gnu: libwmf: Fix CVE-2006-3376, CVE-2009-1364, CVE-2015-{0848,4588,4695,4696}.

* gnu/packages/patches/libwmf-CVE-2006-3376.patch,
  gnu/packages/patches/libwmf-CVE-2009-1364.patch,
  gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libwmf)[source]: Add patches.

1 files changed, 30 insertions, 0 deletions

diff --git a/gnu/packages/patches/libwmf-CVE-2006-3376.patch b/gnu/packages/patches/libwmf-CVE-2006-3376.patch
new file mode 100644
index 0000000000..1e0e1ecfa8
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2006-3376.patch
@@ -0,0 +1,30 @@
+Copied from Debian.
+
+--- libwmf-0.2.8.4.orig/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -23,6 +23,7 @@
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <math.h>
+ 
+@@ -132,8 +133,14 @@
+ 		}
+ 	}
+ 
+-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++	if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++	{
++		API->err = wmf_E_InsMem;
++		WMF_DEBUG (API,"bailing...");
++		return (API->err);
++	}
++
++ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");
+