author | orumin | 2017-07-08 16:04:01 +0900 |
---|---|---|
committer | orumin | 2017-07-08 16:04:01 +0900 |
commit | f05c0f8cd81c6ab066d9292bb58362a098da96de (patch) | |
tree | becab5c5219b0d28512cc7b0ea0142ff8cdf4cb1 | |
download | aur-f05c0f8cd81c6ab066d9292bb58362a098da96de.tar.gz |
initial commit
-rw-r--r-- | .SRCINFO | 49 | ||||
-rw-r--r-- | PKGBUILD | 86 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CAN-2004-0941.patch | 17 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CVE-2007-0455.patch | 11 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CVE-2007-2756.patch | 16 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CVE-2007-3472.patch | 59 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CVE-2007-3473.patch | 13 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CVE-2007-3477.patch | 38 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CVE-2009-3546.patch | 13 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch | 118 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CVE-2015-4695.patch | 56 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CVE-2015-4696.patch | 23 | ||||
-rw-r--r-- | libwmf-0.2.8.4-CVE-2016-9011.patch | 36 | ||||
-rw-r--r-- | libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch | 27 | ||||
-rw-r--r-- | libwmf-0.2.8.4-libpng-1.5.patch | 12 | ||||
-rw-r--r-- | libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch | 10 |
16 files changed, 584 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..9a0f17c718e7
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,49 @@
+pkgbase = lib32-libwmf
+ pkgdesc = A library for reading vector images in Microsoft's native Windows Metafile Format (WMF) (32-bit)
+ pkgver = 0.2.8.4
+ pkgrel = 1
+ url = http://wvware.sourceforge.net/libwmf.html
+ arch = x86_64
+ license = LGPL
+ makedepends = lib32-gtk2
+ makedepends = lib32-libxt
+ depends = lib32-libx11
+ depends = lib32-libjpeg
+ depends = gsfonts
+ depends = libwmf
+ optdepends = gdk-pixbuf2: for pixbuf loader
+ options = !docs
+ options = !emptydirs
+ source = http://downloads.sourceforge.net/sourceforge/wvware/libwmf-0.2.8.4.tar.gz
+ source = libwmf-0.2.8.4-libpng-1.5.patch
+ source = libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
+ source = libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
+ source = libwmf-0.2.8.4-CAN-2004-0941.patch
+ source = libwmf-0.2.8.4-CVE-2007-0455.patch
+ source = libwmf-0.2.8.4-CVE-2007-2756.patch
+ source = libwmf-0.2.8.4-CVE-2007-3472.patch
+ source = libwmf-0.2.8.4-CVE-2007-3473.patch
+ source = libwmf-0.2.8.4-CVE-2007-3477.patch
+ source = libwmf-0.2.8.4-CVE-2009-3546.patch
+ source = libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
+ source = libwmf-0.2.8.4-CVE-2015-4695.patch
+ source = libwmf-0.2.8.4-CVE-2015-4696.patch
+ source = libwmf-0.2.8.4-CVE-2016-9011.patch
+ sha1sums = 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89
+ sha1sums = 42aa4c2a82e4e14044c875a7f439baea732a355a
+ sha1sums = ea6d28880840e86c96f9079bfd591da54dcffa5c
+ sha1sums = 6f130ea9f639ccf88fef0fda74cf9fa3956f81b5
+ sha1sums = 2f8a46698dac6d5f5c3109cb56ad675ff1efaee0
+ sha1sums = 380d59744f174e12d4ba4f5cb63f14b6092850fa
+ sha1sums = 45ae37f79b351fe738212caa3a3c61c9b6fa2d5b
+ sha1sums = 1836f07750d3a8b4dd6354660875436b0e5c3b07
+ sha1sums = c778b89445f621fd5e44b0bbf9d441cceea90d6c
+ sha1sums = d0a6fefedd327f99c3ca1c2f7f19adddc2cef50a
+ sha1sums = 83f32dac05c1492eef1e652c553a5ffc80a3e656
+ sha1sums = 5608d0565890f2f89435bc13ad57279900ed83b4
+ sha1sums = 408cfff29160b037b8baa26b4647e02f373b8b85
+ sha1sums = e250f5ecefde4bf5c06f7fbc562566ce64204f2a
+ sha1sums = 9f8670ef0b4862bb84aecc582bfbec45573a8831
+
+pkgname = lib32-libwmf
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..f751021f7156
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,86 @@
+# Maintainer: orumin <dev at orum.in>
+
+pkgname=lib32-libwmf
+_basename=libwmf
+pkgver=0.2.8.4
+pkgrel=1
+pkgdesc="A library for reading vector images in Microsoft's native Windows Metafile Format (WMF) (32-bit)"
+arch=('x86_64')
+url="http://wvware.sourceforge.net/libwmf.html"
+license=('LGPL')
+depends=('lib32-libx11' 'lib32-libjpeg' 'gsfonts' 'libwmf')
+makedepends=('lib32-gtk2' 'lib32-libxt')
+optdepends=('gdk-pixbuf2: for pixbuf loader')
+options=('!docs' '!emptydirs')
+source=(http://downloads.sourceforge.net/sourceforge/wvware/${_basename}-${pkgver}.tar.gz
+ libwmf-0.2.8.4-libpng-1.5.patch
+ libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
+ libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
+ libwmf-0.2.8.4-CAN-2004-0941.patch
+ libwmf-0.2.8.4-CVE-2007-0455.patch
+ libwmf-0.2.8.4-CVE-2007-2756.patch
+ libwmf-0.2.8.4-CVE-2007-3472.patch
+ libwmf-0.2.8.4-CVE-2007-3473.patch
+ libwmf-0.2.8.4-CVE-2007-3477.patch
+ libwmf-0.2.8.4-CVE-2009-3546.patch
+ libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
+ libwmf-0.2.8.4-CVE-2015-4695.patch
+ libwmf-0.2.8.4-CVE-2015-4696.patch
+ libwmf-0.2.8.4-CVE-2016-9011.patch)
+sha1sums=('822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89'
+ '42aa4c2a82e4e14044c875a7f439baea732a355a'
+ 'ea6d28880840e86c96f9079bfd591da54dcffa5c'
+ '6f130ea9f639ccf88fef0fda74cf9fa3956f81b5'
+ '2f8a46698dac6d5f5c3109cb56ad675ff1efaee0'
+ '380d59744f174e12d4ba4f5cb63f14b6092850fa'
+ '45ae37f79b351fe738212caa3a3c61c9b6fa2d5b'
+ '1836f07750d3a8b4dd6354660875436b0e5c3b07'
+ 'c778b89445f621fd5e44b0bbf9d441cceea90d6c'
+ 'd0a6fefedd327f99c3ca1c2f7f19adddc2cef50a'
+ '83f32dac05c1492eef1e652c553a5ffc80a3e656'
+ '5608d0565890f2f89435bc13ad57279900ed83b4'
+ '408cfff29160b037b8baa26b4647e02f373b8b85'
+ 'e250f5ecefde4bf5c06f7fbc562566ce64204f2a'
+ '9f8670ef0b4862bb84aecc582bfbec45573a8831')
+
+prepare() {
+ cd ${_basename}-${pkgver}
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-libpng-1.5.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CAN-2004-0941.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-0455.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-2756.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3472.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3473.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2007-3477.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2009-3546.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-4695.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2015-4696.patch"
+ patch -p1 -i "${srcdir}/libwmf-0.2.8.4-CVE-2016-9011.patch"
+}
+
+build() {
+ cd ${_basename}-${pkgver}
+
+ export CC='gcc -m32'
+ export CXX='g++ -m32'
+ export PKG_CONFIG_PATH='/usr/lib32/pkgconfig'
+
+ ./configure --prefix=/usr \
+ --build=i686-pc-linux-gnu --libdir=/usr/lib32 \
+ --with-gsfontdir=/usr/share/fonts/Type1 \
+ --with-fontdir=/usr/share/fonts/Type1 \
+ --with-gsfontmap=/usr/share/ghostscript/9.10/Resource/Init/Fontmap.GS
+ make
+}
+
+package() {
+ cd ${_basename}-${pkgver}
+ make DESTDIR="${pkgdir}" install
+ rm -r "${pkgdir}/usr/bin"
+ rm -r "${pkgdir}/usr/include"
+ #Remove fonts, these are in gsfonts
+ rm -rf "${pkgdir}/usr/share/fonts"
+}
diff --git a/libwmf-0.2.8.4-CAN-2004-0941.patch b/libwmf-0.2.8.4-CAN-2004-0941.patch
new file mode 100644
index 000000000000..581e4e09197e
--- /dev/null
+++ b/libwmf-0.2.8.4-CAN-2004-0941.patch
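Review bot: In the PKGBUILD, the upstream tarball in `source=(...)` is fetched over plain `http://` and every entry is pinned only with `sha1sums`, so the integrity of the one remote input rests on SHA-1 alone. I would switch the URL to `https://` if the host serves it and replace the array with `sha256sums=(...)`, regenerating .SRCINFO to match. Separately, `--with-gsfontmap=/usr/share/ghostscript/9.10/Resource/Init/Fontmap.GS` in build() hard-codes a ghostscript version that nothing in `depends` pins, so that path presumably stops existing after a ghostscript upgrade. The `cd ${_basename}-${pkgver}` lines would also be safer quoted, as the `patch -i "${srcdir}/..."` arguments already are.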
@@ -0,0 +1,17 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824 -0500
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960 -0500
+@@ -188,6 +188,14 @@
+
+ png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
++ if (overflow2(sizeof (int), width))
++ {
++ return NULL;
++ }
++ if (overflow2(sizeof (int) * width, height))
++ {
++ return NULL;
++ }
+ if ((color_type == PNG_COLOR_TYPE_RGB) ||
+ (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+ {
diff --git a/libwmf-0.2.8.4-CVE-2007-0455.patch b/libwmf-0.2.8.4-CVE-2007-0455.patch
new file mode 100644
index 000000000000..0cc5abc71488
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2007-0455.patch
@@ -0,0 +1,11 @@
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ {
+ ch = c & 0xFF; /* don't extend sign */
+ }
+- next++;
++ if (*next) next++;
+ }
+ else
+ {
diff --git a/libwmf-0.2.8.4-CVE-2007-2756.patch b/libwmf-0.2.8.4-CVE-2007-2756.patch
new file mode 100644
index 000000000000..eba8fac25abe
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2007-2756.patch
@@ -0,0 +1,16 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000 1.21.2.1
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ png_bytep data, png_size_t length)
+ {
+- gdGetBuf (data, length, (gdIOCtx *)
+- png_get_io_ptr (png_ptr));
++ int check;
++ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++ if (check != length) {
++ png_error(png_ptr, "Read Error: truncated data");
++ }
+ }
+
+ static void
diff --git a/libwmf-0.2.8.4-CVE-2007-3472.patch b/libwmf-0.2.8.4-CVE-2007-3472.patch
new file mode 100644
index 000000000000..01b56de5d76c
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2007-3472.patch
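Review bot: In the CAN-2004-0941 patch, both added `return NULL;` statements leave the function directly after `png_get_IHDR (png_ptr, info_ptr, ...)`, so whatever backs `png_ptr` and `info_ptr` is presumably not released on the overflow path; their allocation is outside the hunk, so this is inferred. If they come from `png_create_read_struct`, the rejected-image path should call `png_destroy_read_struct (&png_ptr, &info_ptr, NULL);` before returning. Note also that `overflow2()` is only introduced by the CVE-2007-3472 patch, so this patch does not build on its own and depends on prepare() applying both.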
@@ -0,0 +1,59 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+ gdImagePtr im;
+ unsigned long cpa_size;
+
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (int *), sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof(int), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ if (im == 0) return 0;
+ memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+
+@@ -94,3 +95,18 @@
+ {
+ free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++ if(a < 0 || b < 0) {
++ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++ return 1;
++ }
++ if(b == 0)
++ return 0;
++ if(a > INT_MAX / b) {
++ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++ return 1;
++ }
++ return 0;
++}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000
+@@ -15,4 +15,6 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */
diff --git a/libwmf-0.2.8.4-CVE-2007-3473.patch b/libwmf-0.2.8.4-CVE-2007-3473.patch
new file mode 100644
index 000000000000..59018996932e
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2007-3473.patch
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+ }
+ bytes = (w * h / 8) + 1;
+ im = gdImageCreate (w, h);
++ if (!im) {
++ return 0;
++ }
++
+ gdImageColorAllocate (im, 255, 255, 255);
+ gdImageColorAllocate (im, 0, 0, 0);
+ x = 0;
diff --git a/libwmf-0.2.8.4-CVE-2007-3477.patch b/libwmf-0.2.8.4-CVE-2007-3477.patch
new file mode 100644
index 000000000000..81ac0385399a
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2007-3477.patch
@@ -0,0 +1,38 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+ int w2, h2;
+ w2 = w / 2;
+ h2 = h / 2;
+- while (e < s)
+- {
+- e += 360;
+- }
++
++ if ((s % 360) == (e % 360)) {
++ s = 0; e = 360;
++ } else {
++ if (s > 360) {
++ s = s % 360;
++ }
++
++ if (e > 360) {
++ e = e % 360;
++ }
++
++ while (s < 0) {
++ s += 360;
++ }
++
++ while (e < s) {
++ e += 360;
++ }
++
++ if (s == e) {
++ s = 0; e = 360;
++ }
++ }
++
+ for (i = s; (i <= e); i++)
+ {
+ int x, y;
diff --git a/libwmf-0.2.8.4-CVE-2009-3546.patch b/libwmf-0.2.8.4-CVE-2009-3546.patch
new file mode 100644
index 000000000000..d718976adb42
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2009-3546.patch
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000 +0000
+@@ -42,6 +42,10 @@
+ {
+ goto fail1;
+ }
++ if (&im->colorsTotal > gdMaxColors)
++ {
++ goto fail1;
++ }
+ }
+ /* Int to accommodate truecolor single-color transparency */
+ if (!gdGetInt (&im->transparent, in))
diff --git a/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch b/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
new file mode 100644
index 000000000000..e8ba8db1e843
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
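Review bot: In the CVE-2009-3546 patch the added guard `if (&im->colorsTotal > gdMaxColors)` compares the address of the field, not the colour count, against the limit. An object address will in practice always compare greater, so every file that reaches this branch is sent to `fail1` and the intended bound on the value read from the file is never evaluated. The check should read `if (im->colorsTotal > gdMaxColors)`, which also removes the pointer-to-integer comparison a compiler would warn about. The enclosing function starts and ends outside the hunk.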
@@ -0,0 +1,118 @@
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
+@@ -859,7 +859,7 @@
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ { int byte;
+ int count;
+ int i;
+@@ -870,12 +870,14 @@
+ U32 u;
+
+ unsigned char* q;
++ unsigned char* end;
+
+ for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+
+ byte = 0;
+ x = 0;
+ q = pixels;
++ end = pixels + bmp->width * bmp->height;
+
+ for (y = 0; y < bmp->height; )
+ { count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@
+ { /* Encoded mode. */
+ byte = ReadBlobByte (src);
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = (unsigned char) byte;
+ }
+ else
+@@ -896,13 +901,15 @@
+ else
+ { /* Escape mode. */
+ count = ReadBlobByte (src);
+- if (count == 0x01) return;
++ if (count == 0x01) return 1;
+ switch (count)
+ {
+ case 0x00:
+ { /* End of line. */
+ x = 0;
+ y++;
++ if (y >= bmp->height)
++ return 0;
+ q = pixels + y * bmp->width;
+ break;
+ }
+@@ -910,13 +917,20 @@
+ { /* Delta mode. */
+ x += ReadBlobByte (src);
+ y += ReadBlobByte (src);
++ if (y >= bmp->height)
++ return 0;
++ if (x >= bmp->width)
++ return 0;
+ q = pixels + y * bmp->width + x;
+ break;
+ }
+ default:
+ { /* Absolute mode. */
+ for (i = 0; i < count; i++)
+- { if (compression == 1)
++ {
++ if (q == end)
++ return 0;
++ if (compression == 1)
+ { (*(q++)) = ReadBlobByte (src);
+ }
+ else
+@@ -943,7 +957,7 @@
+ byte = ReadBlobByte (src); /* end of line */
+ byte = ReadBlobByte (src);
+
+- return;
++ return 1;
+ }
+
+ /*
+@@ -1143,8 +1157,18 @@
+ }
+ }
+ else
+- { /* Convert run-length encoded raster pixels. */
+- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++ {
++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
++ {
++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
++ { WMF_ERROR (API,"corrupt bmp");
++ API->err = wmf_E_BadFormat;
++ }
++ }
++ else
++ { WMF_ERROR (API,"Unexpected pixel depth");
++ API->err = wmf_E_BadFormat;
++ }
+ }
+
+ if (ERR (API))
+--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
+@@ -48,7 +48,7 @@
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long ReadBlobLSBLong (BMPSource*);
+ static long TellBlob (BMPSource*);
+-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
diff --git a/libwmf-0.2.8.4-CVE-2015-4695.patch b/libwmf-0.2.8.4-CVE-2015-4695.patch
new file mode 100644
index 000000000000..b6d499da98e1
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2015-4695.patch
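Review bot: In the bmp.h patch, `end = pixels + bmp->width * bmp->height;` multiplies the dimensions in their declared type, while the clearing loop a few lines above casts both to `U32`; if the fields are signed the two bounds can disagree for large images, so I would write `end = pixels + (U32) bmp->width * (U32) bmp->height;`. The delta-mode checks added after `x += ReadBlobByte (src); y += ReadBlobByte (src);` only test the upper bounds; whether `ReadBlobByte` can return a negative value at end of input is not visible here, but if it can, `x < 0 || y < 0` should be rejected as well before `q` is recomputed. The two `q == end` guards would be more robust as `q >= end`. DecodeImage's body continues outside these hunks.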
@@ -0,0 +1,56 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
+ objects = P->objects;
+
+ i = 0;
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+
+ if (i == NUM_OBJECTS (API))
+ { WMF_ERROR (API,"Object out of range!");
diff --git a/libwmf-0.2.8.4-CVE-2015-4696.patch b/libwmf-0.2.8.4-CVE-2015-4696.patch
new file mode 100644
index 000000000000..3312841258b0
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2015-4696.patch
@@ -0,0 +1,23 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -2585,6 +2585,8 @@
+ polyrect.BR[i] = clip->rects[i].BR;
+ }
+
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
++
+ wmf_free (API,polyrect.TL);
+ wmf_free (API,polyrect.BR);
+ }
+@@ -2593,9 +2595,10 @@
+ polyrect.BR = 0;
+
+ polyrect.count = 0;
++
++ if (FR->region_clip) FR->region_clip (API,&polyrect);
+ }
+
+- if (FR->region_clip) FR->region_clip (API,&polyrect);
+
+ return (changed);
+ }
diff --git a/libwmf-0.2.8.4-CVE-2016-9011.patch b/libwmf-0.2.8.4-CVE-2016-9011.patch
new file mode 100644
index 000000000000..c6bd017c2f8f
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2016-9011.patch
@@ -0,0 +1,36 @@
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+-
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
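Review bot: In the CVE-2016-9011 patch, `WMF_SEEK (API, nPos + nMaxRecordSize - 1)` adds a `const long` to a `U32` without checking the sum. This package is built with `gcc -m32`, where `long` is presumably 32 bits, so the addition would be carried out in 32-bit unsigned arithmetic and can wrap to a small offset that passes the read-back probe. The guard from the CVE-2006-3376 patch bounds `MAX_REC_SIZE(API)` but not this sum, and `nPos` is used without checking what `WMF_TELL` returned; I would reject a negative `nPos` and any size for which the target offset cannot be represented in `long` before seeking. The mixed declarations and `//` comments also need a C99 compiler mode, which the rest of this file may not assume.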
diff --git a/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch b/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
new file mode 100644
index 000000000000..507fe66223ce
--- /dev/null
+++ b/libwmf-0.2.8.4-intoverflow-CVE-2006-3376.patch
@@ -0,0 +1,27 @@
+--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000
++++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings */
+ #include "player/record.h" /* Provides: parameter mechanism */
+ #include "player/meta.h" /* Provides: record interpreters */
++#include <stdint.h>
+
+ /**
+ * @internal
+@@ -132,8 +134,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
diff --git a/libwmf-0.2.8.4-libpng-1.5.patch b/libwmf-0.2.8.4-libpng-1.5.patch
new file mode 100644
index 000000000000..3528c74ebd8d
--- /dev/null
+++ b/libwmf-0.2.8.4-libpng-1.5.patch
@@ -0,0 +1,12 @@
+diff -urN libwmf-0.2.8.4.old/src/ipa/ipa/bmp.h libwmf-0.2.8.4/src/ipa/ipa/bmp.h
+--- libwmf-0.2.8.4.old/src/ipa/ipa/bmp.h 2011-05-23 19:14:23.000000000 +0200
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2011-05-23 19:15:11.000000000 +0200
+@@ -66,7 +66,7 @@
+ return;
+ }
+
+- if (setjmp (png_ptr->jmpbuf))
++ if (setjmp(png_jmpbuf(png_ptr)))
+ { WMF_DEBUG (API,"Failed to write bitmap as PNG! (setjmp failed)");
+ png_destroy_write_struct (&png_ptr,&info_ptr);
+ wmf_free (API,buffer);
diff --git a/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch b/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
new file mode 100644
index 000000000000..328c5411fbbd
--- /dev/null
+++ b/libwmf-0.2.8.4-useafterfree-CVE-2009-1364.patch
@@ -0,0 +1,10 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_clip.c.CVE-2009-1364-im-clip-list 2009-04-24 04:06:44.000000000 -0400
++++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c 2009-04-24 04:08:30.000000000 -0400
+@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRe
+ { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+ if (more == 0) return;
+ im->clip->max += 8;
++ im->clip->list = more;
+ }
+ im->clip->list[im->clip->count] = (*rect);
+ im->clip->count++;
|