libwmf: Apply two patches from Fedora to address known issues

CVE-2006-3376, CVE-2009-1364

4 files changed, 52 insertions, 2 deletions

diff --git a/recipes/libwmf/files/libwmf-0.2.8.4-intoverflow.patch b/recipes/libwmf/files/libwmf-0.2.8.4-intoverflow.patch
new file mode 100644
index 0000000000..50d915c010
--- /dev/null
+++ b/recipes/libwmf/files/libwmf-0.2.8.4-intoverflow.patch
@@ -0,0 +1,31 @@
+http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log
+
+CVE-2006-3376 libwmf integer overflow
+
+--- libwmf-0.2.8.4.orig/src/player.c	2002-12-10 19:30:26.000000000 +0000
++++ libwmf-0.2.8.4/src/player.c	2006-07-12 15:12:52.000000000 +0100
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings               */
+ #include "player/record.h"   /* Provides: parameter mechanism            */
+ #include "player/meta.h"     /* Provides: record interpreters            */
++#include <stdint.h>
+ 
+ /**
+  * @internal
+@@ -132,8 +134,14 @@
+ 		}
+ 	}
+ 
+-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++	if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++	{
++		API->err = wmf_E_InsMem;
++		WMF_DEBUG (API,"bailing...");
++		return (API->err);
++	}
++	
++ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");
diff --git a/recipes/libwmf/files/libwmf-0.2.8.4-useafterfree.patch b/recipes/libwmf/files/libwmf-0.2.8.4-useafterfree.patch
new file mode 100644
index 0000000000..4d2d285641
--- /dev/null
+++ b/recipes/libwmf/files/libwmf-0.2.8.4-useafterfree.patch
@@ -0,0 +1,14 @@
+
+http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-useafterfree.patch?view=log
+Resolves: CVE-2009-1364
+
+--- libwmf-0.2.8.4/src/extra/gd/gd_clip.c.CVE-2009-1364-im-clip-list	2009-04-24 04:06:44.000000000 -0400
++++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c	2009-04-24 04:08:30.000000000 -0400
+@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRe
+ 	{	more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+ 		if (more == 0) return;
+ 		im->clip->max += 8;
++                im->clip->list = more;
+ 	}
+ 	im->clip->list[im->clip->count] = (*rect);
+ 	im->clip->count++;
diff --git a/recipes/libwmf/libwmf-native_0.2.8.4.bb b/recipes/libwmf/libwmf-native_0.2.8.4.bb
index a33461fcdb..4b7c2259b6 100644
--- a/recipes/libwmf/libwmf-native_0.2.8.4.bb
+++ b/recipes/libwmf/libwmf-native_0.2.8.4.bb
@@ -1,4 +1,6 @@
 require libwmf_0.2.8.4.bb
 inherit native
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/libwmf/${PV}/libwmf-${PV}.tar.gz;name=tarball"
+SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/${PN}/${PV}/libwmf-${PV}.tar.gz;name=tarball \
+           file://libwmf-0.2.8.4-intoverflow.patch;patch=1                   \
+           file://libwmf-0.2.8.4-useafterfree.patch;patch=1"
diff --git a/recipes/libwmf/libwmf_0.2.8.4.bb b/recipes/libwmf/libwmf_0.2.8.4.bb
index fc02940eb3..37e69e3a2b 100644
--- a/recipes/libwmf/libwmf_0.2.8.4.bb
+++ b/recipes/libwmf/libwmf_0.2.8.4.bb
@@ -1,6 +1,8 @@
 inherit autotools_stage
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/${PN}/${PV}/${P}.tar.gz;name=tarball"
+SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/${PN}/${PV}/${P}.tar.gz;name=tarball \
+           file://libwmf-0.2.8.4-intoverflow.patch;patch=1                   \
+           file://libwmf-0.2.8.4-useafterfree.patch;patch=1"
 SRC_URI[tarball.md5sum] = "d1177739bf1ceb07f57421f0cee191e0"
 SRC_URI[tarball.sha256sum] = "5b345c69220545d003ad52bfd035d5d6f4f075e65204114a9e875e84895a7cf8"
 
@@ -10,3 +12,4 @@ LICENSE = "GPL-2"
 
 SECTION = "libs"
 
+PR="r1"