diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2018-05-28 19:12:29 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2018-05-31 23:39:35 +0200 |
commit | 646a5c1cbfd95873950a87b5f75d52073a967023 (patch) | |
tree | b8b8d2ab3b0d432ea69ad1a64d1c789649d65020 /source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch | |
parent | d31c50870d0bee042ce660e445c9294a59a3a65b (diff) | |
download | current-646a5c1cbfd95873950a87b5f75d52073a967023.tar.gz current-646a5c1cbfd95873950a87b5f75d52073a967023.tar.xz |
Mon May 28 19:12:29 UTC 201820180528191229
a/pkgtools-15.0-noarch-13.txz: Rebuilt.
installpkg: default line length for --terselength is the number of columns.
removepkg: added --terse mode.
upgradepkg: default line length for --terselength is the number of columns.
upgradepkg: accept -option in addition to --option.
ap/vim-8.1.0026-x86_64-1.txz: Upgraded.
d/bison-3.0.5-x86_64-1.txz: Upgraded.
e/emacs-26.1-x86_64-1.txz: Upgraded.
kde/kopete-4.14.3-x86_64-8.txz: Rebuilt.
Recompiled against libidn-1.35.
n/conntrack-tools-1.4.5-x86_64-1.txz: Upgraded.
n/libnetfilter_conntrack-1.0.7-x86_64-1.txz: Upgraded.
n/libnftnl-1.1.0-x86_64-1.txz: Upgraded.
n/links-2.16-x86_64-2.txz: Rebuilt.
Rebuilt to enable X driver for -g mode.
n/lynx-2.8.9dev.19-x86_64-1.txz: Upgraded.
n/nftables-0.8.5-x86_64-1.txz: Upgraded.
n/p11-kit-0.23.11-x86_64-1.txz: Upgraded.
n/ulogd-2.0.7-x86_64-1.txz: Upgraded.
n/whois-5.3.1-x86_64-1.txz: Upgraded.
xap/network-manager-applet-1.8.12-x86_64-1.txz: Upgraded.
xap/vim-gvim-8.1.0026-x86_64-1.txz: Upgraded.
Diffstat (limited to 'source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch')
-rw-r--r-- | source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch b/source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch new file mode 100644 index 000000000..e8ba8db1e --- /dev/null +++ b/source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch @@ -0,0 +1,118 @@ +--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100 ++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100 +@@ -859,7 +859,7 @@ + % + % + */ +-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) ++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) + { int byte; + int count; + int i; +@@ -870,12 +870,14 @@ + U32 u; + + unsigned char* q; ++ unsigned char* end; + + for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; + + byte = 0; + x = 0; + q = pixels; ++ end = pixels + bmp->width * bmp->height; + + for (y = 0; y < bmp->height; ) + { count = ReadBlobByte (src); +@@ -884,7 +886,10 @@ + { /* Encoded mode. */ + byte = ReadBlobByte (src); + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = (unsigned char) byte; + } + else +@@ -896,13 +901,15 @@ + else + { /* Escape mode. */ + count = ReadBlobByte (src); +- if (count == 0x01) return; ++ if (count == 0x01) return 1; + switch (count) + { + case 0x00: + { /* End of line. */ + x = 0; + y++; ++ if (y >= bmp->height) ++ return 0; + q = pixels + y * bmp->width; + break; + } +@@ -910,13 +917,20 @@ + { /* Delta mode. */ + x += ReadBlobByte (src); + y += ReadBlobByte (src); ++ if (y >= bmp->height) ++ return 0; ++ if (x >= bmp->width) ++ return 0; + q = pixels + y * bmp->width + x; + break; + } + default: + { /* Absolute mode. */ + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = ReadBlobByte (src); + } + else +@@ -943,7 +957,7 @@ + byte = ReadBlobByte (src); /* end of line */ + byte = ReadBlobByte (src); + +- return; ++ return 1; + } + + /* +@@ -1143,8 +1157,18 @@ + } + } + else +- { /* Convert run-length encoded raster pixels. */ +- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); ++ { ++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ ++ { ++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) ++ { WMF_ERROR (API,"corrupt bmp"); ++ API->err = wmf_E_BadFormat; ++ } ++ } ++ else ++ { WMF_ERROR (API,"Unexpected pixel depth"); ++ API->err = wmf_E_BadFormat; ++ } + } + + if (ERR (API)) +--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100 ++++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100 +@@ -48,7 +48,7 @@ + static unsigned short ReadBlobLSBShort (BMPSource*); + static unsigned long ReadBlobLSBLong (BMPSource*); + static long TellBlob (BMPSource*); +-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); ++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); + static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); + static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); + static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); |