From 576a97a0d0574af262e89ff2f3332a8493977d09 Mon Sep 17 00:00:00 2001
From: ash
Date: Sun, 26 Jun 2022 14:50:43 +0100
Subject: [PATCH] xcftools: patch CVE-2019-5086 and CVE-2019-5087

---
 pkgs/tools/graphics/xcftools/default.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/graphics/xcftools/default.nix b/pkgs/tools/graphics/xcftools/default.nix
index e83e3c13ae3f..7b3d45421291 100644
--- a/pkgs/tools/graphics/xcftools/default.nix
+++ b/pkgs/tools/graphics/xcftools/default.nix
@@ -1,4 +1,4 @@
-{lib, stdenv, fetchurl, libpng, perl, gettext }:
+{lib, stdenv, fetchpatch, fetchurl, libpng, perl, gettext }:

 stdenv.mkDerivation rec {
 pname = "xcftools";
@@ -11,7 +11,15 @@ stdenv.mkDerivation rec {

 buildInputs = [ libpng perl gettext ];

- patchPhase = ''
+ patches = [
+ (fetchpatch {
+ name = "CVE-2019-5086.CVE-2019-5087.patch";
+ url = "https://github.com/gladk/xcftools/commit/59c38e3e45b9112c2bcb4392bccf56e297854f8a.patch";
+ sha256 = "sha256-a1Biv6viXzTSaLDzinOyu0HdDTUPsKITsdKu9B9Y8GE=";
+ })
+ ];
+
+ postPatch = ''
 # Required if building with libpng-1.6, innocuous otherwise
 substituteInPlace xcf2png.c \
 --replace png_voidp_NULL NULL \
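Review bot: The `fetchpatch` entry added to `patches` in the second hunk pulls the CVE fix from the `gladk/xcftools` repository, and nothing in the hunk records how that repository relates to the source this derivation builds (the `src` attribute lies outside the hunk). A one-line comment above the entry would keep that provenance with the package, for example `# CVE-2019-5086 / CVE-2019-5087: fix taken from gladk/xcftools, not part of the src release (TODO confirm)`. The URL pins a full commit id and the SRI hash fixes the fetched content, so the remaining check is reading the referenced commit to confirm it covers both CVEs, which this diff alone cannot show. The derivation body continues past the end of the hunk.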