aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/libwmf-CVE-2007-3472.patch
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-10-08 10:43:40 -0400
committerMark H Weaver <mhw@netris.org>2015-10-08 10:46:30 -0400
commitf956d661add890acb41592482a8a0c3fd90afd76 (patch)
tree796d7838d9fd3b8dac7020988bb963e0c325f7a9 /gnu/packages/patches/libwmf-CVE-2007-3472.patch
parent48e4a9f32f93c404b6fb4472164d8e00d12b2937 (diff)
downloadguix-f956d661add890acb41592482a8a0c3fd90afd76.tar
guix-f956d661add890acb41592482a8a0c3fd90afd76.tar.gz
gnu: libwmf: Add fixes for several security flaws.
* gnu/packages/patches/libwmf-CAN-2004-0941.patch, gnu/packages/patches/libwmf-CVE-2007-0455.patch, gnu/packages/patches/libwmf-CVE-2007-2756.patch, gnu/packages/patches/libwmf-CVE-2007-3472.patch, gnu/packages/patches/libwmf-CVE-2007-3473.patch, gnu/packages/patches/libwmf-CVE-2007-3477.patch, gnu/packages/patches/libwmf-CVE-2009-3546.patch: New files. * gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch: Delete file. Replace with ... * gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch, gnu/packages/patches/libwmf-CVE-2015-4695.patch, gnu/packages/patches/libwmf-CVE-2015-4696.patch: ... these new files. * gnu-system.am (dist_patch_DATA): Adjust accordingly. * gnu/packages/image.scm (libwmf)[source]: Adjust set of patches.
Diffstat (limited to 'gnu/packages/patches/libwmf-CVE-2007-3472.patch')
-rw-r--r--gnu/packages/patches/libwmf-CVE-2007-3472.patch63
1 files changed, 63 insertions, 0 deletions
diff --git a/gnu/packages/patches/libwmf-CVE-2007-3472.patch b/gnu/packages/patches/libwmf-CVE-2007-3472.patch
new file mode 100644
index 0000000000..180bdb5fc2
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2007-3472.patch
@@ -0,0 +1,63 @@
+Based on a patch from Fedora.
+
+http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3472.patch
+
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+ gdImagePtr im;
+ unsigned long cpa_size;
+
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (int *), sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof(int), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ if (im == 0) return 0;
+ memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+
+@@ -94,3 +95,18 @@
+ {
+ free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++ if(a < 0 || b < 0) {
++ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++ return 1;
++ }
++ if(b == 0)
++ return 0;
++ if(a > INT_MAX / b) {
++ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++ return 1;
++ }
++ return 0;
++}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000
+@@ -15,4 +15,6 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */