diff options
| author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-03-15 12:36:17 +0800 |
|---|---|---|
| committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-03-15 12:38:59 +0800 |
| commit | 727ac89c81f9284667acd6e820204e2bad8ccc73 (patch) | |
| tree | 732421b6760fb63c8408a13c149291f6ba195f06 /recipes/libwmf/files | |
| parent | 9e45884d6991cf7264a36966684a4240bde29f71 (diff) | |
libwmf: Apply two patches from Fedora to address known issues
CVE-2006-3376, CVE-2009-1364
Diffstat (limited to 'recipes/libwmf/files')
| -rw-r--r-- | recipes/libwmf/files/libwmf-0.2.8.4-intoverflow.patch | 31 | ||||
| -rw-r--r-- | recipes/libwmf/files/libwmf-0.2.8.4-useafterfree.patch | 14 |
2 files changed, 45 insertions, 0 deletions
diff --git a/recipes/libwmf/files/libwmf-0.2.8.4-intoverflow.patch b/recipes/libwmf/files/libwmf-0.2.8.4-intoverflow.patch new file mode 100644 index 0000000000..50d915c010 --- /dev/null +++ b/recipes/libwmf/files/libwmf-0.2.8.4-intoverflow.patch @@ -0,0 +1,31 @@ +http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log + +CVE-2006-3376 libwmf integer overflow + +--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000 ++++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100 +@@ -42,6 +42,7 @@ + #include "player/defaults.h" /* Provides: default settings */ + #include "player/record.h" /* Provides: parameter mechanism */ + #include "player/meta.h" /* Provides: record interpreters */ ++#include <stdint.h> + + /** + * @internal +@@ -132,8 +134,14 @@ + } + } + +-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); +- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); ++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2) ++ { ++ API->err = wmf_E_InsMem; ++ WMF_DEBUG (API,"bailing..."); ++ return (API->err); ++ } ++ ++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); + + if (ERR (API)) + { WMF_DEBUG (API,"bailing..."); diff --git a/recipes/libwmf/files/libwmf-0.2.8.4-useafterfree.patch b/recipes/libwmf/files/libwmf-0.2.8.4-useafterfree.patch new file mode 100644 index 0000000000..4d2d285641 --- /dev/null +++ b/recipes/libwmf/files/libwmf-0.2.8.4-useafterfree.patch @@ -0,0 +1,14 @@ + +http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-useafterfree.patch?view=log +Resolves: CVE-2009-1364 + +--- libwmf-0.2.8.4/src/extra/gd/gd_clip.c.CVE-2009-1364-im-clip-list 2009-04-24 04:06:44.000000000 -0400 ++++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c 2009-04-24 04:08:30.000000000 -0400 +@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRe + { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle)); + if (more == 0) return; + im->clip->max += 8; ++ im->clip->list = more; + } + im->clip->list[im->clip->count] = (*rect); + im->clip->count++; |