From 820eb4f3a698ae7477f1338bade0536de909a58c Mon Sep 17 00:00:00 2001
From: Pol Dellaiera
Date: Tue, 1 Oct 2024 09:19:35 +0200
Subject: [PATCH 1/2] jbigkit: add patch to fix security issue CVE-2017-9937
---
 pkgs/development/libraries/jbigkit/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/jbigkit/default.nix b/pkgs/development/libraries/jbigkit/default.nix
index 8678cde4370a..6d4647fb583c 100644
--- a/pkgs/development/libraries/jbigkit/default.nix
+++ b/pkgs/development/libraries/jbigkit/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl }:
+{ lib, stdenv, fetchurl, fetchpatch }:
 
 stdenv.mkDerivation rec {
 pname = "jbigkit";
@@ -9,6 +9,14 @@ stdenv.mkDerivation rec {
 sha256 = "0cnrcdr1dwp7h7m0a56qw09bv08krb37mpf7cml5sjdgpyv0cwfy";
 };
 
+ patches = [
+ # Archlinux patch: this helps users to reduce denial-of-service risks, as in CVE-2017-9937
+ (fetchpatch {
+ url = "https://gitlab.archlinux.org/archlinux/packaging/packages/jbigkit/-/raw/main/0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch";
+ hash = "sha256-Yq5qCTF7KZTrm4oeWbpctb+QLt3shJUGEReZvd0ey9k=";
+ })
+ ];
+
 makeFlags = [
 "CC=${stdenv.cc}/bin/${stdenv.cc.targetPrefix}cc"
 "AR=${lib.getBin stdenv.cc.bintools.bintools}/bin/${stdenv.cc.targetPrefix}ar"
From 0115bf0f8090f1a9d09fe0faa239b580e49a00d9 Mon Sep 17 00:00:00 2001
From: Pol Dellaiera
Date: Thu, 3 Oct 2024 14:40:44 +0200
Subject: [PATCH 2/2] jbigkit: add Archlinux patch to fix heap overflow issue
---
 pkgs/development/libraries/jbigkit/default.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkgs/development/libraries/jbigkit/default.nix b/pkgs/development/libraries/jbigkit/default.nix
index 6d4647fb583c..00c284c8bc9e 100644
--- a/pkgs/development/libraries/jbigkit/default.nix
+++ b/pkgs/development/libraries/jbigkit/default.nix
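Review bot: The new `url =` line in the `patches` hunk fetches the Arch patch from the mutable `main` branch (`/-/raw/main/…`), so the build starts failing the moment Arch edits, renumbers or drops `0013-…patch`, and the URL no longer identifies which revision was actually reviewed; the `hash` keeps the fetched bytes from changing silently, so this is a reproducibility and availability problem rather than an integrity one, but the usual nixpkgs practice is to pin such fetchpatch URLs to a commit, e.g. `url = "https://gitlab.archlinux.org/archlinux/packaging/packages/jbigkit/-/raw/<commit-sha>/0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch";`. The added comment also leaves the important nuance implicit: judging by the patch filename it adds a maxmem cap on the decoded image size, i.e. a mitigation against memory-exhaustion denial of service, which matches the comment's "reduce denial-of-service risks" but not the commit subject's "fix security issue", so I would make the comment say that outright, e.g. `# Archlinux patch: cap the maximum decoded image size (maxmem) to mitigate memory-exhaustion DoS, cf. CVE-2017-9937`, so nobody later reads this entry as closing a memory-safety bug. The `stdenv.mkDerivation rec {` attribute set this hunk edits starts and ends outside the hunk.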
@@ -15,6 +15,11 @@ stdenv.mkDerivation rec {
 url = "https://gitlab.archlinux.org/archlinux/packaging/packages/jbigkit/-/raw/main/0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch";
 hash = "sha256-Yq5qCTF7KZTrm4oeWbpctb+QLt3shJUGEReZvd0ey9k=";
 })
+ # Archlinux patch: fix heap overflow
+ (fetchpatch {
+ url = "https://gitlab.archlinux.org/archlinux/packaging/packages/jbigkit/-/raw/main/0015-jbg_newlen-check-for-end-of-file-within-MARKER_NEWLE.patch";
+ hash = "sha256-F3qA/btR9D9NfzrNY76X4Z6vG6NrisI36SjCDjS+F5s=";
+ })
 ];
 
 makeFlags = [
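Review bot: The new comment `# Archlinux patch: fix heap overflow` gives no location, trigger or reference, so whoever next audits jbigkit cannot tell what this entry covers or whether a later upstream release supersedes it; the patch filename suggests it makes `jbg_newlen` check for end of input while parsing a MARKER_NEWLEN segment, so I would write `# Archlinux patch: jbg_newlen(): check for end of input inside a MARKER_NEWLEN segment (heap overflow on truncated/malformed input)` and add the Arch or upstream bug reference if one exists — none is given in this commit, and no CVE is cited. The same concern as the first patch applies to the new `url =` line: `/-/raw/main/` is a moving target and should be pinned to a commit so the fixed-output fetch does not break when Arch reshuffles its patch series; the `hash` guards integrity but not availability. The enclosing `patches` list and the `mkDerivation` body both start outside the hunk.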