guix/gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch
Mark H Weaver f956d661ad gnu: libwmf: Add fixes for several security flaws.
* gnu/packages/patches/libwmf-CAN-2004-0941.patch,
  gnu/packages/patches/libwmf-CVE-2007-0455.patch,
  gnu/packages/patches/libwmf-CVE-2007-2756.patch,
  gnu/packages/patches/libwmf-CVE-2007-3472.patch,
  gnu/packages/patches/libwmf-CVE-2007-3473.patch,
  gnu/packages/patches/libwmf-CVE-2007-3477.patch,
  gnu/packages/patches/libwmf-CVE-2009-3546.patch: New files.
* gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch: Delete
  file.  Replace with ...
* gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch,
  gnu/packages/patches/libwmf-CVE-2015-4695.patch,
  gnu/packages/patches/libwmf-CVE-2015-4696.patch: ... these new files.
* gnu-system.am (dist_patch_DATA): Adjust accordingly.
* gnu/packages/image.scm (libwmf)[source]: Adjust set of patches.
2015-10-08 10:46:30 -04:00

123 lines
3.3 KiB
Diff

Copied from Fedora.
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
@@ -859,7 +859,7 @@
%
%
*/
-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
{ int byte;
int count;
int i;
@@ -870,12 +870,14 @@
U32 u;
unsigned char* q;
+ unsigned char* end;
for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
byte = 0;
x = 0;
q = pixels;
+ end = pixels + bmp->width * bmp->height;
for (y = 0; y < bmp->height; )
{ count = ReadBlobByte (src);
@@ -884,7 +886,10 @@
{ /* Encoded mode. */
byte = ReadBlobByte (src);
for (i = 0; i < count; i++)
- { if (compression == 1)
+ {
+ if (q == end)
+ return 0;
+ if (compression == 1)
{ (*(q++)) = (unsigned char) byte;
}
else
@@ -896,13 +901,15 @@
else
{ /* Escape mode. */
count = ReadBlobByte (src);
- if (count == 0x01) return;
+ if (count == 0x01) return 1;
switch (count)
{
case 0x00:
{ /* End of line. */
x = 0;
y++;
+ if (y >= bmp->height)
+ return 0;
q = pixels + y * bmp->width;
break;
}
@@ -910,13 +917,20 @@
{ /* Delta mode. */
x += ReadBlobByte (src);
y += ReadBlobByte (src);
+ if (y >= bmp->height)
+ return 0;
+ if (x >= bmp->width)
+ return 0;
q = pixels + y * bmp->width + x;
break;
}
default:
{ /* Absolute mode. */
for (i = 0; i < count; i++)
- { if (compression == 1)
+ {
+ if (q == end)
+ return 0;
+ if (compression == 1)
{ (*(q++)) = ReadBlobByte (src);
}
else
@@ -943,7 +957,7 @@
byte = ReadBlobByte (src); /* end of line */
byte = ReadBlobByte (src);
- return;
+ return 1;
}
/*
@@ -1143,8 +1157,18 @@
}
}
else
- { /* Convert run-length encoded raster pixels. */
- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+ {
+ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
+ {
+ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
+ { WMF_ERROR (API,"corrupt bmp");
+ API->err = wmf_E_BadFormat;
+ }
+ }
+ else
+ { WMF_ERROR (API,"Unexpected pixel depth");
+ API->err = wmf_E_BadFormat;
+ }
}
if (ERR (API))
--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
+++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
@@ -48,7 +48,7 @@
static unsigned short ReadBlobLSBShort (BMPSource*);
static unsigned long ReadBlobLSBLong (BMPSource*);
static long TellBlob (BMPSource*);
-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);