Attachment #202091 for bug #235768




CATEGORIES=	graphics
MASTER_SITES=	SF/wvware/${PORTNAME}/${PORTVERSION}

MAINTAINER=	phascolarctos@protonmail.ch
COMMENT=	Tools and library for converting Microsoft WMF (windows metafile)

LICENSE=	GPLv2+

LIB_DEPENDS=	libpng.so:graphics/png \
		libfreetype.so:print/freetype2

USES=		gnome jpeg libtool
USE_GNOME=	libxml2
USE_LDCONFIG=	yes

GNU_CONFIGURE=	yes
CONFIGURE_ARGS=	--with-sys-gd=no \
		--with-png=${LOCALBASE} --with-jpeg=${LOCALBASE} \
		--with-gsfontdir=${LOCALBASE}/share/ghostscript/fonts
INSTALL_TARGET=	install-strip
USES=		jpeg libtool
USE_GNOME=	libxml2
USE_LDCONFIG=	yes

PORTDOCS=	*

CONFLICTS?=	libwmf-nox11-[0-9]*

OPTIONS_DEFINE=	X11 DOCS
OPTIONS_DEFAULT=X11




--- src/extra/gd/gd_png.c	2004-11-11 14:02:37.407589824 -0500
+++ src/extra/gd/gd_png.c	2004-11-11 14:04:29.672522960 -0500
@@ -188,6 +188,14 @@
 
   png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
 		&interlace_type, NULL, NULL);
+  if (overflow2(sizeof (int), width)) 
+    {
+      return NULL;
+    }
+  if (overflow2(sizeof (int) * width, height)) 
+    {
+      return NULL;
+    }  
   if ((color_type == PNG_COLOR_TYPE_RGB) ||
       (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
     {

Lines 1-11 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-CVE-2007-0455 (-11 lines)
1	--- src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000
2	+++ src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000
3	@@ -811,7 +811,7 @@
4	{
5	ch = c & 0xFF; /* don't extend sign */
6	}
7	- next++;
8	+ if (*next) next++;
9	}
10	else
11	{




--- src/extra/gd/gd_png.c	1 Apr 2007 20:41:01 -0000	1.21.2.1
+++ src/extra/gd/gd_png.c	16 May 2007 19:06:11 -0000
@@ -78,8 +78,11 @@
 gdPngReadData (png_structp png_ptr,
 	       png_bytep data, png_size_t length)
 {
-  gdGetBuf (data, length, (gdIOCtx *)
-	    png_get_io_ptr (png_ptr));
+  int check;
+  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
+  if (check != length) {
+    png_error(png_ptr, "Read Error: truncated data");
+  }
 }
 
 static void




Patch modified slightly from upstream CentOS version

--- src/extra/gd/gd.c
+++ src/extra/gd/gd.c
@@ -106,6 +106,18 @@
   gdImagePtr im;
   unsigned long cpa_size;
 
+  if (overflow2(sx, sy)) {
+    return NULL;
+  }
+
+  if (overflow2(sizeof (int *), sy)) {
+    return NULL;
+  }
+
+  if (overflow2(sizeof(int), sx)) {
+    return NULL;
+  }
+
   im = (gdImage *) gdMalloc (sizeof (gdImage));
   if (im == 0) return 0;
   memset (im, 0, sizeof (gdImage));
--- src/extra/gd/gdhelpers.c	2010-12-06 11:47:31.000000000 +0000
+++ src/extra/gd/gdhelpers.c	2010-12-06 11:48:04.000000000 +0000
@@ -2,6 +2,7 @@
 #include "gdhelpers.h"
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 
 /* TBB: gd_strtok_r is not portable; provide an implementation */
 
@@ -94,3 +95,18 @@
 {
   free (ptr);
 }
+
+int overflow2(int a, int b)
+{
+	if(a < 0 || b < 0) {
+		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
+		return 1;
+	}
+	if(b == 0)
+		return 0;
+	if(a > INT_MAX / b) {
+		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+		return 1;
+	}
+	return 0;
+}
--- src/extra/gd/gdhelpers.h	2010-12-06 11:47:17.000000000 +0000
+++ src/extra/gd/gdhelpers.h	2010-12-06 11:48:36.000000000 +0000
@@ -15,4 +15,6 @@
 void *gdMalloc(size_t size);
 void *gdRealloc(void *ptr, size_t size);
 
+int overflow2(int a, int b);
+
 #endif /* GDHELPERS_H */




--- src/extra/gd/gd.c
+++ src/extra/gd/gd.c
@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
     }
   bytes = (w * h / 8) + 1;
   im = gdImageCreate (w, h);
+  if (!im) {
+    return 0;
+  }
+
   gdImageColorAllocate (im, 255, 255, 255);
   gdImageColorAllocate (im, 0, 0, 0);
   x = 0;

Lines 1-38 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-CVE-2007-3477 (-38 lines)
1	--- src/extra/gd/gd.c
2	+++ src/extra/gd/gd.c
3	@@ -1335,10 +1335,31 @@
4	int w2, h2;
5	w2 = w / 2;
6	h2 = h / 2;
7	- while (e < s)
8	- {
9	- e += 360;
10	- }
11	+
12	+ if ((s % 360) == (e % 360)) {
13	+ s = 0; e = 360;
14	+ } else {
15	+ if (s > 360) {
16	+ s = s % 360;
17	+ }
18	+
19	+ if (e > 360) {
20	+ e = e % 360;
21	+ }
22	+
23	+ while (s < 0) {
24	+ s += 360;
25	+ }
26	+
27	+ while (e < s) {
28	+ e += 360;
29	+ }
30	+
31	+ if (s == e) {
32	+ s = 0; e = 360;
33	+ }
34	+ }
35	+
36	for (i = s; (i <= e); i++)
37	{
38	int x, y;

Lines 1-13 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-CVE-2009-3546 (-13 lines)
1	--- src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000 +0000
2	+++ src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000 +0000
3	@@ -42,6 +42,10 @@
4	{
5	goto fail1;
6	}
7	+ if (&im->colorsTotal > gdMaxColors)
8	+ {
9	+ goto fail1;
10	+ }
11	}
12	/* Int to accommodate truecolor single-color transparency */
13	if (!gdGetInt (&im->transparent, in))




--- src/player.c
+++ src/player.c
@@ -23,6 +23,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include <math.h>
 
@@ -132,8 +133,14 @@
 		}
 	}
 
-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+	if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
+	{
+		API->err = wmf_E_InsMem;
+		WMF_DEBUG (API,"bailing...");
+		return (API->err);
+	}
+
+ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
 
 	if (ERR (API))
 	{	WMF_DEBUG (API,"bailing...");

Lines 1-10 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-cve-2009-1364 (-10 lines)
1	--- src/extra/gd/gd_clip.c
2	+++ src/extra/gd/gd_clip.c
3	@@ -70,6 +70,7 @@
4	{ more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
5	if (more == 0) return;
6	im->clip->max += 8;
7	+ im->clip->list = more;
8	}
9	im->clip->list[im->clip->count] = (*rect);
10	im->clip->count++;




--- src/player/meta.h
+++ src/player/meta.h
@@ -2585,6 +2585,8 @@
 			polyrect.BR[i] = clip->rects[i].BR;
 		}
 
+		if (FR->region_clip) FR->region_clip (API,&polyrect);
+
 		wmf_free (API,polyrect.TL);
 		wmf_free (API,polyrect.BR);
 	}
@@ -2593,9 +2595,10 @@
 		polyrect.BR = 0;
 
 		polyrect.count = 0;
+	
+		if (FR->region_clip) FR->region_clip (API,&polyrect);
 	}
 
-	if (FR->region_clip) FR->region_clip (API,&polyrect);
 
 	return (changed);
 }




Index: src/player/meta.h
===================================================================
--- libwmf-0.2.8.4.orig/src/player/meta.h
+++ src/player/meta.h
@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");

Lines 1-11 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-gd_png.c (-11 lines)
1	--- src/extra/gd/gd_png.c.orig 2010-03-28 12:44:53.000000000 +0200
2	+++ src/extra/gd/gd_png.c 2010-03-28 12:45:16.000000000 +0200
3	@@ -136,7 +136,7 @@
4	/* first do a quick check that the file really is a PNG image; could
5	* have used slightly more general png_sig_cmp() function instead */
6	gdGetBuf (sig, 8, infile);
7	- if (!png_check_sig (sig, 8))
8	+ if (png_sig_cmp (sig, 0, 8))
9	return NULL; /* bad signature */
10
11	#ifndef PNG_SETJMP_NOT_SUPPORTED




--- src/ipa/ipa/bmp.h	2015-06-02 11:35:04.072201795 +0100
+++ src/ipa/ipa/bmp.h	2015-06-02 11:35:20.647406414 +0100
@@ -1145,8 +1143,15 @@
 		}
 	}
 	else
-	{	/* Convert run-length encoded raster pixels. */
-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+	{
+		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
+		{
+			DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+		}
+		else
+		{	WMF_ERROR (API,"Unexpected pixel depth");
+			API->err = wmf_E_BadFormat;
+		}
 	}
 
 	if (ERR (API))




diff -ru src/ipa/ipa/bmp.h src/ipa/ipa/bmp.h
--- src/ipa/ipa/bmp.h	2015-06-03 09:30:59.410501271 +0100
+++ src/ipa/ipa/bmp.h	2015-06-03 09:31:05.775572630 +0100
@@ -859,7 +859,7 @@
 %
 %
 */
-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
 {	int byte;
 	int count;
 	int i;
@@ -870,12 +870,14 @@
 	U32 u;
 
 	unsigned char* q;
+	unsigned char* end;
 
 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
 
 	byte = 0;
 	x = 0;
 	q = pixels;
+	end = pixels + bmp->width * bmp->height;
 
 	for (y = 0; y < bmp->height; )
 	{	count = ReadBlobByte (src);
@@ -884,7 +886,10 @@
 		{	/* Encoded mode. */
 			byte = ReadBlobByte (src);
 			for (i = 0; i < count; i++)
-			{	if (compression == 1)
+			{	
+				if (q == end)
+					return 0;
+			 	if (compression == 1)
 				{	(*(q++)) = (unsigned char) byte;
 				}
 				else
@@ -896,13 +901,15 @@
 		else
 		{	/* Escape mode. */
 			count = ReadBlobByte (src);
-			if (count == 0x01) return;
+			if (count == 0x01) return 1;
 			switch (count)
 			{
 			case 0x00:
 			 {	/* End of line. */
 				x = 0;
 				y++;
+				if (y >= bmp->height)
+					return 0;
 				q = pixels + y * bmp->width;
 				break;
 			 }
@@ -910,13 +917,20 @@
 			 {	/* Delta mode. */
 				x += ReadBlobByte (src);
 				y += ReadBlobByte (src);
+				if (y >= bmp->height)
+					return 0;
+				if (x >= bmp->width)
+					return 0;
 				q = pixels + y * bmp->width + x;
 				break;
 			 }
 			default:
 			 {	/* Absolute mode. */
 				for (i = 0; i < count; i++)
-				{	if (compression == 1)
+				{
+					if (q == end)
+						return 0;
+					if (compression == 1)
 					{	(*(q++)) = ReadBlobByte (src);
 					}
 					else
@@ -943,7 +957,7 @@
 	byte = ReadBlobByte (src);  /* end of line */
 	byte = ReadBlobByte (src);
 
-	return;
+	return 1;
 }
 
 /*
@@ -1146,7 +1160,10 @@
 	{
 		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
 		{
-			DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
+			{	WMF_ERROR (API,"corrupt bmp");
+				API->err = wmf_E_BadFormat;
+			}
 		}
 		else
 		{	WMF_ERROR (API,"Unexpected pixel depth");
diff -ru src/ipa/ipa.h src/ipa/ipa.h
--- src/ipa/ipa.h	2015-06-03 09:30:59.410501271 +0100
+++ src/ipa/ipa.h	2015-06-03 09:31:08.687605277 +0100
@@ -48,7 +48,7 @@
 static unsigned short ReadBlobLSBShort (BMPSource*);
 static unsigned long  ReadBlobLSBLong (BMPSource*);
 static long           TellBlob (BMPSource*);
-static void           DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+static int            DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
 static void           ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
 static int            ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
 static void           SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_extra_gd_gd.c (+38 lines)
	1	--- src/extra/gd/gd.c.orig 2019-02-17 10:47:58 UTC
	2	+++ src/extra/gd/gd.c
	3	@@ -1333,10 +1333,31 @@ gdImageFilledArc (gdImagePtr im, int cx, int cy, int w
	4	int w2, h2;
	5	w2 = w / 2;
	6	h2 = h / 2;
	7	- while (e < s)
	8	- {
	9	- e += 360;
	10	- }
	11	+
	12	+ if ((s % 360) == (e % 360)) {
	13	+ s = 0; e = 360;
	14	+ } else {
	15	+ if (s > 360) {
	16	+ s = s % 360;
	17	+ }
	18	+
	19	+ if (e > 360) {
	20	+ e = e % 360;
	21	+ }
	22	+
	23	+ while (s < 0) {
	24	+ s += 360;
	25	+ }
	26	+
	27	+ while (e < s) {
	28	+ e += 360;
	29	+ }
	30	+
	31	+ if (s == e) {
	32	+ s = 0; e = 360;
	33	+ }
	34	+ }
	35	+
	36	for (i = s; (i <= e); i++)
	37	{
	38	int x, y;

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_extra_gd_gd__clip.c (+10 lines)
	1	--- src/extra/gd/gd_clip.c.orig 2001-03-28 09:37:29 UTC
	2	+++ src/extra/gd/gd_clip.c
	3	@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRectanglePtr rec
	4	{ more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
	5	if (more == 0) return;
	6	im->clip->max += 8;
	7	+ im->clip->list = more;
	8	}
	9	im->clip->list[im->clip->count] = (*rect);
	10	im->clip->count++;




--- src/extra/gd/gd_gd.c.orig	2005-07-27 20:35:05 UTC
+++ src/extra/gd/gd_gd.c
@@ -37,6 +37,10 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFla
 	    {
 	      goto fail1;
 	    }
+	  if (&im->colorsTotal > gdMaxColors)
+	    {
+	      goto fail1;
+	    }
 	}
       /* Int to accommodate truecolor single-color transparency */
       if (!gdGetInt (&im->transparent, in))

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_extra_gd_gd__png.c (+11 lines)
	1	--- src/extra/gd/gd_png.c.orig 2019-02-17 10:47:58 UTC
	2	+++ src/extra/gd/gd_png.c
	3	@@ -139,7 +139,7 @@ gdImageCreateFromPngCtx (gdIOCtx * infile)
	4	/* first do a quick check that the file really is a PNG image; could
	5	* have used slightly more general png_sig_cmp() function instead */
	6	gdGetBuf (sig, 8, infile);
	7	- if (!png_check_sig (sig, 8))
	8	+ if (png_sig_cmp (sig, 0, 8))
	9	return NULL; /* bad signature */
	10
	11	#ifndef PNG_SETJMP_NOT_SUPPORTED

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_extra_gd_gdft.c (+11 lines)
	1	--- src/extra/gd/gdft.c.orig 2005-07-27 20:35:05 UTC
	2	+++ src/extra/gd/gdft.c
	3	@@ -809,7 +809,7 @@ gdImageStringFT (gdImage * im, int *brect, int fg, cha
	4	{
	5	ch = c & 0xFF; /* don't extend sign */
	6	}
	7	- next++;
	8	+ if (*next) next++;
	9	}
	10	else
	11	{




--- src/extra/gd/gdhelpers.c.orig	2005-07-27 20:35:05 UTC
+++ src/extra/gd/gdhelpers.c
@@ -2,6 +2,7 @@
 #include "gdhelpers.h"
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 
 /* TBB: gd_strtok_r is not portable; provide an implementation */
 
@@ -93,4 +94,19 @@ void
 gdFree (void *ptr)
 {
   free (ptr);
+}
+
+int overflow2(int a, int b)
+{
+	if(a < 0 || b < 0) {
+		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
+		return 1;
+	}
+	if(b == 0)
+		return 0;
+	if(a > INT_MAX / b) {
+		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+		return 1;
+	}
+	return 0;
 }

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_extra_gd_gdhelpers.h (+10 lines)
	1	--- src/extra/gd/gdhelpers.h.orig 2001-03-28 09:37:31 UTC
	2	+++ src/extra/gd/gdhelpers.h
	3	@@ -13,5 +13,7 @@ void *gdCalloc(size_t nmemb, size_t size);
	4	void *gdMalloc(size_t size);
	5	void gdRealloc(void ptr, size_t size);
	6
	7	+int overflow2(int a, int b);
	8	+
	9	#endif /* GDHELPERS_H */
	10

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_ipa_ipa.h (+11 lines)
	1	--- src/ipa/ipa.h.orig 2001-10-28 14:07:20 UTC
	2	+++ src/ipa/ipa.h
	3	@@ -48,7 +48,7 @@ static int ReadBlobByte (BMPSource*);
	4	static unsigned short ReadBlobLSBShort (BMPSource*);
	5	static unsigned long ReadBlobLSBLong (BMPSource*);
	6	static long TellBlob (BMPSource*);
	7	-static void DecodeImage (wmfAPI,wmfBMP,BMPSource,unsigned int,unsigned char);
	8	+static int DecodeImage (wmfAPI,wmfBMP,BMPSource,unsigned int,unsigned char);
	9	static void ReadBMPImage (wmfAPI,wmfBMP,BMPSource*);
	10	static int ExtractColor (wmfAPI,wmfBMP,wmfRGB*,unsigned int,unsigned int);
	11	static void SetColor (wmfAPI,wmfBMP,wmfRGB*,unsigned char,unsigned int,unsigned int);




--- src/ipa/ipa/bmp.h.orig	2019-02-17 10:48:16 UTC
+++ src/ipa/ipa/bmp.h
@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
 %
 %
 */
-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
 {	int byte;
 	int count;
 	int i;
@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
 	U32 u;
 
 	unsigned char* q;
+	unsigned char* end;
 
 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
 
 	byte = 0;
 	x = 0;
 	q = pixels;
+	end = pixels + bmp->width * bmp->height;
 
 	for (y = 0; y < bmp->height; )
 	{	count = ReadBlobByte (src);
@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
 		{	/* Encoded mode. */
 			byte = ReadBlobByte (src);
 			for (i = 0; i < count; i++)
-			{	if (compression == 1)
+			{	
+				if (q == end)
+					return 0;
+			 	if (compression == 1)
 				{	(*(q++)) = (unsigned char) byte;
 				}
 				else
@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
 		else
 		{	/* Escape mode. */
 			count = ReadBlobByte (src);
-			if (count == 0x01) return;
+			if (count == 0x01) return 1;
 			switch (count)
 			{
 			case 0x00:
 			 {	/* End of line. */
 				x = 0;
 				y++;
+				if (y >= bmp->height)
+					return 0;
 				q = pixels + y * bmp->width;
 				break;
 			 }
@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
 			 {	/* Delta mode. */
 				x += ReadBlobByte (src);
 				y += ReadBlobByte (src);
+				if (y >= bmp->height)
+					return 0;
+				if (x >= bmp->width)
+					return 0;
 				q = pixels + y * bmp->width + x;
 				break;
 			 }
 			default:
 			 {	/* Absolute mode. */
 				for (i = 0; i < count; i++)
-				{	if (compression == 1)
+				{
+					if (q == end)
+						return 0;
+					if (compression == 1)
 					{	(*(q++)) = ReadBlobByte (src);
 					}
 					else
@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
 	byte = ReadBlobByte (src);  /* end of line */
 	byte = ReadBlobByte (src);
 
-	return;
+	return 1;
 }
 
 /*
@@ -1143,8 +1157,18 @@ static void ReadBMPImage (wmfAPI* API,wmfBMP* bmp,BMPS
 		}
 	}
 	else
-	{	/* Convert run-length encoded raster pixels. */
-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+	{
+		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
+		{
+			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
+			{	WMF_ERROR (API,"corrupt bmp");
+				API->err = wmf_E_BadFormat;
+			}
+		}
+		else
+		{	WMF_ERROR (API,"Unexpected pixel depth");
+			API->err = wmf_E_BadFormat;
+		}
 	}
 
 	if (ERR (API))




--- src/player.c.orig	2002-12-10 19:30:26 UTC
+++ src/player.c
@@ -23,6 +23,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include <math.h>
 
@@ -132,8 +133,14 @@ wmf_error_t wmf_scan (wmfAPI* API,unsigned long flags,
 		}
 	}
 
-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+	if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
+	{
+		API->err = wmf_E_InsMem;
+		WMF_DEBUG (API,"bailing...");
+		return (API->err);
+	}
+
+ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
 
 	if (ERR (API))
 	{	WMF_DEBUG (API,"bailing...");




--- src/player/meta.h.orig	2019-02-17 10:47:58 UTC
+++ src/player/meta.h
@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,wmfRecord* Rec
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,wmfRecord* Reco
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3070,7 +3070,7 @@ static int meta_pen_create (wmfAPI* API,wmfRecord* Rec
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3184,7 +3184,7 @@ static int meta_brush_create (wmfAPI* API,wmfRecord* R
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3291,7 +3291,7 @@ static int meta_font_create (wmfAPI* API,wmfRecord* Re
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");
@@ -3399,7 +3399,7 @@ static int meta_palette_create (wmfAPI* API,wmfRecord*
 	objects = P->objects;
 
 	i = 0;
-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
+	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
 
 	if (i == NUM_OBJECTS (API))
 	{	WMF_ERROR (API,"Object out of range!");

Return to bug 235768

Lines 7-13 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/Makefile (-5 / +6 lines)
7	CATEGORIES= graphics	7	CATEGORIES= graphics
8	MASTER_SITES= SF/wvware/${PORTNAME}/${PORTVERSION}	8	MASTER_SITES= SF/wvware/${PORTNAME}/${PORTVERSION}
9		9
10	MAINTAINER= ports@FreeBSD.org	10	MAINTAINER= phascolarctos@protonmail.ch
11	COMMENT= Tools and library for converting Microsoft WMF (windows metafile)	11	COMMENT= Tools and library for converting Microsoft WMF (windows metafile)
12		12
13	LICENSE= GPLv2+	13	LICENSE= GPLv2+
Lines 16-33 Link Here
16	LIB_DEPENDS= libpng.so:graphics/png \	16	LIB_DEPENDS= libpng.so:graphics/png \
17	libfreetype.so:print/freetype2	17	libfreetype.so:print/freetype2
18		18
19	CONFLICTS?= libwmf-nox11-[0-9]*	19	USES= gnome jpeg libtool
		20	USE_GNOME= libxml2
		21	USE_LDCONFIG= yes
20		22
21	GNU_CONFIGURE= yes	23	GNU_CONFIGURE= yes
22	CONFIGURE_ARGS= --with-sys-gd=no \	24	CONFIGURE_ARGS= --with-sys-gd=no \
23	--with-png=${LOCALBASE} --with-jpeg=${LOCALBASE} \	25	--with-png=${LOCALBASE} --with-jpeg=${LOCALBASE} \
24	--with-gsfontdir=${LOCALBASE}/share/ghostscript/fonts	26	--with-gsfontdir=${LOCALBASE}/share/ghostscript/fonts
25	INSTALL_TARGET= install-strip	27	INSTALL_TARGET= install-strip
26	USES= jpeg libtool
27	USE_GNOME= libxml2
28	USE_LDCONFIG= yes
29		28
30	PORTDOCS= *	29	PORTDOCS= *
		30
		31	CONFLICTS?= libwmf-nox11-[0-9]*
31		32
32	OPTIONS_DEFINE= X11 DOCS	33	OPTIONS_DEFINE= X11 DOCS
33	OPTIONS_DEFAULT=X11	34	OPTIONS_DEFAULT=X11

Lines 1-17 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-CAN-2004-0941 (-17 lines)
1	--- src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824 -0500
2	+++ src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960 -0500
3	@@ -188,6 +188,14 @@
4
5	png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
6	&interlace_type, NULL, NULL);
7	+ if (overflow2(sizeof (int), width))
8	+ {
9	+ return NULL;
10	+ }
11	+ if (overflow2(sizeof (int) * width, height))
12	+ {
13	+ return NULL;
14	+ }
15	if ((color_type == PNG_COLOR_TYPE_RGB) \|\|
16	(color_type == PNG_COLOR_TYPE_RGB_ALPHA))
17	{

Lines 1-16 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-CVE-2007-2756 (-16 lines)
1	--- src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000 1.21.2.1
2	+++ src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000
3	@@ -78,8 +78,11 @@
4	gdPngReadData (png_structp png_ptr,
5	png_bytep data, png_size_t length)
6	{
7	- gdGetBuf (data, length, (gdIOCtx *)
8	- png_get_io_ptr (png_ptr));
9	+ int check;
10	+ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
11	+ if (check != length) {
12	+ png_error(png_ptr, "Read Error: truncated data");
13	+ }
14	}
15
16	static void

Lines 1-61 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-CVE-2007-3472 (-61 lines)
1	Patch modified slightly from upstream CentOS version
2
3	--- src/extra/gd/gd.c
4	+++ src/extra/gd/gd.c
5	@@ -106,6 +106,18 @@
6	gdImagePtr im;
7	unsigned long cpa_size;
8
9	+ if (overflow2(sx, sy)) {
10	+ return NULL;
11	+ }
12	+
13	+ if (overflow2(sizeof (int *), sy)) {
14	+ return NULL;
15	+ }
16	+
17	+ if (overflow2(sizeof(int), sx)) {
18	+ return NULL;
19	+ }
20	+
21	im = (gdImage *) gdMalloc (sizeof (gdImage));
22	if (im == 0) return 0;
23	memset (im, 0, sizeof (gdImage));
24	--- src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000
25	+++ src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000
26	@@ -2,6 +2,7 @@
27	#include "gdhelpers.h"
28	#include <stdlib.h>
29	#include <string.h>
30	+#include <limits.h>
31
32	/* TBB: gd_strtok_r is not portable; provide an implementation */
33
34	@@ -94,3 +95,18 @@
35	{
36	free (ptr);
37	}
38	+
39	+int overflow2(int a, int b)
40	+{
41	+ if(a < 0 \|\| b < 0) {
42	+ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
43	+ return 1;
44	+ }
45	+ if(b == 0)
46	+ return 0;
47	+ if(a > INT_MAX / b) {
48	+ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
49	+ return 1;
50	+ }
51	+ return 0;
52	+}
53	--- src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000
54	+++ src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000
55	@@ -15,4 +15,6 @@
56	void *gdMalloc(size_t size);
57	void gdRealloc(void ptr, size_t size);
58
59	+int overflow2(int a, int b);
60	+
61	#endif /* GDHELPERS_H */

Lines 1-27 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-cve-2006-3376 (-27 lines)
1	--- src/player.c
2	+++ src/player.c
3	@@ -23,6 +23,7 @@
4
5	#include <stdio.h>
6	#include <stdlib.h>
7	+#include <stdint.h>
8	#include <string.h>
9	#include <math.h>
10
11	@@ -132,8 +133,14 @@
12	}
13	}
14
15	-/* P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API)-3) 2 * sizeof (unsigned char));
16	- / P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
17	+ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
18	+ {
19	+ API->err = wmf_E_InsMem;
20	+ WMF_DEBUG (API,"bailing...");
21	+ return (API->err);
22	+ }
23	+
24	+ P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) 2 * sizeof (unsigned char));
25
26	if (ERR (API))
27	{ WMF_DEBUG (API,"bailing...");

Lines 1-23 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-deb784192-CVE-2015-4696 (-23 lines)
1	--- src/player/meta.h
2	+++ src/player/meta.h
3	@@ -2585,6 +2585,8 @@
4	polyrect.BR[i] = clip->rects[i].BR;
5	}
6
7	+ if (FR->region_clip) FR->region_clip (API,&polyrect);
8	+
9	wmf_free (API,polyrect.TL);
10	wmf_free (API,polyrect.BR);
11	}
12	@@ -2593,9 +2595,10 @@
13	polyrect.BR = 0;
14
15	polyrect.count = 0;
16	+
17	+ if (FR->region_clip) FR->region_clip (API,&polyrect);
18	}
19
20	- if (FR->region_clip) FR->region_clip (API,&polyrect);
21
22	return (changed);
23	}

Lines 1-58 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-deb784205-CVE-2015-4695 (-58 lines)
1	Index: src/player/meta.h
2	===================================================================
3	--- libwmf-0.2.8.4.orig/src/player/meta.h
4	+++ src/player/meta.h
5	@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
6	objects = P->objects;
7
8	i = 0;
9	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
10	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
11
12	if (i == NUM_OBJECTS (API))
13	{ WMF_ERROR (API,"Object out of range!");
14	@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
15	objects = P->objects;
16
17	i = 0;
18	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
19	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
20
21	if (i == NUM_OBJECTS (API))
22	{ WMF_ERROR (API,"Object out of range!");
23	@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
24	objects = P->objects;
25
26	i = 0;
27	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
28	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
29
30	if (i == NUM_OBJECTS (API))
31	{ WMF_ERROR (API,"Object out of range!");
32	@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
33	objects = P->objects;
34
35	i = 0;
36	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
37	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
38
39	if (i == NUM_OBJECTS (API))
40	{ WMF_ERROR (API,"Object out of range!");
41	@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
42	objects = P->objects;
43
44	i = 0;
45	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
46	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
47
48	if (i == NUM_OBJECTS (API))
49	{ WMF_ERROR (API,"Object out of range!");
50	@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
51	objects = P->objects;
52
53	i = 0;
54	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
55	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
56
57	if (i == NUM_OBJECTS (API))
58	{ WMF_ERROR (API,"Object out of range!");

Lines 1-20 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848 (-20 lines)
1	--- src/ipa/ipa/bmp.h 2015-06-02 11:35:04.072201795 +0100
2	+++ src/ipa/ipa/bmp.h 2015-06-02 11:35:20.647406414 +0100
3	@@ -1145,8 +1143,15 @@
4	}
5	}
6	else
7	- { /* Convert run-length encoded raster pixels. */
8	- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
9	+ {
10	+ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
11	+ {
12	+ DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
13	+ }
14	+ else
15	+ { WMF_ERROR (API,"Unexpected pixel depth");
16	+ API->err = wmf_E_BadFormat;
17	+ }
18	}
19
20	if (ERR (API))

Lines 1-111 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588 (-111 lines)
1	diff -ru src/ipa/ipa/bmp.h src/ipa/ipa/bmp.h
2	--- src/ipa/ipa/bmp.h 2015-06-03 09:30:59.410501271 +0100
3	+++ src/ipa/ipa/bmp.h 2015-06-03 09:31:05.775572630 +0100
4	@@ -859,7 +859,7 @@
5	%
6	%
7	*/
8	-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
9	+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
10	{ int byte;
11	int count;
12	int i;
13	@@ -870,12 +870,14 @@
14	U32 u;
15
16	unsigned char* q;
17	+ unsigned char* end;
18
19	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
20
21	byte = 0;
22	x = 0;
23	q = pixels;
24	+ end = pixels + bmp->width * bmp->height;
25
26	for (y = 0; y < bmp->height; )
27	{ count = ReadBlobByte (src);
28	@@ -884,7 +886,10 @@
29	{ /* Encoded mode. */
30	byte = ReadBlobByte (src);
31	for (i = 0; i < count; i++)
32	- { if (compression == 1)
33	+ {
34	+ if (q == end)
35	+ return 0;
36	+ if (compression == 1)
37	{ (*(q++)) = (unsigned char) byte;
38	}
39	else
40	@@ -896,13 +901,15 @@
41	else
42	{ /* Escape mode. */
43	count = ReadBlobByte (src);
44	- if (count == 0x01) return;
45	+ if (count == 0x01) return 1;
46	switch (count)
47	{
48	case 0x00:
49	{ /* End of line. */
50	x = 0;
51	y++;
52	+ if (y >= bmp->height)
53	+ return 0;
54	q = pixels + y * bmp->width;
55	break;
56	}
57	@@ -910,13 +917,20 @@
58	{ /* Delta mode. */
59	x += ReadBlobByte (src);
60	y += ReadBlobByte (src);
61	+ if (y >= bmp->height)
62	+ return 0;
63	+ if (x >= bmp->width)
64	+ return 0;
65	q = pixels + y * bmp->width + x;
66	break;
67	}
68	default:
69	{ /* Absolute mode. */
70	for (i = 0; i < count; i++)
71	- { if (compression == 1)
72	+ {
73	+ if (q == end)
74	+ return 0;
75	+ if (compression == 1)
76	{ (*(q++)) = ReadBlobByte (src);
77	}
78	else
79	@@ -943,7 +957,7 @@
80	byte = ReadBlobByte (src); /* end of line */
81	byte = ReadBlobByte (src);
82
83	- return;
84	+ return 1;
85	}
86
87	/*
88	@@ -1146,7 +1160,10 @@
89	{
90	if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
91	{
92	- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
93	+ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
94	+ { WMF_ERROR (API,"corrupt bmp");
95	+ API->err = wmf_E_BadFormat;
96	+ }
97	}
98	else
99	{ WMF_ERROR (API,"Unexpected pixel depth");
100	diff -ru src/ipa/ipa.h src/ipa/ipa.h
101	--- src/ipa/ipa.h 2015-06-03 09:30:59.410501271 +0100
102	+++ src/ipa/ipa.h 2015-06-03 09:31:08.687605277 +0100
103	@@ -48,7 +48,7 @@
104	static unsigned short ReadBlobLSBShort (BMPSource*);
105	static unsigned long ReadBlobLSBLong (BMPSource*);
106	static long TellBlob (BMPSource*);
107	-static void DecodeImage (wmfAPI,wmfBMP,BMPSource,unsigned int,unsigned char);
108	+static int DecodeImage (wmfAPI,wmfBMP,BMPSource,unsigned int,unsigned char);
109	static void ReadBMPImage (wmfAPI,wmfBMP,BMPSource*);
110	static int ExtractColor (wmfAPI,wmfBMP,wmfRGB*,unsigned int,unsigned int);
111	static void SetColor (wmfAPI,wmfBMP,wmfRGB*,unsigned char,unsigned int,unsigned int);

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_extra_gd_gd__gd.c (+13 lines)
	1	--- src/extra/gd/gd_gd.c.orig 2005-07-27 20:35:05 UTC
	2	+++ src/extra/gd/gd_gd.c
	3	@@ -37,6 +37,10 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFla
	4	{
	5	goto fail1;
	6	}
	7	+ if (&im->colorsTotal > gdMaxColors)
	8	+ {
	9	+ goto fail1;
	10	+ }
	11	}
	12	/* Int to accommodate truecolor single-color transparency */
	13	if (!gdGetInt (&im->transparent, in))

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_extra_gd_gdhelpers.c (+30 lines)
	1	--- src/extra/gd/gdhelpers.c.orig 2005-07-27 20:35:05 UTC
	2	+++ src/extra/gd/gdhelpers.c
	3	@@ -2,6 +2,7 @@
	4	#include "gdhelpers.h"
	5	#include <stdlib.h>
	6	#include <string.h>
	7	+#include <limits.h>
	8
	9	/* TBB: gd_strtok_r is not portable; provide an implementation */
	10
	11	@@ -93,4 +94,19 @@ void
	12	gdFree (void *ptr)
	13	{
	14	free (ptr);
	15	+}
	16	+
	17	+int overflow2(int a, int b)
	18	+{
	19	+ if(a < 0 \|\| b < 0) {
	20	+ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
	21	+ return 1;
	22	+ }
	23	+ if(b == 0)
	24	+ return 0;
	25	+ if(a > INT_MAX / b) {
	26	+ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
	27	+ return 1;
	28	+ }
	29	+ return 0;
	30	}

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_ipa_ipa_bmp.h (+107 lines)
		1	--- src/ipa/ipa/bmp.h.orig 2019-02-17 10:48:16 UTC
		2	+++ src/ipa/ipa/bmp.h
		3	@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
		4	%
		5	%
		6	*/
		7	-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
		8	+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
		9	{ int byte;
		10	int count;
		11	int i;
		12	@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
		13	U32 u;
		14
		15	unsigned char* q;
		16	+ unsigned char* end;
		17
		18	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
		19
		20	byte = 0;
		21	x = 0;
		22	q = pixels;
		23	+ end = pixels + bmp->width * bmp->height;
		24
		25	for (y = 0; y < bmp->height; )
		26	{ count = ReadBlobByte (src);
		27	@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
		28	{ /* Encoded mode. */
		29	byte = ReadBlobByte (src);
		30	for (i = 0; i < count; i++)
		31	- { if (compression == 1)
		32	+ {
		33	+ if (q == end)
		34	+ return 0;
		35	+ if (compression == 1)
		36	{ (*(q++)) = (unsigned char) byte;
		37	}
		38	else
		39	@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
		40	else
		41	{ /* Escape mode. */
		42	count = ReadBlobByte (src);
		43	- if (count == 0x01) return;
		44	+ if (count == 0x01) return 1;
		45	switch (count)
		46	{
		47	case 0x00:
		48	{ /* End of line. */
		49	x = 0;
		50	y++;
		51	+ if (y >= bmp->height)
		52	+ return 0;
		53	q = pixels + y * bmp->width;
		54	break;
		55	}
		56	@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
		57	{ /* Delta mode. */
		58	x += ReadBlobByte (src);
		59	y += ReadBlobByte (src);
		60	+ if (y >= bmp->height)
		61	+ return 0;
		62	+ if (x >= bmp->width)
		63	+ return 0;
		64	q = pixels + y * bmp->width + x;
65	break;
66	}
67	default:
68	{ /* Absolute mode. */
69	for (i = 0; i < count; i++)
70	- { if (compression == 1)
71	+ {
72	+ if (q == end)
73	+ return 0;
74	+ if (compression == 1)
75	{ (*(q++)) = ReadBlobByte (src);
76	}
77	else
78	@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
79	byte = ReadBlobByte (src); /* end of line */
80	byte = ReadBlobByte (src);
81
82	- return;
83	+ return 1;
84	}
85
86	/*
87	@@ -1143,8 +1157,18 @@ static void ReadBMPImage (wmfAPI* API,wmfBMP* bmp,BMPS
88	}
89	}
90	else
91	- { /* Convert run-length encoded raster pixels. */
92	- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
93	+ {
94	+ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
95	+ {
96	+ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
97	+ { WMF_ERROR (API,"corrupt bmp");
98	+ API->err = wmf_E_BadFormat;
99	+ }
100	+ }
101	+ else
102	+ { WMF_ERROR (API,"Unexpected pixel depth");
103	+ API->err = wmf_E_BadFormat;
104	+ }
105	}
106
107	if (ERR (API))

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_player.c (+27 lines)
	1	--- src/player.c.orig 2002-12-10 19:30:26 UTC
	2	+++ src/player.c
	3	@@ -23,6 +23,7 @@
	4
	5	#include <stdio.h>
	6	#include <stdlib.h>
	7	+#include <stdint.h>
	8	#include <string.h>
	9	#include <math.h>
	10
	11	@@ -132,8 +133,14 @@ wmf_error_t wmf_scan (wmfAPI* API,unsigned long flags,
	12	}
	13	}
	14
	15	-/* P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API)-3) 2 * sizeof (unsigned char));
	16	- / P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
	17	+ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
	18	+ {
	19	+ API->err = wmf_E_InsMem;
	20	+ WMF_DEBUG (API,"bailing...");
	21	+ return (API->err);
	22	+ }
	23	+
	24	+ P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) 2 * sizeof (unsigned char));
	25
	26	if (ERR (API))
	27	{ WMF_DEBUG (API,"bailing...");

Line 0 Link Here

(-)/usr/local/poudriere/ports/experimental/graphics/libwmf/files/patch-src_player_meta.h (+56 lines)
	1	--- src/player/meta.h.orig 2019-02-17 10:47:58 UTC
	2	+++ src/player/meta.h
	3	@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,wmfRecord* Rec
	4	objects = P->objects;
	5
	6	i = 0;
	7	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
	8	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
	9
	10	if (i == NUM_OBJECTS (API))
	11	{ WMF_ERROR (API,"Object out of range!");
	12	@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,wmfRecord* Reco
	13	objects = P->objects;
	14
	15	i = 0;
	16	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
	17	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
	18
	19	if (i == NUM_OBJECTS (API))
	20	{ WMF_ERROR (API,"Object out of range!");
	21	@@ -3070,7 +3070,7 @@ static int meta_pen_create (wmfAPI* API,wmfRecord* Rec
	22	objects = P->objects;
	23
	24	i = 0;
	25	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
	26	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
	27
	28	if (i == NUM_OBJECTS (API))
	29	{ WMF_ERROR (API,"Object out of range!");
	30	@@ -3184,7 +3184,7 @@ static int meta_brush_create (wmfAPI* API,wmfRecord* R
	31	objects = P->objects;
	32
	33	i = 0;
	34	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
	35	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
	36
	37	if (i == NUM_OBJECTS (API))
	38	{ WMF_ERROR (API,"Object out of range!");
	39	@@ -3291,7 +3291,7 @@ static int meta_font_create (wmfAPI* API,wmfRecord* Re
	40	objects = P->objects;
	41
	42	i = 0;
	43	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
	44	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
	45
	46	if (i == NUM_OBJECTS (API))
	47	{ WMF_ERROR (API,"Object out of range!");
	48	@@ -3399,7 +3399,7 @@ static int meta_palette_create (wmfAPI* API,wmfRecord*
	49	objects = P->objects;
	50
	51	i = 0;
	52	- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
	53	+ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
	54
	55	if (i == NUM_OBJECTS (API))
	56	{ WMF_ERROR (API,"Object out of range!");