Browse Source
* gnu/packages/patches/libwmf-CAN-2004-0941.patch, gnu/packages/patches/libwmf-CVE-2007-0455.patch, gnu/packages/patches/libwmf-CVE-2007-2756.patch, gnu/packages/patches/libwmf-CVE-2007-3472.patch, gnu/packages/patches/libwmf-CVE-2007-3473.patch, gnu/packages/patches/libwmf-CVE-2007-3477.patch, gnu/packages/patches/libwmf-CVE-2009-3546.patch: New files. * gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch: Delete file. Replace with ... * gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch, gnu/packages/patches/libwmf-CVE-2015-4695.patch, gnu/packages/patches/libwmf-CVE-2015-4696.patch: ... these new files. * gnu-system.am (dist_patch_DATA): Adjust accordingly. * gnu/packages/image.scm (libwmf)[source]: Adjust set of patches.wip-container
Mark H Weaver
7 years ago
13 changed files with 425 additions and 192 deletions
@ -0,0 +1,21 @@ |
|||
Copied from Fedora. |
|||
|
|||
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CAN-2004-0941.patch |
|||
|
|||
--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824 -0500
|
|||
+++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960 -0500
|
|||
@@ -188,6 +188,14 @@
|
|||
|
|||
png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, |
|||
&interlace_type, NULL, NULL); |
|||
+ if (overflow2(sizeof (int), width))
|
|||
+ {
|
|||
+ return NULL;
|
|||
+ }
|
|||
+ if (overflow2(sizeof (int) * width, height))
|
|||
+ {
|
|||
+ return NULL;
|
|||
+ }
|
|||
if ((color_type == PNG_COLOR_TYPE_RGB) || |
|||
(color_type == PNG_COLOR_TYPE_RGB_ALPHA)) |
|||
{ |
|||
@ -0,0 +1,15 @@ |
|||
Copied from Fedora. |
|||
|
|||
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-0455.patch |
|||
|
|||
--- libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000
|
|||
+++ libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000
|
|||
@@ -811,7 +811,7 @@
|
|||
{ |
|||
ch = c & 0xFF; /* don't extend sign */ |
|||
} |
|||
- next++;
|
|||
+ if (*next) next++;
|
|||
} |
|||
else |
|||
{ |
|||
@ -0,0 +1,20 @@ |
|||
Copied from Fedora. |
|||
|
|||
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-2756.patch |
|||
|
|||
--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000 1.21.2.1
|
|||
+++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000
|
|||
@@ -78,8 +78,11 @@
|
|||
gdPngReadData (png_structp png_ptr, |
|||
png_bytep data, png_size_t length) |
|||
{ |
|||
- gdGetBuf (data, length, (gdIOCtx *)
|
|||
- png_get_io_ptr (png_ptr));
|
|||
+ int check;
|
|||
+ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
|
|||
+ if (check != length) {
|
|||
+ png_error(png_ptr, "Read Error: truncated data");
|
|||
+ }
|
|||
} |
|||
|
|||
static void |
|||
@ -0,0 +1,63 @@ |
|||
Based on a patch from Fedora. |
|||
|
|||
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3472.patch |
|||
|
|||
--- libwmf-0.2.8.4/src/extra/gd/gd.c
|
|||
+++ libwmf-0.2.8.4/src/extra/gd/gd.c
|
|||
@@ -106,6 +106,18 @@
|
|||
gdImagePtr im; |
|||
unsigned long cpa_size; |
|||
|
|||
+ if (overflow2(sx, sy)) {
|
|||
+ return NULL;
|
|||
+ }
|
|||
+
|
|||
+ if (overflow2(sizeof (int *), sy)) {
|
|||
+ return NULL;
|
|||
+ }
|
|||
+
|
|||
+ if (overflow2(sizeof(int), sx)) {
|
|||
+ return NULL;
|
|||
+ }
|
|||
+
|
|||
im = (gdImage *) gdMalloc (sizeof (gdImage)); |
|||
if (im == 0) return 0; |
|||
memset (im, 0, sizeof (gdImage)); |
|||
--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000
|
|||
+++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000
|
|||
@@ -2,6 +2,7 @@
|
|||
#include "gdhelpers.h" |
|||
#include <stdlib.h> |
|||
#include <string.h> |
|||
+#include <limits.h>
|
|||
|
|||
/* TBB: gd_strtok_r is not portable; provide an implementation */ |
|||
|
|||
@@ -94,3 +95,18 @@
|
|||
{ |
|||
free (ptr); |
|||
} |
|||
+
|
|||
+int overflow2(int a, int b)
|
|||
+{
|
|||
+ if(a < 0 || b < 0) {
|
|||
+ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
|
|||
+ return 1;
|
|||
+ }
|
|||
+ if(b == 0)
|
|||
+ return 0;
|
|||
+ if(a > INT_MAX / b) {
|
|||
+ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
|
|||
+ return 1;
|
|||
+ }
|
|||
+ return 0;
|
|||
+}
|
|||
--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000
|
|||
+++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000
|
|||
@@ -15,4 +15,6 @@
|
|||
void *gdMalloc(size_t size); |
|||
void *gdRealloc(void *ptr, size_t size); |
|||
|
|||
+int overflow2(int a, int b);
|
|||
+
|
|||
#endif /* GDHELPERS_H */ |
|||
@ -0,0 +1,17 @@ |
|||
Copied from Fedora. |
|||
|
|||
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3473.patch |
|||
|
|||
--- libwmf-0.2.8.4/src/extra/gd/gd.c
|
|||
+++ libwmf-0.2.8.4/src/extra/gd/gd.c
|
|||
@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
|
|||
} |
|||
bytes = (w * h / 8) + 1; |
|||
im = gdImageCreate (w, h); |
|||
+ if (!im) {
|
|||
+ return 0;
|
|||
+ }
|
|||
+
|
|||
gdImageColorAllocate (im, 255, 255, 255); |
|||
gdImageColorAllocate (im, 0, 0, 0); |
|||
x = 0; |
|||
@ -0,0 +1,42 @@ |
|||
Copied from Fedora. |
|||
|
|||
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3477.patch |
|||
|
|||
--- libwmf-0.2.8.4/src/extra/gd/gd.c
|
|||
+++ libwmf-0.2.8.4/src/extra/gd/gd.c
|
|||
@@ -1335,10 +1335,31 @@
|
|||
int w2, h2; |
|||
w2 = w / 2; |
|||
h2 = h / 2; |
|||
- while (e < s)
|
|||
- {
|
|||
- e += 360;
|
|||
- }
|
|||
+
|
|||
+ if ((s % 360) == (e % 360)) {
|
|||
+ s = 0; e = 360;
|
|||
+ } else {
|
|||
+ if (s > 360) {
|
|||
+ s = s % 360;
|
|||
+ }
|
|||
+
|
|||
+ if (e > 360) {
|
|||
+ e = e % 360;
|
|||
+ }
|
|||
+
|
|||
+ while (s < 0) {
|
|||
+ s += 360;
|
|||
+ }
|
|||
+
|
|||
+ while (e < s) {
|
|||
+ e += 360;
|
|||
+ }
|
|||
+
|
|||
+ if (s == e) {
|
|||
+ s = 0; e = 360;
|
|||
+ }
|
|||
+ }
|
|||
+
|
|||
for (i = s; (i <= e); i++) |
|||
{ |
|||
int x, y; |
|||
@ -0,0 +1,17 @@ |
|||
Copied from Fedora. |
|||
|
|||
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2009-3546.patch |
|||
|
|||
--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000 +0000
|
|||
+++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000 +0000
|
|||
@@ -42,6 +42,10 @@
|
|||
{ |
|||
goto fail1; |
|||
} |
|||
+ if (&im->colorsTotal > gdMaxColors)
|
|||
+ {
|
|||
+ goto fail1;
|
|||
+ }
|
|||
} |
|||
/* Int to accommodate truecolor single-color transparency */ |
|||
if (!gdGetInt (&im->transparent, in)) |
|||
@ -1,189 +0,0 @@ |
|||
Fix CVE-2015-0848, CVE-2015-4588, CVE-2015-4695, and CVE-2015-4696. |
|||
Copied from Debian. |
|||
|
|||
--- libwmf-0.2.8.4.orig/src/player/meta.h
|
|||
+++ libwmf-0.2.8.4/src/player/meta.h
|
|||
@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@@ -2593,9 +2593,10 @@ static int meta_dc_restore (wmfAPI* API,
|
|||
polyrect.BR = 0; |
|||
|
|||
polyrect.count = 0; |
|||
+
|
|||
+ if (FR->region_clip) FR->region_clip (API,&polyrect);
|
|||
} |
|||
|
|||
- if (FR->region_clip) FR->region_clip (API,&polyrect);
|
|||
|
|||
return (changed); |
|||
} |
|||
@@ -3067,7 +3068,7 @@ static int meta_pen_create (wmfAPI* API,
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@@ -3181,7 +3182,7 @@ static int meta_brush_create (wmfAPI* AP
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@@ -3288,7 +3289,7 @@ static int meta_font_create (wmfAPI* API
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@@ -3396,7 +3397,7 @@ static int meta_palette_create (wmfAPI*
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
--- libwmf-0.2.8.4.orig/src/ipa/ipa.h
|
|||
+++ libwmf-0.2.8.4/src/ipa/ipa.h
|
|||
@@ -48,7 +48,7 @@ static int ReadBlobByte (BMPS
|
|||
static unsigned short ReadBlobLSBShort (BMPSource*); |
|||
static unsigned long ReadBlobLSBLong (BMPSource*); |
|||
static long TellBlob (BMPSource*); |
|||
-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
|
|||
+static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
|
|||
static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); |
|||
static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); |
|||
static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); |
|||
--- libwmf-0.2.8.4.orig/src/ipa/ipa/bmp.h
|
|||
+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h
|
|||
@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
|
|||
% |
|||
% |
|||
*/ |
|||
-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
|
|||
+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
|
|||
{ int byte; |
|||
int count; |
|||
int i; |
|||
@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmf
|
|||
U32 u; |
|||
|
|||
unsigned char* q; |
|||
+ unsigned char* end;
|
|||
|
|||
for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; |
|||
|
|||
byte = 0; |
|||
x = 0; |
|||
q = pixels; |
|||
+ end = pixels + bmp->width * bmp->height;
|
|||
|
|||
for (y = 0; y < bmp->height; ) |
|||
{ count = ReadBlobByte (src); |
|||
@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmf
|
|||
{ /* Encoded mode. */ |
|||
byte = ReadBlobByte (src); |
|||
for (i = 0; i < count; i++) |
|||
- { if (compression == 1)
|
|||
+ {
|
|||
+ if (q == end)
|
|||
+ return 0;
|
|||
+ if (compression == 1)
|
|||
{ (*(q++)) = (unsigned char) byte; |
|||
} |
|||
else |
|||
@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmf
|
|||
else |
|||
{ /* Escape mode. */ |
|||
count = ReadBlobByte (src); |
|||
- if (count == 0x01) return;
|
|||
+ if (count == 0x01) return 1;
|
|||
switch (count) |
|||
{ |
|||
case 0x00: |
|||
{ /* End of line. */ |
|||
x = 0; |
|||
y++; |
|||
+ if (y >= bmp->height)
|
|||
+ return 0;
|
|||
q = pixels + y * bmp->width; |
|||
break; |
|||
} |
|||
@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmf
|
|||
{ /* Delta mode. */ |
|||
x += ReadBlobByte (src); |
|||
y += ReadBlobByte (src); |
|||
+ if (y >= bmp->height)
|
|||
+ return 0;
|
|||
+ if (x >= bmp->width)
|
|||
+ return 0;
|
|||
q = pixels + y * bmp->width + x; |
|||
break; |
|||
} |
|||
default: |
|||
{ /* Absolute mode. */ |
|||
for (i = 0; i < count; i++) |
|||
- { if (compression == 1)
|
|||
+ {
|
|||
+ if (q == end)
|
|||
+ return 0;
|
|||
+ if (compression == 1)
|
|||
{ (*(q++)) = ReadBlobByte (src); |
|||
} |
|||
else |
|||
@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmf
|
|||
byte = ReadBlobByte (src); /* end of line */ |
|||
byte = ReadBlobByte (src); |
|||
|
|||
- return;
|
|||
+ return 1;
|
|||
} |
|||
|
|||
/* |
|||
@@ -1143,8 +1157,18 @@ static void ReadBMPImage (wmfAPI* API,wm
|
|||
} |
|||
} |
|||
else |
|||
- { /* Convert run-length encoded raster pixels. */
|
|||
- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
|
|||
+ {
|
|||
+ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
|
|||
+ {
|
|||
+ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
|
|||
+ { WMF_ERROR (API,"corrupt bmp");
|
|||
+ API->err = wmf_E_BadFormat;
|
|||
+ }
|
|||
+ }
|
|||
+ else
|
|||
+ { WMF_ERROR (API,"Unexpected pixel depth");
|
|||
+ API->err = wmf_E_BadFormat;
|
|||
+ }
|
|||
} |
|||
|
|||
if (ERR (API)) |
|||
@ -0,0 +1,122 @@ |
|||
Copied from Fedora. |
|||
|
|||
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch |
|||
|
|||
--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
|
|||
+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
|
|||
@@ -859,7 +859,7 @@
|
|||
% |
|||
% |
|||
*/ |
|||
-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
|
|||
+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
|
|||
{ int byte; |
|||
int count; |
|||
int i; |
|||
@@ -870,12 +870,14 @@
|
|||
U32 u; |
|||
|
|||
unsigned char* q; |
|||
+ unsigned char* end;
|
|||
|
|||
for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; |
|||
|
|||
byte = 0; |
|||
x = 0; |
|||
q = pixels; |
|||
+ end = pixels + bmp->width * bmp->height;
|
|||
|
|||
for (y = 0; y < bmp->height; ) |
|||
{ count = ReadBlobByte (src); |
|||
@@ -884,7 +886,10 @@
|
|||
{ /* Encoded mode. */ |
|||
byte = ReadBlobByte (src); |
|||
for (i = 0; i < count; i++) |
|||
- { if (compression == 1)
|
|||
+ {
|
|||
+ if (q == end)
|
|||
+ return 0;
|
|||
+ if (compression == 1)
|
|||
{ (*(q++)) = (unsigned char) byte; |
|||
} |
|||
else |
|||
@@ -896,13 +901,15 @@
|
|||
else |
|||
{ /* Escape mode. */ |
|||
count = ReadBlobByte (src); |
|||
- if (count == 0x01) return;
|
|||
+ if (count == 0x01) return 1;
|
|||
switch (count) |
|||
{ |
|||
case 0x00: |
|||
{ /* End of line. */ |
|||
x = 0; |
|||
y++; |
|||
+ if (y >= bmp->height)
|
|||
+ return 0;
|
|||
q = pixels + y * bmp->width; |
|||
break; |
|||
} |
|||
@@ -910,13 +917,20 @@
|
|||
{ /* Delta mode. */ |
|||
x += ReadBlobByte (src); |
|||
y += ReadBlobByte (src); |
|||
+ if (y >= bmp->height)
|
|||
+ return 0;
|
|||
+ if (x >= bmp->width)
|
|||
+ return 0;
|
|||
q = pixels + y * bmp->width + x; |
|||
break; |
|||
} |
|||
default: |
|||
{ /* Absolute mode. */ |
|||
for (i = 0; i < count; i++) |
|||
- { if (compression == 1)
|
|||
+ {
|
|||
+ if (q == end)
|
|||
+ return 0;
|
|||
+ if (compression == 1)
|
|||
{ (*(q++)) = ReadBlobByte (src); |
|||
} |
|||
else |
|||
@@ -943,7 +957,7 @@
|
|||
byte = ReadBlobByte (src); /* end of line */ |
|||
byte = ReadBlobByte (src); |
|||
|
|||
- return;
|
|||
+ return 1;
|
|||
} |
|||
|
|||
/* |
|||
@@ -1143,8 +1157,18 @@
|
|||
} |
|||
} |
|||
else |
|||
- { /* Convert run-length encoded raster pixels. */
|
|||
- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
|
|||
+ {
|
|||
+ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
|
|||
+ {
|
|||
+ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
|
|||
+ { WMF_ERROR (API,"corrupt bmp");
|
|||
+ API->err = wmf_E_BadFormat;
|
|||
+ }
|
|||
+ }
|
|||
+ else
|
|||
+ { WMF_ERROR (API,"Unexpected pixel depth");
|
|||
+ API->err = wmf_E_BadFormat;
|
|||
+ }
|
|||
} |
|||
|
|||
if (ERR (API)) |
|||
--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
|
|||
+++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
|
|||
@@ -48,7 +48,7 @@
|
|||
static unsigned short ReadBlobLSBShort (BMPSource*); |
|||
static unsigned long ReadBlobLSBLong (BMPSource*); |
|||
static long TellBlob (BMPSource*); |
|||
-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
|
|||
+static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
|
|||
static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); |
|||
static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); |
|||
static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); |
|||
@ -0,0 +1,60 @@ |
|||
Copied from Fedora. |
|||
|
|||
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-4695.patch |
|||
|
|||
--- libwmf-0.2.8.4/src/player/meta.h
|
|||
+++ libwmf-0.2.8.4/src/player/meta.h
|
|||
@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
|
|||
objects = P->objects; |
|||
|
|||
i = 0; |
|||
- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
|
|||
+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
|
|||
|
|||
if (i == NUM_OBJECTS (API)) |
|||
{ WMF_ERROR (API,"Object out of range!"); |
|||
@ -0,0 +1,27 @@ |
|||
Copied from Fedora. |
|||
|
|||
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-4696.patch |
|||
|
|||
--- libwmf-0.2.8.4/src/player/meta.h
|
|||
+++ libwmf-0.2.8.4/src/player/meta.h
|
|||
@@ -2585,6 +2585,8 @@
|
|||
polyrect.BR[i] = clip->rects[i].BR; |
|||
} |
|||
|
|||
+ if (FR->region_clip) FR->region_clip (API,&polyrect);
|
|||
+
|
|||
wmf_free (API,polyrect.TL); |
|||
wmf_free (API,polyrect.BR); |
|||
} |
|||
@@ -2593,9 +2595,10 @@
|
|||
polyrect.BR = 0; |
|||
|
|||
polyrect.count = 0; |
|||
+
|
|||
+ if (FR->region_clip) FR->region_clip (API,&polyrect);
|
|||
} |
|||
|
|||
- if (FR->region_clip) FR->region_clip (API,&polyrect);
|
|||
|
|||
return (changed); |
|||
} |
|||
Loading…
Reference in new issue