On Tue, 25 Oct 2016 22:10:34 +0200 Salvatore Bonaccorso
<[email protected]> wrote:
> Hi,
>
> the following vulnerability was published for libwmf. Opening the bug
> to track the issue in the Debian BTS.
>
> CVE-2016-9011[0]:
> memory allocation failure in wmf_malloc (api.c)
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9011
Fedora has already released a fix, which I have updated for Debian.
Please see it in the attached patch.
Origin per Fedora package's [1] changelog:
* Wed Oct 26 2016 Caolán McNamara <[email protected]> - 0.2.8.4-49
- Resolves: rhbz#1388451 (CVE-2016-9011) check max claimed record len
against max seekable position
Cheers,
Balint
[1] http://koji.fedoraproject.org/koji/buildinfo?buildID=812787
--- ./src/player.c.orig 2016-10-27 23:17:53.076604344 +0200
+++ ./src/player.c 2016-10-27 23:20:15.271078052 +0200
@@ -140,7 +140,30 @@
return (API->err);
}
- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
+ if (nMaxRecordSize)
+ {
+ //before allocating memory do a sanity check on size by seeking
+ //to claimed end to see if its possible. We're constrained here
+ //by the api and existing implementations to not simply seeking
+ //to SEEK_END. So use what we have to skip to the last byte and
+ //try and read it.
+ const long nPos = WMF_TELL (API);
+ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+ int byte = WMF_READ (API);
+ if (byte == (-1))
+ { WMF_ERROR (API,"Unexpected EOF!");
+ API->err = wmf_E_EOF;
+ return (API->err);
+ }
+ WMF_SEEK (API, nPos);
+ }
+
+ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
if (ERR (API))
{ WMF_DEBUG (API,"bailing...");
