summaryrefslogtreecommitdiffstats
path: root/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch')
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch36
1 files changed, 36 insertions, 0 deletions
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch
new file mode 100644
index 000000000..c6bd017c2
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch
@@ -0,0 +1,36 @@
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+-
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");