diff options
Diffstat (limited to 'meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch')
-rw-r--r-- | meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch b/meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch new file mode 100644 index 000000000..50d915c01 --- /dev/null +++ b/meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log | ||
2 | |||
3 | CVE-2006-3376 libwmf integer overflow | ||
4 | |||
5 | --- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000 | ||
6 | +++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100 | ||
7 | @@ -42,6 +42,7 @@ | ||
8 | #include "player/defaults.h" /* Provides: default settings */ | ||
9 | #include "player/record.h" /* Provides: parameter mechanism */ | ||
10 | #include "player/meta.h" /* Provides: record interpreters */ | ||
11 | +#include <stdint.h> | ||
12 | |||
13 | /** | ||
14 | * @internal | ||
15 | @@ -132,8 +134,14 @@ | ||
16 | } | ||
17 | } | ||
18 | |||
19 | -/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); | ||
20 | - */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); | ||
21 | + if (MAX_REC_SIZE(API) > UINT32_MAX / 2) | ||
22 | + { | ||
23 | + API->err = wmf_E_InsMem; | ||
24 | + WMF_DEBUG (API,"bailing..."); | ||
25 | + return (API->err); | ||
26 | + } | ||
27 | + | ||
28 | + P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); | ||
29 | |||
30 | if (ERR (API)) | ||
31 | { WMF_DEBUG (API,"bailing..."); | ||