authorMark H Weaver <mhw@netris.org>2015-07-06 20:02:47 -0400
committerMark H Weaver <mhw@netris.org>2015-07-06 20:04:50 -0400
commit9ed548643918bb9415b16707f360f49fcab89627 (patch)
treea47ef9eafd123489f132ae71afbc1de94ec95ae3
parent075d99f19599b2903490942d8c3717cdd5b5d31e (diff)
gnu: libwmf: Fix CVE-2006-3376, CVE-2009-1364, CVE-2015-{0848,4588,4695,4696}.
* gnu/packages/patches/libwmf-CVE-2006-3376.patch, gnu/packages/patches/libwmf-CVE-2009-1364.patch, gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (libwmf)[source]: Add patches.
-rw-r--r--gnu-system.am3
-rw-r--r--gnu/packages/image.scm6
-rw-r--r--gnu/packages/patches/libwmf-CVE-2006-3376.patch30
-rw-r--r--gnu/packages/patches/libwmf-CVE-2009-1364.patch13
-rw-r--r--gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch189
5 files changed, 240 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am
index 7e25f6f518..ef061e8429 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -518,6 +518,9 @@ dist_patch_DATA = \
gnu/packages/patches/libvpx-fix-armhf-link.patch \
gnu/packages/patches/libvpx-fix-ssse3-quantize.patch \
gnu/packages/patches/libvpx-vp9-out-of-bounds-access.patch \
+ gnu/packages/patches/libwmf-CVE-2006-3376.patch \
+ gnu/packages/patches/libwmf-CVE-2009-1364.patch \
+ gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch \
gnu/packages/patches/lirc-localstatedir.patch \
gnu/packages/patches/lm-sensors-hwmon-attrs.patch \
gnu/packages/patches/lua51-liblua-so.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index ad4acb787e..30f380038b 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -162,7 +162,11 @@ collection of tools for doing simple manipulations of TIFF images.")
name "/" version
"/" name "-" version ".tar.gz"))
(sha256
- (base32 "1y3wba4q8pl7kr51212jwrsz1x6nslsx1gsjml1x0i8549lmqd2v"))))
+ (base32 "1y3wba4q8pl7kr51212jwrsz1x6nslsx1gsjml1x0i8549lmqd2v"))
+ (patches
+ (map search-patch '("libwmf-CVE-2006-3376.patch"
+ "libwmf-CVE-2009-1364.patch"
+ "libwmf-CVE-2015-0848+4588+4695+4696.patch")))))
(build-system gnu-build-system)
(inputs
diff --git a/gnu/packages/patches/libwmf-CVE-2006-3376.patch b/gnu/packages/patches/libwmf-CVE-2006-3376.patch
new file mode 100644
index 0000000000..1e0e1ecfa8
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2006-3376.patch
@@ -0,0 +1,30 @@
+Copied from Debian.
+
+--- libwmf-0.2.8.4.orig/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -23,6 +23,7 @@
+
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <math.h>
+
+@@ -132,8 +133,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
+
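Review bot: The new guard in player.c compares `MAX_REC_SIZE(API)` against `UINT32_MAX / 2` without saying why that bound is the right one. It is only correct if the macro yields a 32-bit unsigned value, so that the `* 2` in the `wmf_malloc` argument is the operation that wraps; the macro's type is not visible in this hunk and should be confirmed. I would add a comment above the check, for example `/* reject record sizes whose doubling would wrap in 32-bit arithmetic before wmf_malloc sees the size */`. The rejection is also reported as `wmf_E_InsMem`, which will read as an out-of-memory condition in logs rather than as a malformed record size, so the comment should say that too. The enclosing function starts and ends outside the hunk.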
diff --git a/gnu/packages/patches/libwmf-CVE-2009-1364.patch b/gnu/packages/patches/libwmf-CVE-2009-1364.patch
new file mode 100644
index 0000000000..254b821596
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2009-1364.patch
@@ -0,0 +1,13 @@
+Copied from Debian.
+
+--- libwmf-0.2.8.4.orig/src/extra/gd/gd_clip.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c
+@@ -70,6 +70,7 @@
+ { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+ if (more == 0) return;
+ im->clip->max += 8;
++ im->clip->list = more;
+ }
+ im->clip->list[im->clip->count] = (*rect);
+ im->clip->count++;
+
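Review bot: The header of this patch file says only `Copied from Debian.`, which gives a later auditor no way to match it to a specific Debian upload or to notice when Debian revises the fix. The same bare line appears in libwmf-CVE-2006-3376.patch and libwmf-CVE-2015-0848+4588+4695+4696.patch. I would extend each header with the Debian source package version and the patch's file name there, e.g. `Copied from Debian: libwmf <DEBIAN_VERSION>, debian/patches/<PATCH_NAME>`, where both values are placeholders to be filled in from the actual source. The code change itself, storing the `gdRealloc` result back into `im->clip->list`, reads correctly; the enclosing function starts and ends outside the hunk.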
diff --git a/gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch b/gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch
new file mode 100644
index 0000000000..091fc8bb41
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch
@@ -0,0 +1,189 @@
+Fix CVE-2015-0848, CVE-2015-4588, CVE-2015-4695, and CVE-2015-4696.
+Copied from Debian.
+
+--- libwmf-0.2.8.4.orig/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -2593,9 +2593,10 @@ static int meta_dc_restore (wmfAPI* API,
+ polyrect.BR = 0;
+
+ polyrect.count = 0;
++
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
+ }
+
+- if (FR->region_clip) FR->region_clip (API,&polyrect);
+
+ return (changed);
+ }
+@@ -3067,7 +3068,7 @@ static int meta_pen_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3182,7 @@ static int meta_brush_create (wmfAPI* AP
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3289,7 @@ static int meta_font_create (wmfAPI* API
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3397,7 @@ static int meta_palette_create (wmfAPI*
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+--- libwmf-0.2.8.4.orig/src/ipa/ipa.h
++++ libwmf-0.2.8.4/src/ipa/ipa.h
+@@ -48,7 +48,7 @@ static int ReadBlobByte (BMPS
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long ReadBlobLSBLong (BMPSource*);
+ static long TellBlob (BMPSource*);
+-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
+--- libwmf-0.2.8.4.orig/src/ipa/ipa/bmp.h
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h
+@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ { int byte;
+ int count;
+ int i;
+@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmf
+ U32 u;
+
+ unsigned char* q;
++ unsigned char* end;
+
+ for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+
+ byte = 0;
+ x = 0;
+ q = pixels;
++ end = pixels + bmp->width * bmp->height;
+
+ for (y = 0; y < bmp->height; )
+ { count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmf
+ { /* Encoded mode. */
+ byte = ReadBlobByte (src);
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = (unsigned char) byte;
+ }
+ else
+@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmf
+ else
+ { /* Escape mode. */
+ count = ReadBlobByte (src);
+- if (count == 0x01) return;
++ if (count == 0x01) return 1;
+ switch (count)
+ {
+ case 0x00:
+ { /* End of line. */
+ x = 0;
+ y++;
++ if (y >= bmp->height)
++ return 0;
+ q = pixels + y * bmp->width;
+ break;
+ }
+@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmf
+ { /* Delta mode. */
+ x += ReadBlobByte (src);
+ y += ReadBlobByte (src);
++ if (y >= bmp->height)
++ return 0;
++ if (x >= bmp->width)
++ return 0;
+ q = pixels + y * bmp->width + x;
+ break;
+ }
+ default:
+ { /* Absolute mode. */
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = ReadBlobByte (src);
+ }
+ else
+@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmf
+ byte = ReadBlobByte (src); /* end of line */
+ byte = ReadBlobByte (src);
+
+- return;
++ return 1;
+ }
+
+ /*
+@@ -1143,8 +1157,18 @@ static void ReadBMPImage (wmfAPI* API,wm
+ }
+ }
+ else
+- { /* Convert run-length encoded raster pixels. */
+- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++ {
++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
++ {
++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
++ { WMF_ERROR (API,"corrupt bmp");
++ API->err = wmf_E_BadFormat;
++ }
++ }
++ else
++ { WMF_ERROR (API,"Unexpected pixel depth");
++ API->err = wmf_E_BadFormat;
++ }
+ }
+
+ if (ERR (API))
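Review bot: In DecodeImage the new bound `end = pixels + bmp->width * bmp->height;` multiplies the two fields without the `(U32)` casts that the zeroing loop a few lines above uses. If `width` and `height` are narrower than `int` (their declarations are not in this hunk), the product is computed in signed `int` and can overflow for large dimensions, leaving `end` unreliable as a limit. I would write `end = pixels + ((U32) bmp->width * (U32) bmp->height);` so both computations agree. The two `if (q == end)` guards would also be sturdier as `if (q >= end)`, since an equality test gives no protection once `q` has been moved past `end` by any path. DecodeImage's body and the declarations of `x` and `y` lie partly outside the hunks shown.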