
+ 	if(md_model == TagLib::EXIF_MAIN) {
+-		const TIFFDirectory *td = &tif->tif_dir;
+-
+-		uint32 lastTag = 0;	//<- used to prevent reading some tags twice (as stored in tif_fieldinfo)
+-
+-		for (int fi = 0, nfi = (int)tif->tif_nfields; nfi > 0; nfi--, fi++) {
+-			const TIFFField *fld = tif->tif_fields[fi];
+-
+-			const uint32 tag_id = TIFFFieldTag(fld);
+-
+-			if(tag_id == lastTag) {
+-				continue;
+-			}
+-
+-			// test if tag value is set
+-			// (lifted directly from LibTiff _TIFFWriteDirectory)
+-
+-			if( fld->field_bit == FIELD_CUSTOM ) {
+-				int is_set = FALSE;
+-
+-				for(int ci = 0; ci < td->td_customValueCount; ci++ ) {
+-					is_set |= (td->td_customValues[ci].info == fld);
+-				}
+-
+-				if( !is_set ) {
+-					continue;
+-				}
+-
+-			} else if(!TIFFFieldSet(tif, fld->field_bit)) {
+-				continue;
+-			}
+-
+-			// process *all* other tags (some will be ignored)
+-
+-			tiff_read_exif_tag(tif, tag_id, dib, md_model);
+-
+-			lastTag = tag_id;
++		for (int i = 0; i < nExifTags; ++i) {
++			tiff_read_exif_tag(tif, exif_tag_ids[i], dib, md_model);
+ 		}
+-
+ 	}
+ 
+ 	return TRUE;
+@@ -723,10 +721,9 @@ tiff_write_exif_tags(TIFF *tif, TagLib::
+ 	
+ 	TagLib& tag_lib = TagLib::instance();
+ 	
+-	for (int fi = 0, nfi = (int)tif->tif_nfields; nfi > 0; nfi--, fi++) {
+-		const TIFFField *fld = tif->tif_fields[fi];
+-		
+-		const uint32 tag_id = TIFFFieldTag(fld);
++	for (int fi = 0; fi < nExifTags; fi++) {
++		const uint32 tag_id = exif_tag_ids[fi];
++		const TIFFField *fld = TIFFFieldWithTag(tif, tag_id);
+ 
+ 		if(skip_write_field(tif, tag_id)) {
+ 			// skip tags that are already handled by the LibTIFF writing process
+diff -rupN FreeImage/Source/Utilities.h FreeImage-new/Source/Utilities.h
+--- FreeImage/Source/Utilities.h	2016-04-11 15:15:32.000000000 +0200
++++ FreeImage-new/Source/Utilities.h	2018-08-01 00:16:29.826825358 +0200
+@@ -446,12 +446,12 @@ SwapLong(DWORD *lp) {
+ }
+  
+ inline void
+-SwapInt64(UINT64 *arg) {
++SwapInt64(uint64_t *arg) {
+ #if defined(_MSC_VER) && _MSC_VER >= 1310
+ 	*arg = _byteswap_uint64(*arg);
+ #else
+ 	union Swap {
+-		UINT64 sv;
++		uint64_t sv;
+ 		DWORD ul[2];
+ 	} tmp, result;
+ 	tmp.sv = *arg;

freeimage.spec

@@ -5,9 +5,9 @@
 
 Name:    freeimage
 Version: 3.18.0
-Release: 3
+Release: 7
 Summary: FreeImage is a library project for developers who would like to support popular graphics image formats (PNG, JPEG, TIFF, BMP and others)
-License: GPLv2 or GPLv3 and FIPL
+License: GPLv2 or GPLv3 and FreeImage
 URL:	 https://freeimage.sourceforge.io/
 Source0: http://downloads.sourceforge.net/freeimage/FreeImage3180.zip
 
@@ -20,6 +20,22 @@ Patch2:         FreeImage_unbundle.patch
 Patch3:         FreeImage_doxygen.patch
 # Fix incorrect variable names in BIGENDIAN blocks
 Patch4:         FreeImage_bigendian.patch
+Patch5:		substream.patch
+# https://sources.debian.org/src/freeimage/3.18.0%2Bds2-10/debian/patches/
+Patch6:         CVE-2020-21427-pre-r1830-minor-refactoring.patch
+Patch7:         CVE-2020-21427-1-r1832-improved-BMP-plugin-when-working-with-malicious-images.patch
+Patch8:         CVE-2020-21428-r1877-improved-DDS-plugin-against-malicious-images.patch
+Patch9:         CVE-2020-21427-2-r1836-improved-BMP-plugin-when-working-with-malicious-images.patch
+Patch10:        CVE-2020-22524-r1848-improved-PFM-plugin-against-malicious-images.patch
+# https://src.fedoraproject.org/rpms/freeimage/tree/f39
+Patch11:        CVE-2020-24292.patch
+Patch12:        CVE-2020-24293.patch
+Patch13:        CVE-2020-24295.patch
+Patch14:        CVE-2021-33367.patch
+Patch15:        CVE-2021-40263.patch
+Patch16:        CVE-2021-40266.patch
+Patch17:        CVE-2023-47995.patch
+Patch18:        CVE-2023-47997.patch
 
 
 BuildRequires:  doxygen  gcc-c++ make jxrlib-devel libjpeg-devel libmng-devel libpng-devel libtiff-devel libwebp-devel LibRaw-devel OpenEXR-devel openjpeg2-devel
@@ -35,12 +51,7 @@ Requires: %{name} = %{version}-%{release}
 FreeImage is a library project for developers who would like to support popular graphics image formats (PNG, JPEG, TIFF, BMP and others). Some highlights are: extremely simple in use, not limited to the local PC (unique FreeImageIO) and Plugin driven!
 
 %prep
-%setup -q -n FreeImage 
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
+%autosetup -p1 -n FreeImage 
 # remove all included libs to make sure these don't get used during compile
 rm -r Source/Lib* Source/ZLib Source/OpenEXR
 
@@ -109,6 +120,19 @@ ldconfig -n %{buildroot}%{_libdir}
 
 
 %changelog
+* Wed Oct 23 2024 wangkai <13474090681@163.com> - 3.18.0-7
+- Fix CVE-2020-24292 CVE-2020-24293 CVE-2020-24295 CVE-2021-33367
+  CVE-2021-40263 CVE-2021-40266 CVE-2023-47995 CVE-2023-47997
+
+* Mon Aug 19 2024 xu_ping <707078654@qq.com> - 3.18.0-6
+- License compliance rectification.
+
+* Mon Dec 04 2023 wangkai <13474090681@163.com> - 3.18.0-5
+- Fix CVE-2020-21427,CVE-2020-21428,CVE-2020-22524
+
+* Tue Dec 15 2020 Senlin <xiasenlin1@huawei.com> -3.18.0-4
+- Rebuild for new LibRaw
+
 * Mon Nov 09 2020 weidong <weidong@uniontech.com>
 - Unbundle bundled libraries
 - Fix incorrect path in doxyfile

substream.patch

@@ -0,0 +1,57 @@
+--- a/Source/FreeImage/PluginRAW.cpp~	2020-05-08 08:27:31.000000000 -0500
++++ a/Source/FreeImage/PluginRAW.cpp	2020-05-08 08:47:09.011816310 -0500
+@@ -63,17 +63,17 @@
+ 	}
+ 
+     int read(void *buffer, size_t size, size_t count) { 
+-		if(substream) return substream->read(buffer, size, count);
++		//if(substream) return substream->read(buffer, size, count);
+ 		return _io->read_proc(buffer, (unsigned)size, (unsigned)count, _handle);
+ 	}
+ 
+     int seek(INT64 offset, int origin) { 
+-        if(substream) return substream->seek(offset, origin);
++        //if(substream) return substream->seek(offset, origin);
+ 		return _io->seek_proc(_handle, (long)offset, origin);
+ 	}
+ 
+     INT64 tell() { 
+-		if(substream) return substream->tell();
++		//if(substream) return substream->tell();
+         return _io->tell_proc(_handle);
+     }
+ 	
+@@ -83,13 +83,13 @@
+ 
+     int get_char() { 
+ 		int c = 0;
+-		if(substream) return substream->get_char();
++		//if(substream) return substream->get_char();
+ 		if(!_io->read_proc(&c, 1, 1, _handle)) return -1;
+ 		return c;
+    }
+ 	
+ 	char* gets(char *buffer, int length) { 
+-		if (substream) return substream->gets(buffer, length);
++		//if (substream) return substream->gets(buffer, length);
+ 		memset(buffer, 0, length);
+ 		for(int i = 0; i < length; i++) {
+ 			if(!_io->read_proc(&buffer[i], 1, 1, _handle))
+@@ -104,7 +104,7 @@
+ 		std::string buffer;
+ 		char element = 0;
+ 		bool bDone = false;
+-		if(substream) return substream->scanf_one(fmt,val);				
++		//if(substream) return substream->scanf_one(fmt,val);				
+ 		do {
+ 			if(_io->read_proc(&element, 1, 1, _handle) == 1) {
+ 				switch(element) {
+@@ -127,7 +127,7 @@
+ 	}
+ 
+ 	int eof() { 
+-		if(substream) return substream->eof();
++		//if(substream) return substream->eof();
+         return (_io->tell_proc(_handle) >= _eof);
+     }
+