graphicsmagick: patch for CVE-2017-6335

pkgs/applications/graphics/graphicsmagick/cmyka-bounds.patch

@@ -0,0 +1,36 @@
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1487905610 21600
+# Node ID 6156b4c2992d855ece6079653b3b93c3229fc4b8
+# Parent  0392c4305a4369984ec8069055acc470c0a73647
+Fix out of bounds access when reading CMYKA tiff which claims wrong samples/pixel.
+
+diff -r 0392c4305a43 -r 6156b4c2992d coders/tiff.c
+--- a/coders/tiff.c	Sun Jan 29 10:04:57 2017 -0600
++++ b/coders/tiff.c	Thu Feb 23 21:06:50 2017 -0600
+@@ -1230,8 +1230,8 @@
+                   case 0:
+                     if (samples_per_pixel == 1)
+                       *quantum_type=GrayQuantum;
+-                      else
+-                        *quantum_type=RedQuantum;
++                    else
++                      *quantum_type=RedQuantum;
+                     break;
+                   case 1:
+                     *quantum_type=GreenQuantum;
+@@ -1411,12 +1411,12 @@
+               }
+             else
+               {
+-                if (image->matte)
++                if (image->matte && samples_per_pixel >= 5)
+                   {
+                     *quantum_type=CMYKAQuantum;
+                     *quantum_samples=5;
+                   }
+-                else
++                else if (samples_per_pixel >= 4)
+                   {
+                     *quantum_type=CMYKQuantum;
+                     *quantum_samples=4;

pkgs/applications/graphics/graphicsmagick/default.nix

@@ -42,6 +42,7 @@ stdenv.mkDerivation {
       url = "https://sources.debian.net/data/main/g/graphicsmagick/1.3.25-7/debian/patches/CVE-2016-9830.patch";
       sha256 = "0qh15sd7nx7vf9sld4453iml951bwsx2fx84hxc7plhds2k3gjpa";
     })
+    ./cmyka-bounds.patch
   ];
 
   configureFlags = [