Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log |
| 2 | |
| 3 | CVE-2006-3376 libwmf integer overflow |
| 4 | |
| 5 | --- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000 |
| 6 | +++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100 |
| 7 | @@ -42,6 +42,7 @@ |
| 8 | #include "player/defaults.h" /* Provides: default settings */ |
| 9 | #include "player/record.h" /* Provides: parameter mechanism */ |
| 10 | #include "player/meta.h" /* Provides: record interpreters */ |
| 11 | +#include <stdint.h> |
| 12 | |
| 13 | /** |
| 14 | * @internal |
| 15 | @@ -132,8 +134,14 @@ |
| 16 | } |
| 17 | } |
| 18 | |
| 19 | -/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); |
| 20 | - */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); |
| 21 | + if (MAX_REC_SIZE(API) > UINT32_MAX / 2) |
| 22 | + { |
| 23 | + API->err = wmf_E_InsMem; |
| 24 | + WMF_DEBUG (API,"bailing..."); |
| 25 | + return (API->err); |
| 26 | + } |
| 27 | + |
| 28 | + P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); |
| 29 | |
| 30 | if (ERR (API)) |
| 31 | { WMF_DEBUG (API,"bailing..."); |