aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libwmf-CVE-2006-3376.patch
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-07-06 20:02:47 -0400
committerMark H Weaver <mhw@netris.org>2015-07-06 20:04:50 -0400
commit9ed548643918bb9415b16707f360f49fcab89627 (patch)
treea47ef9eafd123489f132ae71afbc1de94ec95ae3 /gnu/packages/patches/libwmf-CVE-2006-3376.patch
parent075d99f19599b2903490942d8c3717cdd5b5d31e (diff)
downloadguix-9ed548643918bb9415b16707f360f49fcab89627.tar
guix-9ed548643918bb9415b16707f360f49fcab89627.tar.gz
gnu: libwmf: Fix CVE-2006-3376, CVE-2009-1364, CVE-2015-{0848,4588,4695,4696}.
* gnu/packages/patches/libwmf-CVE-2006-3376.patch, gnu/packages/patches/libwmf-CVE-2009-1364.patch, gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (libwmf)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/libwmf-CVE-2006-3376.patch')
-rw-r--r--gnu/packages/patches/libwmf-CVE-2006-3376.patch30
1 files changed, 30 insertions, 0 deletions
diff --git a/gnu/packages/patches/libwmf-CVE-2006-3376.patch b/gnu/packages/patches/libwmf-CVE-2006-3376.patch
new file mode 100644
index 0000000000..1e0e1ecfa8
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2006-3376.patch
@@ -0,0 +1,30 @@
+Copied from Debian.
+
+--- libwmf-0.2.8.4.orig/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -23,6 +23,7 @@
+
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <math.h>
+
+@@ -132,8 +133,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
+