Date: Wednesday, December 21, 2016 @ 20:41:17
Author: anthraxx
Revision: 284392
upgpkg: libwmf 0.2.8.4-14 (security fixes)
FS#49162
Added:
libwmf/trunk/libwmf-0.2.8.4-CAN-2004-0941.patch
libwmf/trunk/libwmf-0.2.8.4-CVE-2007-0455.patch
libwmf/trunk/libwmf-0.2.8.4-CVE-2007-2756.patch
libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3472.patch
libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3473.patch
libwmf/trunk/libwmf-0.2.8.4-CVE-2007-3477.patch
libwmf/trunk/libwmf-0.2.8.4-CVE-2009-3546.patch
libwmf/trunk/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4695.patch
libwmf/trunk/libwmf-0.2.8.4-CVE-2015-4696.patch
libwmf/trunk/libwmf-0.2.8.4-CVE-2016-9011.patch
libwmf/trunk/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
libwmf/trunk/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
Modified:
libwmf/trunk/PKGBUILD
Deleted:
libwmf/trunk/libwmf-0.2.8.4-useafterfree.patch
--------------------------------------------------+
PKGBUILD | 45 +++++++-
libwmf-0.2.8.4-CAN-2004-0941.patch | 17 +++
libwmf-0.2.8.4-CVE-2007-0455.patch | 11 +
libwmf-0.2.8.4-CVE-2007-2756.patch | 16 ++
libwmf-0.2.8.4-CVE-2007-3472.patch | 59 ++++++++++
libwmf-0.2.8.4-CVE-2007-3473.patch | 13 ++
libwmf-0.2.8.4-CVE-2007-3477.patch | 38 ++++++
libwmf-0.2.8.4-CVE-2009-3546.patch | 13 ++
libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch | 118 +++++++++++++++++++++
libwmf-0.2.8.4-CVE-2015-4695.patch | 56 +++++++++
libwmf-0.2.8.4-CVE-2015-4696.patch | 23 ++++
libwmf-0.2.8.4-CVE-2016-9011.patch | 36 ++++++
libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch | 27 ++++
libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch | 10 +
libwmf-0.2.8.4-useafterfree.patch | 10 -
15 files changed, 478 insertions(+), 14 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2016-12-21 19:11:44 UTC (rev 284391)
+++ PKGBUILD 2016-12-21 20:41:17 UTC (rev 284392)
@@ -3,7 +3,7 @@
pkgname=libwmf
pkgver=0.2.8.4
-pkgrel=13
+pkgrel=14
pkgdesc="A library for reading vector images in Microsoft's native Windows
Metafile Format (WMF)"
arch=('i686' 'x86_64')
url="http://wvware.sourceforge.net/libwmf.html";
@@ -13,15 +13,52 @@
optdepends=('gdk-pixbuf2: for pixbuf loader')
options=('!docs' '!emptydirs')
source=(http://downloads.sourceforge.net/sourceforge/wvware/${pkgname}-${pkgver}.tar.gz
- libwmf-0.2.8.4-libpng-1.5.patch libwmf-0.2.8.4-useafterfree.patch)
+ libwmf-0.2.8.4-libpng-1.5.patch
+ libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
+ libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
+ libwmf-0.2.8.4-CAN-2004-0941.patch
+ libwmf-0.2.8.4-CVE-2007-0455.patch
+ libwmf-0.2.8.4-CVE-2007-2756.patch
+ libwmf-0.2.8.4-CVE-2007-3472.patch
+ libwmf-0.2.8.4-CVE-2007-3473.patch
+ libwmf-0.2.8.4-CVE-2007-3477.patch
+ libwmf-0.2.8.4-CVE-2009-3546.patch
+ libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
+ libwmf-0.2.8.4-CVE-2015-4695.patch
+ libwmf-0.2.8.4-CVE-2015-4696.patch
+ libwmf-0.2.8.4-CVE-2016-9011.patch)
sha1sums=('822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89'
'42aa4c2a82e4e14044c875a7f439baea732a355a'
- 'ea6d28880840e86c96f9079bfd591da54dcffa5c')
+ 'ea6d28880840e86c96f9079bfd591da54dcffa5c'
+ '6f130ea9f639ccf88fef0fda74cf9fa3956f81b5'
+ '2f8a46698dac6d5f5c3109cb56ad675ff1efaee0'
+ '380d59744f174e12d4ba4f5cb63f14b6092850fa'
+ '45ae37f79b351fe738212caa3a3c61c9b6fa2d5b'
+ '1836f07750d3a8b4dd6354660875436b0e5c3b07'
+ 'c778b89445f621fd5e44b0bbf9d441cceea90d6c'
+ 'd0a6fefedd327f99c3ca1c2f7f19adddc2cef50a'
+ '83f32dac05c1492eef1e652c553a5ffc80a3e656'
+ '5608d0565890f2f89435bc13ad57279900ed83b4'
+ '408cfff29160b037b8baa26b4647e02f373b8b85'
+ 'e250f5ecefde4bf5c06f7fbc562566ce64204f2a'
+ '9f8670ef0b4862bb84aecc582bfbec45573a8831')
prepare() {
cd ${pkgname}-${pkgver}
patch -p1 -i "${srcdir}/libwmf-0.2.8.4-libpng-1.5.patch"
- patch -p1 -i "${srcdir}/libwmf-0.2.8.4-useafterfree.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CAN-2004-0941.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-0455.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-2756.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3472.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3473.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3477.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2009-3546.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-4695.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-4696.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2016-9011.patch"
}
build() {
Added: libwmf-0.2.8.4-CAN-2004-0941.patch
===================================================================
--- libwmf-0.2.8.4-CAN-2004-0941.patch (rev 0)
+++ libwmf-0.2.8.4-CAN-2004-0941.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -0,0 +1,17 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824
-0500
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960
-0500
+@@ -188,6 +188,14 @@
+
+ png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
++ if (overflow2(sizeof (int), width))
++ {
++ return NULL;
++ }
++ if (overflow2(sizeof (int) * width, height))
++ {
++ return NULL;
++ }
+ if ((color_type == PNG_COLOR_TYPE_RGB) ||
+ (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+ {
Added: libwmf-0.2.8.4-CVE-2007-0455.patch
===================================================================
--- libwmf-0.2.8.4-CVE-2007-0455.patch (rev 0)
+++ libwmf-0.2.8.4-CVE-2007-0455.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -0,0 +1,11 @@
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ {
+ ch = c & 0xFF; /* don't extend sign */
+ }
+- next++;
++ if (*next) next++;
+ }
+ else
+ {
Added: libwmf-0.2.8.4-CVE-2007-2756.patch
===================================================================
--- libwmf-0.2.8.4-CVE-2007-2756.patch (rev 0)
+++ libwmf-0.2.8.4-CVE-2007-2756.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -0,0 +1,16 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000
1.21.2.1
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ png_bytep data, png_size_t length)
+ {
+- gdGetBuf (data, length, (gdIOCtx *)
+- png_get_io_ptr (png_ptr));
++ int check;
++ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++ if (check != length) {
++ png_error(png_ptr, "Read Error: truncated data");
++ }
+ }
+
+ static void
Added: libwmf-0.2.8.4-CVE-2007-3472.patch
===================================================================
--- libwmf-0.2.8.4-CVE-2007-3472.patch (rev 0)
+++ libwmf-0.2.8.4-CVE-2007-3472.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -0,0 +1,59 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+ gdImagePtr im;
+ unsigned long cpa_size;
+
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (int *), sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof(int), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ if (im == 0) return 0;
+ memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000
+0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000
+0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+
+@@ -94,3 +95,18 @@
+ {
+ free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++ if(a < 0 || b < 0) {
++ fprintf(stderr, "gd warning: one parameter to a memory
allocation multiplication is negative, failing operation gracefully\n");
++ return 1;
++ }
++ if(b == 0)
++ return 0;
++ if(a > INT_MAX / b) {
++ fprintf(stderr, "gd warning: product of memory allocation
multiplication would exceed INT_MAX, failing operation gracefully\n");
++ return 1;
++ }
++ return 0;
++}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000
+0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000
+0000
+@@ -15,4 +15,6 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */
Added: libwmf-0.2.8.4-CVE-2007-3473.patch
===================================================================
--- libwmf-0.2.8.4-CVE-2007-3473.patch (rev 0)
+++ libwmf-0.2.8.4-CVE-2007-3473.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+ }
+ bytes = (w * h / 8) + 1;
+ im = gdImageCreate (w, h);
++ if (!im) {
++ return 0;
++ }
++
+ gdImageColorAllocate (im, 255, 255, 255);
+ gdImageColorAllocate (im, 0, 0, 0);
+ x = 0;
Added: libwmf-0.2.8.4-CVE-2007-3477.patch
===================================================================
--- libwmf-0.2.8.4-CVE-2007-3477.patch (rev 0)
+++ libwmf-0.2.8.4-CVE-2007-3477.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -0,0 +1,38 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+ int w2, h2;
+ w2 = w / 2;
+ h2 = h / 2;
+- while (e < s)
+- {
+- e += 360;
+- }
++
++ if ((s % 360) == (e % 360)) {
++ s = 0; e = 360;
++ } else {
++ if (s > 360) {
++ s = s % 360;
++ }
++
++ if (e > 360) {
++ e = e % 360;
++ }
++
++ while (s < 0) {
++ s += 360;
++ }
++
++ while (e < s) {
++ e += 360;
++ }
++
++ if (s == e) {
++ s = 0; e = 360;
++ }
++ }
++
+ for (i = s; (i <= e); i++)
+ {
+ int x, y;
Added: libwmf-0.2.8.4-CVE-2009-3546.patch
===================================================================
--- libwmf-0.2.8.4-CVE-2009-3546.patch (rev 0)
+++ libwmf-0.2.8.4-CVE-2009-3546.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000
+0000
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000
+0000
+@@ -42,6 +42,10 @@
+ {
+ goto fail1;
+ }
++ if (&im->colorsTotal > gdMaxColors)
++ {
++ goto fail1;
++ }
+ }
+ /* Int to accommodate truecolor single-color transparency */
+ if (!gdGetInt (&im->transparent, in))
Added: libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
===================================================================
--- libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
(rev 0)
+++ libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch 2016-12-21 20:41:17 UTC
(rev 284392)
@@ -0,0 +1,118 @@
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
+@@ -859,7 +859,7 @@
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int
compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int
compression,unsigned char* pixels)
+ { int byte;
+ int count;
+ int i;
+@@ -870,12 +870,14 @@
+ U32 u;
+
+ unsigned char* q;
++ unsigned char* end;
+
+ for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u]
= 0;
+
+ byte = 0;
+ x = 0;
+ q = pixels;
++ end = pixels + bmp->width * bmp->height;
+
+ for (y = 0; y < bmp->height; )
+ { count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@
+ { /* Encoded mode. */
+ byte = ReadBlobByte (src);
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = (unsigned char) byte;
+ }
+ else
+@@ -896,13 +901,15 @@
+ else
+ { /* Escape mode. */
+ count = ReadBlobByte (src);
+- if (count == 0x01) return;
++ if (count == 0x01) return 1;
+ switch (count)
+ {
+ case 0x00:
+ { /* End of line. */
+ x = 0;
+ y++;
++ if (y >= bmp->height)
++ return 0;
+ q = pixels + y * bmp->width;
+ break;
+ }
+@@ -910,13 +917,20 @@
+ { /* Delta mode. */
+ x += ReadBlobByte (src);
+ y += ReadBlobByte (src);
++ if (y >= bmp->height)
++ return 0;
++ if (x >= bmp->width)
++ return 0;
+ q = pixels + y * bmp->width + x;
+ break;
+ }
+ default:
+ { /* Absolute mode. */
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = ReadBlobByte (src);
+ }
+ else
+@@ -943,7 +957,7 @@
+ byte = ReadBlobByte (src); /* end of line */
+ byte = ReadBlobByte (src);
+
+- return;
++ return 1;
+ }
+
+ /*
+@@ -1143,8 +1157,18 @@
+ }
+ }
+ else
+- { /* Convert run-length encoded raster pixels. */
+- DecodeImage (API,bmp,src,(unsigned int)
bmp_info.compression,data->image);
++ {
++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length
encoded raster pixels. */
++ {
++ if (!DecodeImage (API,bmp,src,(unsigned int)
bmp_info.compression,data->image))
++ { WMF_ERROR (API,"corrupt bmp");
++ API->err = wmf_E_BadFormat;
++ }
++ }
++ else
++ { WMF_ERROR (API,"Unexpected pixel depth");
++ API->err = wmf_E_BadFormat;
++ }
+ }
+
+ if (ERR (API))
+--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
+@@ -48,7 +48,7 @@
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long ReadBlobLSBLong (BMPSource*);
+ static long TellBlob (BMPSource*);
+-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned
int,unsigned char*);
++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned
int,unsigned char*);
+ static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned
int,unsigned int);
+ static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned
char,unsigned int,unsigned int);
Added: libwmf-0.2.8.4-CVE-2015-4695.patch
===================================================================
--- libwmf-0.2.8.4-CVE-2015-4695.patch (rev 0)
+++ libwmf-0.2.8.4-CVE-2015-4695.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -0,0 +1,56 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
Added: libwmf-0.2.8.4-CVE-2015-4696.patch
===================================================================
--- libwmf-0.2.8.4-CVE-2015-4696.patch (rev 0)
+++ libwmf-0.2.8.4-CVE-2015-4696.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -0,0 +1,23 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -2585,6 +2585,8 @@
+ polyrect.BR[i] = clip->rects[i].BR;
+ }
+
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
++
+ wmf_free (API,polyrect.TL);
+ wmf_free (API,polyrect.BR);
+ }
+@@ -2593,9 +2595,10 @@
+ polyrect.BR = 0;
+
+ polyrect.count = 0;
++
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
+ }
+
+- if (FR->region_clip) FR->region_clip (API,&polyrect);
+
+ return (changed);
+ }
Added: libwmf-0.2.8.4-CVE-2016-9011.patch
===================================================================
--- libwmf-0.2.8.4-CVE-2016-9011.patch (rev 0)
+++ libwmf-0.2.8.4-CVE-2016-9011.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -0,0 +1,36 @@
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+-
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) )
* 2 * sizeof (unsigned char));
++
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
Added: libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
===================================================================
--- libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
(rev 0)
+++ libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch 2016-12-21 20:41:17 UTC
(rev 284392)
@@ -0,0 +1,27 @@
+--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000
++++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings */
+ #include "player/record.h" /* Provides: parameter mechanism */
+ #include "player/meta.h" /* Provides: record interpreters */
++#include <stdint.h>
+
+ /**
+ * @internal
+@@ -132,8 +134,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3)
* 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) )
* 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) )
* 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
Added: libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
===================================================================
--- libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
(rev 0)
+++ libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch 2016-12-21 20:41:17 UTC
(rev 284392)
@@ -0,0 +1,10 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_clip.c.CVE-2009-1364-im-clip-list
2009-04-24 04:06:44.000000000 -0400
++++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c 2009-04-24 04:08:30.000000000
-0400
+@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRe
+ { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof
(gdClipRectangle));
+ if (more == 0) return;
+ im->clip->max += 8;
++ im->clip->list = more;
+ }
+ im->clip->list[im->clip->count] = (*rect);
+ im->clip->count++;
Deleted: libwmf-0.2.8.4-useafterfree.patch
===================================================================
--- libwmf-0.2.8.4-useafterfree.patch 2016-12-21 19:11:44 UTC (rev 284391)
+++ libwmf-0.2.8.4-useafterfree.patch 2016-12-21 20:41:17 UTC (rev 284392)
@@ -1,10 +0,0 @@
---- libwmf-0.2.8.4/src/extra/gd/gd_clip.c.CVE-2009-1364-im-clip-list
2009-04-24 04:06:44.000000000 -0400
-+++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c 2009-04-24 04:08:30.000000000
-0400
-@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRe
- { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof
(gdClipRectangle));
- if (more == 0) return;
- im->clip->max += 8;
-+ im->clip->list = more;
- }
- im->clip->list[im->clip->count] = (*rect);
- im->clip->count++;
