Details: https://nvd.nist.gov/vuln/detail/CVE-2015-0848 https://nvd.nist.gov/vuln/detail/CVE-2015-4588
Pick the commit that mentions the CVE IDs explicitly. The same patch fixes both vulnerabilities. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../libwmf/CVE-2015-0848-CVE-2015-4588.patch | 135 ++++++++++++++++++ .../recipes-extended/libwmf/libwmf_0.2.8.4.bb | 3 +- 2 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-extended/libwmf/libwmf/CVE-2015-0848-CVE-2015-4588.patch diff --git a/meta-oe/recipes-extended/libwmf/libwmf/CVE-2015-0848-CVE-2015-4588.patch b/meta-oe/recipes-extended/libwmf/libwmf/CVE-2015-0848-CVE-2015-4588.patch new file mode 100644 index 0000000000..b65610aa88 --- /dev/null +++ b/meta-oe/recipes-extended/libwmf/libwmf/CVE-2015-0848-CVE-2015-4588.patch @@ -0,0 +1,135 @@ +From f42e4f4505b07278f4baccddfc1f47059ae4f931 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <[email protected]> +Date: Wed, 8 Aug 2018 13:59:18 +0100 +Subject: [PATCH] CVE-2015-0848+CVE-2015-4588 + +CVE: CVE-2015-0848 CVE-2015-4588 +Upstream-Status: Backport [https://github.com/caolanm/libwmf/commit/879d6bffa6dd21b8c0e9ec3b5aa31b6ae090ef83] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + src/ipa/ipa.h | 2 +- + src/ipa/ipa/bmp.h | 38 +++++++++++++++++++++++++++++++------- + 2 files changed, 32 insertions(+), 8 deletions(-) + +diff --git a/src/ipa/ipa.h b/src/ipa/ipa.h +index d050a7e..3003540 100644 +--- a/src/ipa/ipa.h ++++ b/src/ipa/ipa.h +@@ -48,7 +48,7 @@ static int ReadBlobByte (BMPSource*); + static unsigned short ReadBlobLSBShort (BMPSource*); + static unsigned long ReadBlobLSBLong (BMPSource*); + static long TellBlob (BMPSource*); +-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); ++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); + static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); + static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); + static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); +diff --git a/src/ipa/ipa/bmp.h b/src/ipa/ipa/bmp.h +index 29eee34..7751a36 100644 +--- a/src/ipa/ipa/bmp.h ++++ b/src/ipa/ipa/bmp.h +@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src) + % + % + */ +-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) ++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) + { int byte; + int count; + int i; +@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int com + U32 u; + + unsigned char* q; ++ unsigned char* end; + + for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; + + byte = 0; + x = 0; + q = pixels; ++ end = pixels + bmp->width * bmp->height; + + for (y = 0; y < bmp->height; ) + { count = ReadBlobByte (src); +@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int com + { /* Encoded mode. */ + byte = ReadBlobByte (src); + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = (unsigned char) byte; + } + else +@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int com + else + { /* Escape mode. */ + count = ReadBlobByte (src); +- if (count == 0x01) return; ++ if (count == 0x01) return 1; + switch (count) + { + case 0x00: + { /* End of line. */ + x = 0; + y++; ++ if (y >= bmp->height) ++ return 0; + q = pixels + y * bmp->width; + break; + } +@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int com + { /* Delta mode. */ + x += ReadBlobByte (src); + y += ReadBlobByte (src); ++ if (y >= bmp->height) ++ return 0; ++ if (x >= bmp->width) ++ return 0; + q = pixels + y * bmp->width + x; + break; + } + default: + { /* Absolute mode. */ + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = ReadBlobByte (src); + } + else +@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int com + byte = ReadBlobByte (src); /* end of line */ + byte = ReadBlobByte (src); + +- return; ++ return 1; + } + + /* +@@ -1143,8 +1157,18 @@ static void ReadBMPImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src) + } + } + else +- { /* Convert run-length encoded raster pixels. */ +- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); ++ { ++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ ++ { ++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) ++ { WMF_ERROR (API,"corrupt bmp"); ++ API->err = wmf_E_BadFormat; ++ } ++ } ++ else ++ { WMF_ERROR (API,"Unexpected pixel depth"); ++ API->err = wmf_E_BadFormat; ++ } + } + + if (ERR (API)) diff --git a/meta-oe/recipes-extended/libwmf/libwmf_0.2.8.4.bb b/meta-oe/recipes-extended/libwmf/libwmf_0.2.8.4.bb index 93b58057ce..bea9ed6dc8 100644 --- a/meta-oe/recipes-extended/libwmf/libwmf_0.2.8.4.bb +++ b/meta-oe/recipes-extended/libwmf/libwmf_0.2.8.4.bb @@ -19,7 +19,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/${BPN}/${PV}/${BPN}-${PV}.tar.gz;name=ta file://libwmf-0.2.8.4-intoverflow.patch \ file://libwmf-0.2.8.4-useafterfree.patch \ file://0001-configure-use-pkg-config-for-freetype.patch \ - " + file://CVE-2015-0848-CVE-2015-4588.patch \ + " SRC_URI[tarball.md5sum] = "d1177739bf1ceb07f57421f0cee191e0" SRC_URI[tarball.sha256sum] = "5b345c69220545d003ad52bfd035d5d6f4f075e65204114a9e875e84895a7cf8"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#121845): https://lists.openembedded.org/g/openembedded-devel/message/121845 Mute This Topic: https://lists.openembedded.org/mt/116354043/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
