summary refs log tree commit diff
path: root/pkgs/development/libraries/libwmf/CVE-2006-3376.patch
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs/development/libraries/libwmf/CVE-2006-3376.patch')
-rw-r--r--pkgs/development/libraries/libwmf/CVE-2006-3376.patch28
1 files changed, 28 insertions, 0 deletions
diff --git a/pkgs/development/libraries/libwmf/CVE-2006-3376.patch b/pkgs/development/libraries/libwmf/CVE-2006-3376.patch
new file mode 100644
index 00000000000..4c7519d9c10
--- /dev/null
+++ b/pkgs/development/libraries/libwmf/CVE-2006-3376.patch
@@ -0,0 +1,28 @@
+--- libwmf-0.2.8.4.orig/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -23,6 +23,7 @@
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <math.h>
+ 
+@@ -132,8 +133,14 @@
+ 		}
+ 	}
+ 
+-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++	if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++	{
++		API->err = wmf_E_InsMem;
++		WMF_DEBUG (API,"bailing...");
++		return (API->err);
++	}
++
++ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");
+
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-27 21:39:04 +0000