summaryrefslogtreecommitdiffstats
path: root/source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
diff options
context:
space:
mode:
author Patrick J Volkerding <volkerdi@slackware.com>2018-05-28 19:12:29 +0000
committer Eric Hameleers <alien@slackware.com>2018-05-31 23:39:35 +0200
commit646a5c1cbfd95873950a87b5f75d52073a967023 (patch)
treeb8b8d2ab3b0d432ea69ad1a64d1c789649d65020 /source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
parentd31c50870d0bee042ce660e445c9294a59a3a65b (diff)
downloadcurrent-646a5c1cbfd95873950a87b5f75d52073a967023.tar.gz
current-646a5c1cbfd95873950a87b5f75d52073a967023.tar.xz
Mon May 28 19:12:29 UTC 201820180528191229
a/pkgtools-15.0-noarch-13.txz: Rebuilt. installpkg: default line length for --terselength is the number of columns. removepkg: added --terse mode. upgradepkg: default line length for --terselength is the number of columns. upgradepkg: accept -option in addition to --option. ap/vim-8.1.0026-x86_64-1.txz: Upgraded. d/bison-3.0.5-x86_64-1.txz: Upgraded. e/emacs-26.1-x86_64-1.txz: Upgraded. kde/kopete-4.14.3-x86_64-8.txz: Rebuilt. Recompiled against libidn-1.35. n/conntrack-tools-1.4.5-x86_64-1.txz: Upgraded. n/libnetfilter_conntrack-1.0.7-x86_64-1.txz: Upgraded. n/libnftnl-1.1.0-x86_64-1.txz: Upgraded. n/links-2.16-x86_64-2.txz: Rebuilt. Rebuilt to enable X driver for -g mode. n/lynx-2.8.9dev.19-x86_64-1.txz: Upgraded. n/nftables-0.8.5-x86_64-1.txz: Upgraded. n/p11-kit-0.23.11-x86_64-1.txz: Upgraded. n/ulogd-2.0.7-x86_64-1.txz: Upgraded. n/whois-5.3.1-x86_64-1.txz: Upgraded. xap/network-manager-applet-1.8.12-x86_64-1.txz: Upgraded. xap/vim-gvim-8.1.0026-x86_64-1.txz: Upgraded.
Diffstat (limited to 'source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch')
-rw-r--r--source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch118
1 files changed, 118 insertions, 0 deletions
diff --git a/source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch b/source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
new file mode 100644
index 000000000..e8ba8db1e
--- /dev/null
+++ b/source/l/libwmf/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
@@ -0,0 +1,118 @@
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
+@@ -859,7 +859,7 @@
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ { int byte;
+ int count;
+ int i;
+@@ -870,12 +870,14 @@
+ U32 u;
+
+ unsigned char* q;
++ unsigned char* end;
+
+ for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+
+ byte = 0;
+ x = 0;
+ q = pixels;
++ end = pixels + bmp->width * bmp->height;
+
+ for (y = 0; y < bmp->height; )
+ { count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@
+ { /* Encoded mode. */
+ byte = ReadBlobByte (src);
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = (unsigned char) byte;
+ }
+ else
+@@ -896,13 +901,15 @@
+ else
+ { /* Escape mode. */
+ count = ReadBlobByte (src);
+- if (count == 0x01) return;
++ if (count == 0x01) return 1;
+ switch (count)
+ {
+ case 0x00:
+ { /* End of line. */
+ x = 0;
+ y++;
++ if (y >= bmp->height)
++ return 0;
+ q = pixels + y * bmp->width;
+ break;
+ }
+@@ -910,13 +917,20 @@
+ { /* Delta mode. */
+ x += ReadBlobByte (src);
+ y += ReadBlobByte (src);
++ if (y >= bmp->height)
++ return 0;
++ if (x >= bmp->width)
++ return 0;
+ q = pixels + y * bmp->width + x;
+ break;
+ }
+ default:
+ { /* Absolute mode. */
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = ReadBlobByte (src);
+ }
+ else
+@@ -943,7 +957,7 @@
+ byte = ReadBlobByte (src); /* end of line */
+ byte = ReadBlobByte (src);
+
+- return;
++ return 1;
+ }
+
+ /*
+@@ -1143,8 +1157,18 @@
+ }
+ }
+ else
+- { /* Convert run-length encoded raster pixels. */
+- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++ {
++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
++ {
++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
++ { WMF_ERROR (API,"corrupt bmp");
++ API->err = wmf_E_BadFormat;
++ }
++ }
++ else
++ { WMF_ERROR (API,"Unexpected pixel depth");
++ API->err = wmf_E_BadFormat;
++ }
+ }
+
+ if (ERR (API))
+--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
+@@ -48,7 +48,7 @@
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long ReadBlobLSBLong (BMPSource*);
+ static long TellBlob (BMPSource*);
+-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);