
(-)b/graphics/libwmf/Makefile (-1 / +1 lines)
7
7
8
PORTNAME=	libwmf
8
PORTNAME=	libwmf
9
PORTVERSION=	0.2.8.4
9
PORTVERSION=	0.2.8.4
10
PORTREVISION=	2
10
PORTREVISION=	3
11
CATEGORIES=	graphics
11
CATEGORIES=	graphics
12
MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
12
MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
13
MASTER_SITE_SUBDIR=	wvware
13
MASTER_SITE_SUBDIR=	wvware
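--- a/graphics/libwmf/files/patch-cve-2006-3376
+++ b/graphics/libwmf/files/patch-cve-2006-3376
@@ -0,0 +1,30 @@
+Fix for CVE-2006-3376.
+
+Obtained from: Ubuntu
+--- src/player.c
++++ src/player.c
+@@ -23,6 +23,7 @@
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <math.h>
+ 
+@@ -132,8 +133,14 @@
+ 		}
+ 	}
+ 
+-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++	if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++	{
++		API->err = wmf_E_InsMem;
++		WMF_DEBUG (API,"bailing...");
++		return (API->err);
++	}
++
++ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");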
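Review bot: The guard `if (MAX_REC_SIZE(API) > UINT32_MAX / 2)` in the second src/player.c hunk hard-codes a 32-bit limit, but neither the type of MAX_REC_SIZE(API) nor the size parameter of wmf_malloc is visible here, so it is not clear that the bound matches the type in which `MAX_REC_SIZE(API) * 2` is actually evaluated. A comment above the check should state that assumption, e.g. `/* reject record sizes whose doubling would wrap a 32-bit size */`. The rejection also logs the same `"bailing..."` string as the allocation-failure path right below it and reuses wmf_E_InsMem, so an oversized record size cannot be told apart from genuine memory exhaustion when triaging a crash report or a malformed file; a distinct message such as `WMF_DEBUG (API,"record size too large, bailing...");` would fix that. The enclosing function starts and ends outside the hunk.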
(-)b/graphics/libwmf/files/patch-cve-2009-1364 (-1 / +14 lines)
0
- 
1
Patch for CVE-2009-1364
2
3
Obtained from: Ubuntu
4
5
--- src/extra/gd/gd_clip.c
6
+++ src/extra/gd/gd_clip.c
7
@@ -70,6 +70,7 @@
8
 	{	more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
9
 		if (more == 0) return;
10
 		im->clip->max += 8;
11
+		im->clip->list = more;
12
 	}
13
 	im->clip->list[im->clip->count] = (*rect);
14
 	im->clip->count++;
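Review bot: The added `im->clip->list = more;` in src/extra/gd/gd_clip.c deserves a one-line comment, because without it the following store `im->clip->list[im->clip->count] = (*rect);` goes through a pointer that gdRealloc may already have released: `/* gdRealloc may move the block; the old list pointer is stale after success */`. Separately, the size expression `(im->clip->max + 8) * sizeof (gdClipRectangle)` on the context line above is still computed without an overflow check, and the `more == 0` path returns silently, so the caller cannot tell that the rectangle was dropped. Both look worth a follow-up, though the types involved are not visible in this hunk. The enclosing function begins and ends outside the hunk.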
