1 files changed, 31 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch b/meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch
new file mode 100644
index 000000000..50d915c01
--- /dev/null
+++ b/meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch
@@ -0,0 +1,31 @@
+http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log
+CVE-2006-3376 libwmf integer overflow
+--- libwmf-0.2.8.4.orig/src/player.c    2002-12-10 19:30:26.000000000 +0000
+++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings               */
+ #include "player/record.h"   /* Provides: parameter mechanism            */
+ #include "player/meta.h"     /* Provides: record interpreters            */
+#include <stdint.h>
+ 
+ /**
+  * @internal
+@@ -132,8 +134,14 @@
+                }
+        }
+ 
+-/*     P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */    P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+       if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
+       {
+               API->err = wmf_E_InsMem;
+               WMF_DEBUG (API,"bailing...");
+               return (API->err);
+       }
+       
+       P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+ 
+        if (ERR (API))
+        {       WMF_DEBUG (API,"bailing...");

diff --git a/meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch b/meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch new file mode 100644 index 000000000..50d915c01 --- /dev/null +++ b/meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch
@@ -0,0 +1,31 @@
	1	http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log
	2
	3	CVE-2006-3376 libwmf integer overflow
	4
	5	--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000
	6	+++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100
	7	@@ -42,6 +42,7 @@
	8	#include "player/defaults.h" /* Provides: default settings */
	9	#include "player/record.h" /* Provides: parameter mechanism */
	10	#include "player/meta.h" /* Provides: record interpreters */
	11	+#include <stdint.h>
	12
	13	/**
	14	* @internal
	15	@@ -132,8 +134,14 @@
	16	}
	17	}
	18
	19	-/* P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API)-3) 2 * sizeof (unsigned char));
	20	- / P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
	21	+ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
	22	+ {
	23	+ API->err = wmf_E_InsMem;
	24	+ WMF_DEBUG (API,"bailing...");
	25	+ return (API->err);
	26	+ }
	27	+
	28	+ P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) 2 * sizeof (unsigned char));
	29
	30	if (ERR (API))
	31	{ WMF_DEBUG (API,"bailing...");