Blame - import-layers/meta-openembedded/meta-oe/recipes-extended/libwmf/libwmf/libwmf-0.2.8.4-intoverflow.patch - openbmc/openbmc

blob: 50d915c01095c00d3a1fe52be95884ff6261a1dc [file] [log] [blame]

Patrick Williams	b48b7b4	2016-08-17 15:04:38 -0500	[diff] [blame^]	1	http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log
				2
				3	CVE-2006-3376 libwmf integer overflow
				4
				5	--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000
				6	+++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100
				7	@@ -42,6 +42,7 @@
				8	#include "player/defaults.h" /* Provides: default settings */
				9	#include "player/record.h" /* Provides: parameter mechanism */
				10	#include "player/meta.h" /* Provides: record interpreters */
				11	+#include <stdint.h>
				12
				13	/**
				14	* @internal
				15	@@ -132,8 +134,14 @@
				16	}
				17	}
				18
				19	-/* P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API)-3) 2 * sizeof (unsigned char));
				20	- / P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
				21	+ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
				22	+ {
				23	+ API->err = wmf_E_InsMem;
				24	+ WMF_DEBUG (API,"bailing...");
				25	+ return (API->err);
				26	+ }
				27	+
				28	+ P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) 2 * sizeof (unsigned char));
				29
				30	if (ERR (API))
				31	{ WMF_DEBUG (API,"bailing...");