summaryrefslogtreecommitdiff
path: root/patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch')
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch27
1 files changed, 27 insertions, 0 deletions
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch
new file mode 100644
index 00000000..507fe662
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch
@@ -0,0 +1,27 @@
+--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000
++++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings */
+ #include "player/record.h" /* Provides: parameter mechanism */
+ #include "player/meta.h" /* Provides: record interpreters */
++#include <stdint.h>
+
+ /**
+ * @internal
+@@ -132,8 +134,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");