9ed5486439
* gnu/packages/patches/libwmf-CVE-2006-3376.patch, gnu/packages/patches/libwmf-CVE-2009-1364.patch, gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (libwmf)[source]: Add patches.
Copied from Debian.
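--- libwmf-0.2.8.4.orig/src/player.c
+++ libwmf-0.2.8.4/src/player.c
@@ -23,6 +23,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include <math.h>
 
@@ -132,8 +133,14 @@
 }
 }
 
-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
+ {
+ API->err = wmf_E_InsMem;
+ WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+
+ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
 
 if (ERR (API))
 { WMF_DEBUG (API,"bailing...");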
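Review bot: The guard added before the `wmf_malloc` call in the second hunk hard-codes `UINT32_MAX / 2` as its bound, which is only correct if `MAX_REC_SIZE(API)` is a 32-bit unsigned value and the `* 2` is evaluated at that width; neither the macro's type nor the allocator's size parameter is visible here, so that assumption should be confirmed against their declarations. The check also has no explanation, and a comment such as `/* reject record sizes whose doubling would wrap and under-allocate P->Parameters */` would stop it being removed later as redundant. It sets `wmf_E_InsMem` and logs the same `"bailing..."` text as the allocation-failure path directly below, so debug output cannot distinguish an oversized, likely malformed header from real memory exhaustion; a distinct message such as `WMF_DEBUG (API,"record size too large, bailing...");` would help triage. The enclosing function starts and ends outside the hunk.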