| http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log |
| |
| CVE-2006-3376 libwmf integer overflow |
| |
| --- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000 |
| +++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100 |
| @@ -42,6 +42,7 @@ |
| #include "player/defaults.h" /* Provides: default settings */ |
| #include "player/record.h" /* Provides: parameter mechanism */ |
| #include "player/meta.h" /* Provides: record interpreters */ |
| +#include <stdint.h> |
| |
| /** |
| * @internal |
| @@ -132,8 +134,14 @@ |
| } |
| } |
| |
| -/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); |
| - */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); |
| + if (MAX_REC_SIZE(API) > UINT32_MAX / 2) |
| + { |
| + API->err = wmf_E_InsMem; |
| + WMF_DEBUG (API,"bailing..."); |
| + return (API->err); |
| + } |
| + |
| + P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); |
| |
| if (ERR (API)) |
| { WMF_DEBUG (API,"bailing..."); |
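Review bot: The new guard on `MAX_REC_SIZE(API)` is bounded by `UINT32_MAX / 2`, but the size handed to `wmf_malloc` is computed with `sizeof`, i.e. in `size_t`, so the check only matches the multiplication if the record-size field is 32 bits wide and `size_t` is at least that wide; neither is visible in this hunk. Tying the bound to the expression it protects removes that assumption: `if ((size_t) MAX_REC_SIZE(API) > SIZE_MAX / (2 * sizeof (unsigned char)))`. A comment above the guard such as `/* reject record sizes whose doubled byte count would wrap before wmf_malloc */` would record why it exists. A debug string distinct from the `"bailing..."` used for the allocation failure below would let a log reader tell a rejected size from an out-of-memory condition. The enclosing function starts and ends outside the hunk, so whether anything allocated earlier needs releasing before the early `return` cannot be judged from here.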