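--- a/Makefile
+++ b/Makefile
@@ -3,11 +3,11 @@
 
 PORTNAME=	libwmf
 PORTVERSION=	0.2.8.4
-PORTREVISION=	13
+PORTREVISION=	14
 CATEGORIES=	graphics
 MASTER_SITES=	SF/wvware/${PORTNAME}/${PORTVERSION}
 
-MAINTAINER=	ports@FreeBSD.org
+MAINTAINER=	jason.unovitch@gmail.com
 COMMENT=	Tools and library for converting Microsoft WMF (windows metafile)
 
 LICENSE=	GPLv2 # or later
@@ -36,6 +36,18 @@
 X11_USE=	XORG=x11
 X11_CONFIGURE_OFF=--with-x=no
 
+EXTRA_PATCHES=	${FILESDIR}/libwmf-0.2.8.4-CVE-2007-0455.patch:-p1 \
+		${FILESDIR}/libwmf-0.2.8.4-CVE-2007-2756.patch:-p1 \
+		${FILESDIR}/libwmf-0.2.8.4-CVE-2007-3472.patch:-p1 \
+		${FILESDIR}/libwmf-0.2.8.4-CVE-2007-3473.patch:-p1 \
+		${FILESDIR}/libwmf-0.2.8.4-CVE-2007-3477.patch:-p1 \
+		${FILESDIR}/libwmf-0.2.8.4-CVE-2009-3546.patch:-p1 \
+		${FILESDIR}/libwmf-0.2.8.4-CAN-2004-0941.patch:-p1 \
+		${FILESDIR}/libwmf-0.2.8.4-rh1227243-CVE-2015-0848.patch:-p1 \
+		${FILESDIR}/libwmf-0.2.8.4-deb784205-CVE-2015-4695.patch:-p1 \
+		${FILESDIR}/libwmf-0.2.8.4-deb784192-CVE-2015-4696.patch:-p1 \
+		${FILESDIR}/libwmf-0.2.8.4-rh1227243-CVE-2015-4588.patch:-p1
+
 .include <bsd.port.options.mk>
 
 post-patch: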
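--- a/files/libwmf-0.2.8.4-CAN-2004-0941.patch
+++ b/files/libwmf-0.2.8.4-CAN-2004-0941.patch
@@ -0,0 +1,17 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c	2004-11-11 14:02:37.407589824 -0500
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c	2004-11-11 14:04:29.672522960 -0500
+@@ -188,6 +188,14 @@
+ 
+   png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 		&interlace_type, NULL, NULL);
++  if (overflow2(sizeof (int), width)) 
++    {
++      return NULL;
++    }
++  if (overflow2(sizeof (int) * width, height)) 
++    {
++      return NULL;
++    }  
+   if ((color_type == PNG_COLOR_TYPE_RGB) ||
+       (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+     {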
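Review bot: Both new `return NULL;` paths leave the function directly after `png_get_IHDR`, so any libpng read and info structures created earlier in the function (outside the hunk) would not be released on these paths; if that is the case, `png_destroy_read_struct (&png_ptr, &info_ptr, NULL);` belongs before each return. The second check forms `sizeof (int) * width` before `overflow2` sees it, which is bounded only because the first check has already passed; a one-line comment such as `/* safe: sizeof (int) * width was validated by the check above */` would keep a later reorder from breaking that. `overflow2` is declared by the CVE-2007-3472 patch in gdhelpers.h, and whether gd_png.c includes that header is not visible here.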
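--- a/files/libwmf-0.2.8.4-CVE-2007-0455.patch
+++ b/files/libwmf-0.2.8.4-CVE-2007-0455.patch
@@ -0,0 +1,11 @@
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c	2010-12-06 11:18:26.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdft.c	2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ 	    {
+ 	      ch = c & 0xFF;	/* don't extend sign */
+ 	    }
+-	  next++;
++	  if (*next) next++;
+ 	}
+       else
+ 	{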
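Review bot: The new guard `if (*next) next++;` carries no comment, and the reason for it is not obvious from the surrounding lines. A short comment on that line, for example `/* never advance past the string terminator */`, would record why the unconditional increment was unsafe. How `next` is advanced before this point is outside the hunk, so the wording should be confirmed against the full loop.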
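--- a/files/libwmf-0.2.8.4-CVE-2007-2756.patch
+++ b/files/libwmf-0.2.8.4-CVE-2007-2756.patch
@@ -0,0 +1,16 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c	1 Apr 2007 20:41:01 -0000	1.21.2.1
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c	16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ 	       png_bytep data, png_size_t length)
+ {
+-  gdGetBuf (data, length, (gdIOCtx *)
+-	    png_get_io_ptr (png_ptr));
++  int check;
++  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++  if (check != length) {
++    png_error(png_ptr, "Read Error: truncated data");
++  }
+ }
+ 
+ static void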
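Review bot: `if (check != length)` compares an `int` with a `png_size_t`, so `check` is converted to unsigned before the comparison. A negative error return is still caught in practice, but only as a side effect of that conversion, and the line will trip sign-compare warnings. `if (check < 0 || (png_size_t) check != length) {` states the intent directly. The prototype of `gdGetBuf` is outside the hunk, so whether `length` is narrowed on the way in cannot be confirmed from here.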
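--- a/files/libwmf-0.2.8.4-CVE-2007-3472.patch
+++ b/files/libwmf-0.2.8.4-CVE-2007-3472.patch
@@ -0,0 +1,61 @@
+Patch modified slightly from upstream CentOS version
+
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+   gdImagePtr im;
+   unsigned long cpa_size;
+ 
++  if (overflow2(sx, sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof (int *), sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof(int), sx)) {
++    return NULL;
++  }
++
+   im = (gdImage *) gdMalloc (sizeof (gdImage));
+   if (im == 0) return 0;
+   memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c	2010-12-06 11:47:31.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c	2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+ 
+@@ -94,3 +95,18 @@
+ {
+   free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++	if(a < 0 || b < 0) {
++		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++		return 1;
++	}
++	if(b == 0)
++		return 0;
++	if(a > INT_MAX / b) {
++		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++		return 1;
++	}
++	return 0;
++}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h	2010-12-06 11:47:17.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h	2010-12-06 11:48:36.000000000 +0000
+@@ -15,4 +15,6 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+ 
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */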
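Review bot: `overflow2` takes two `int` parameters, yet the call sites added in gd.c pass `sizeof (int *)` and `sizeof(int)`, which are `size_t`, and the CAN-2004-0941 patch on this page passes the product `sizeof (int) * width`, so every argument is narrowed to `int` before the helper can test it. A comment above the definition stating that callers must supply values that already fit in `int`, for example `/* Returns 1 if a * b would exceed INT_MAX or either operand is negative; arguments are narrowed to int by the caller. */`, would make that contract explicit. The function also calls `fprintf(stderr, …)` while the gdhelpers.c hunk adds only `<limits.h>`; unless a header above line 2 of that file already provides it, `#include <stdio.h>` should be added next to it.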
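--- a/files/libwmf-0.2.8.4-CVE-2007-3473.patch
+++ b/files/libwmf-0.2.8.4-CVE-2007-3473.patch
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+     }
+   bytes = (w * h / 8) + 1;
+   im = gdImageCreate (w, h);
++  if (!im) {
++    return 0;
++  }
++
+   gdImageColorAllocate (im, 255, 255, 255);
+   gdImageColorAllocate (im, 0, 0, 0);
+   x = 0;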
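Review bot: `bytes = (w * h / 8) + 1;` is still evaluated before `gdImageCreate (w, h)` has had the chance to reject oversized dimensions, so the multiplication runs on unvalidated values taken from the file. If `w` and `h` are signed integers (their declarations are outside the hunk), that product can overflow before the new NULL check is reached. Moving the `bytes` assignment below the added `if (!im)` block means it is only computed for dimensions that passed the `overflow2` checks added to `gdImageCreate` by the CVE-2007-3472 patch.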
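--- a/files/libwmf-0.2.8.4-CVE-2007-3477.patch
+++ b/files/libwmf-0.2.8.4-CVE-2007-3477.patch
@@ -0,0 +1,38 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+   int w2, h2;
+   w2 = w / 2;
+   h2 = h / 2;
+-  while (e < s)
+-    {
+-      e += 360;
+-    }
++
++  if ((s % 360)  == (e % 360)) {
++         s = 0; e = 360;
++  } else {
++         if (s > 360) {
++                 s = s % 360;
++         }
++
++         if (e > 360) {
++                 e = e % 360;
++         }
++
++         while (s < 0) {
++                 s += 360;
++         }
++
++         while (e < s) {
++                 e += 360;
++         }
++
++         if (s == e) {
++                 s = 0; e = 360;
++         }
++  }
++
+   for (i = s; (i <= e); i++)
+     {
+       int x, y;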
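Review bot: Only angles above 360 are reduced with `%`; negative values are still normalised by repeated addition in `while (s < 0) { s += 360; }` and `while (e < s) { e += 360; }`, so a very large negative `s` or `e` keeps the long-running loop this patch is meant to remove. Reducing both unconditionally first, `s %= 360; if (s < 0) s += 360;` and the same two statements for `e`, bounds the remaining `while (e < s)` loop to a single iteration. The declarations of `s` and `e` are outside the hunk; this assumes they are plain `int`.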
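--- a/files/libwmf-0.2.8.4-CVE-2009-3546.patch
+++ b/files/libwmf-0.2.8.4-CVE-2009-3546.patch
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c	2010-12-06 14:56:06.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c	2010-12-06 14:57:04.000000000 +0000
+@@ -42,6 +42,10 @@
+ 	    {
+ 	      goto fail1;
+ 	    }
++	  if (&im->colorsTotal > gdMaxColors)
++	    {
++	      goto fail1;
++	    }
+ 	}
+       /* Int to accommodate truecolor single-color transparency */
+       if (!gdGetInt (&im->transparent, in))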
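Review bot: The added test `if (&im->colorsTotal > gdMaxColors)` compares the address of the field with the limit, not the value that was just read. As written the condition does not depend on the file contents at all, so it does not perform the intended range check; it should read `if (im->colorsTotal > gdMaxColors)`. If `colorsTotal` is a signed type (its declaration is not shown), rejecting negative values in the same test is worth adding.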
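--- a/files/libwmf-0.2.8.4-deb784192-CVE-2015-4696.patch
+++ b/files/libwmf-0.2.8.4-deb784192-CVE-2015-4696.patch
@@ -0,0 +1,20 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+ 
++		if (FR->region_clip) FR->region_clip (API,&polyrect);
++
+ 		wmf_free (API,polyrect.TL);
+ 		wmf_free (API,polyrect.BR);
+ 	}
+@@ -2593,9 +2595,10 @@
+ 		polyrect.BR = 0;
+ 
+ 		polyrect.count = 0;
++	
++		if (FR->region_clip) FR->region_clip (API,&polyrect);
+ 	}
+ 
+-	if (FR->region_clip) FR->region_clip (API,&polyrect);
+ 
+ 	return (changed);
+ }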
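Review bot: The first group of changes in this patch file (lines 3-8, which add the `FR->region_clip` call ahead of the two `wmf_free` calls) has no `@@` hunk header; the only header is the `@@ -2593,9 +2595,10 @@` that introduces the second group. As shown here, a patch tool is likely to skip or reject those leading lines, which would leave the first branch without any `region_clip` call once the second hunk removes the call after the block. The missing header should be restored from the original Debian patch and the patched meta.h checked to confirm that both branches call `region_clip` before `polyrect.TL` and `polyrect.BR` are freed.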
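--- a/files/libwmf-0.2.8.4-deb784205-CVE-2015-4695.patch
+++ b/files/libwmf-0.2.8.4-deb784205-CVE-2015-4695.patch
@@ -0,0 +1,58 @@
+Index: libwmf-0.2.8.4/src/player/meta.h
+===================================================================
+--- libwmf-0.2.8.4.orig/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");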
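--- a/files/libwmf-0.2.8.4-rh1227243-CVE-2015-0848.patch
+++ b/files/libwmf-0.2.8.4-rh1227243-CVE-2015-0848.patch
@@ -0,0 +1,20 @@
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-02 11:35:04.072201795 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-02 11:35:20.647406414 +0100
+@@ -1145,8 +1143,15 @@
+ 		}
+ 	}
+ 	else
+-	{	/* Convert run-length encoded raster pixels. */
+-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++	{
++		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
++		{
++			DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++		}
++		else
++		{	WMF_ERROR (API,"Unexpected pixel depth");
++			API->err = wmf_E_BadFormat;
++		}
+ 	}
+ 
+ 	if (ERR (API))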
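Review bot: The new guard validates only `bmp_info.bits_per_pixel`; `bmp_info.compression` is still handed to `DecodeImage` unchecked, so a header that declares 8 bits per pixel together with a compression value other than 1 still reaches the `else` arm of `if (compression == 1)` that is visible in the CVE-2015-4588 patch on this page. If that arm is the 4-bit run-length decoder, as its position suggests, the depth and the decoder would disagree; tightening the test to `if (bmp_info.bits_per_pixel == 8 && bmp_info.compression == 1)` would close that gap. Which compression values can reach this `else` block is decided outside the hunk and should be confirmed first.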
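--- a/files/libwmf-0.2.8.4-rh1227243-CVE-2015-4588.patch
+++ b/files/libwmf-0.2.8.4-rh1227243-CVE-2015-4588.patch
@@ -0,0 +1,111 @@
+diff -ru libwmf-0.2.8.4/src/ipa/ipa/bmp.h libwmf-0.2.8.4/src/ipa/ipa/bmp.h
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-03 09:30:59.410501271 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-03 09:31:05.775572630 +0100
+@@ -859,7 +859,7 @@
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ {	int byte;
+ 	int count;
+ 	int i;
+@@ -870,12 +870,14 @@
+ 	U32 u;
+ 
+ 	unsigned char* q;
++	unsigned char* end;
+ 
+ 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+ 
+ 	byte = 0;
+ 	x = 0;
+ 	q = pixels;
++	end = pixels + bmp->width * bmp->height;
+ 
+ 	for (y = 0; y < bmp->height; )
+ 	{	count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@
+ 		{	/* Encoded mode. */
+ 			byte = ReadBlobByte (src);
+ 			for (i = 0; i < count; i++)
+-			{	if (compression == 1)
++			{	
++				if (q == end)
++					return 0;
++			 	if (compression == 1)
+ 				{	(*(q++)) = (unsigned char) byte;
+ 				}
+ 				else
+@@ -896,13 +901,15 @@
+ 		else
+ 		{	/* Escape mode. */
+ 			count = ReadBlobByte (src);
+-			if (count == 0x01) return;
++			if (count == 0x01) return 1;
+ 			switch (count)
+ 			{
+ 			case 0x00:
+ 			 {	/* End of line. */
+ 				x = 0;
+ 				y++;
++				if (y >= bmp->height)
++					return 0;
+ 				q = pixels + y * bmp->width;
+ 				break;
+ 			 }
+@@ -910,13 +917,20 @@
+ 			 {	/* Delta mode. */
+ 				x += ReadBlobByte (src);
+ 				y += ReadBlobByte (src);
++				if (y >= bmp->height)
++					return 0;
++				if (x >= bmp->width)
++					return 0;
+ 				q = pixels + y * bmp->width + x;
+ 				break;
+ 			 }
+ 			default:
+ 			 {	/* Absolute mode. */
+ 				for (i = 0; i < count; i++)
+-				{	if (compression == 1)
++				{
++					if (q == end)
++						return 0;
++					if (compression == 1)
+ 					{	(*(q++)) = ReadBlobByte (src);
+ 					}
+ 					else
+@@ -943,7 +957,7 @@
+ 	byte = ReadBlobByte (src);  /* end of line */
+ 	byte = ReadBlobByte (src);
+ 
+-	return;
++	return 1;
+ }
+ 
+ /*
+@@ -1146,7 +1160,10 @@
+ 	{
+ 		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
+ 		{
+-			DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
++			{	WMF_ERROR (API,"corrupt bmp");
++				API->err = wmf_E_BadFormat;
++			}
+ 		}
+ 		else
+ 		{	WMF_ERROR (API,"Unexpected pixel depth");
+diff -ru libwmf-0.2.8.4/src/ipa/ipa.h libwmf-0.2.8.4/src/ipa/ipa.h
+--- libwmf-0.2.8.4/src/ipa/ipa.h	2015-06-03 09:30:59.410501271 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa.h	2015-06-03 09:31:08.687605277 +0100
+@@ -48,7 +48,7 @@
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long  ReadBlobLSBLong (BMPSource*);
+ static long           TellBlob (BMPSource*);
+-static void           DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int            DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void           ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int            ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void           SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);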
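Review bot: Both new end-of-buffer tests in `DecodeImage` use equality, `if (q == end) return 0;`, which is only sufficient while `q` moves one byte per iteration; the `else` arms for the other compression mode lie outside the hunks, so that cannot be confirmed here, and `if (q >= end) return 0;` is the safer form in the encoded-mode and absolute-mode loops. `end` is computed as `pixels + bmp->width * bmp->height` without the `(U32)` casts used by the clearing loop a few lines above, so the two bounds can disagree for large dimensions; `end = pixels + ((U32) bmp->width * (U32) bmp->height);` keeps them consistent. In delta mode only the upper bounds of `x` and `y` are tested; if `ReadBlobByte` can return a negative value at end of input (its definition is not shown), a lower-bound check such as `if (x < 0 || y < 0) return 0;` is needed before `q` is recomputed.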
