kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
pkgsrc/graphics/libwmf/patches/patch-aa
sevan 22ead36c3c Patch the following CVEs 
CVE-2004-0941
CVE-2007-0455
CVE-2007-2756
CVE-2007-3472
CVE-2007-3473
CVE-2007-3477
CVE-2009-3546
CVE-2015-0848
CVE-2015-4588
CVE-2015-4695
CVE-2015-4696

Obtained from:
CentOS libwmf RPM git
Debian Bug 784205
Debian Bug 784192
Red Hat Bug 1227243
via Jason Unovitch in FreeBSD bug 201513

Reviewed by bsiegert@
2015-07-17 12:33:47 +00:00

131 lines
3.5 KiB
Text
Raw Blame History

$NetBSD: patch-aa,v 1.8 2015/07/17 12:33:47 sevan Exp $
Fix build with png-1.5.
https://sourceforge.net/tracker/?func=detail&aid=3164737&group_id=10501&atid=110501
CVE-2015-4588 - Heap-based buffer overflow in the DecodeImage function in libwmf
0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly
execute arbitrary code via a crafted "run-length count" in an image in a WMF
file.
CVE-2015-0848 - Heap-based buffer overflow in libwmf 0.2.8.4 allows remote
attackers to cause a denial of service (crash) or possibly execute arbitrary
code via a crafted BMP image.
--- src/ipa/ipa/bmp.h.orig 2015-07-17 11:09:09.000000000 +0000
+++ src/ipa/ipa/bmp.h
@@ -66,7 +66,7 @@ static void ldr_bmp_png (wmfAPI* API,wmf
return;
}
- if (setjmp (png_ptr->jmpbuf))
+ if (setjmp (png_jmpbuf(png_ptr)))
{ WMF_DEBUG (API,"Failed to write bitmap as PNG! (setjmp failed)");
png_destroy_write_struct (&png_ptr,&info_ptr);
wmf_free (API,buffer);
@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
%
%
*/
-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
{ int byte;
int count;
int i;
@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmf
U32 u;
unsigned char* q;
+ unsigned char* end;
for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
byte = 0;
x = 0;
q = pixels;
+ end = pixels + bmp->width * bmp->height;
for (y = 0; y < bmp->height; )
{ count = ReadBlobByte (src);
@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmf
{ /* Encoded mode. */
byte = ReadBlobByte (src);
for (i = 0; i < count; i++)
- { if (compression == 1)
+ {
+ if (q == end)
+ return 0;
+ if (compression == 1)
{ (*(q++)) = (unsigned char) byte;
}
else
@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmf
else
{ /* Escape mode. */
count = ReadBlobByte (src);
- if (count == 0x01) return;
+ if (count == 0x01) return 1;
switch (count)
{
case 0x00:
{ /* End of line. */
x = 0;
y++;
+ if (y >= bmp->height)
+ return 0;
q = pixels + y * bmp->width;
break;
}
@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmf
{ /* Delta mode. */
x += ReadBlobByte (src);
y += ReadBlobByte (src);
+ if (y >= bmp->height)
+ return 0;
+ if (x >= bmp->width)
+ return 0;
q = pixels + y * bmp->width + x;
break;
}
default:
{ /* Absolute mode. */
for (i = 0; i < count; i++)
- { if (compression == 1)
+ {
+ if (q == end)
+ return 0;
+ if (compression == 1)
{ (*(q++)) = ReadBlobByte (src);
}
else
@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmf
byte = ReadBlobByte (src); /* end of line */
byte = ReadBlobByte (src);
- return;
+ return 1;
}
/*
@@ -1143,8 +1157,20 @@ static void ReadBMPImage (wmfAPI* API,wm
}
}
else
- { /* Convert run-length encoded raster pixels. */
- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+ {
+ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
+ {
+ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
+ {
+ WMF_ERROR (API,"corrupt bmp");
+ API->err = wmf_E_BadFormat;
+ }
+ }
+ else
+ {
+ WMF_ERROR (API,"Unexpected pixel depth");
+ API->err = wmf_E_BadFormat;
+ }
}
if (ERR (API))
Reference in a new issue View git blame Copy permalink