diff options
Diffstat (limited to 'pkgs/development/libraries/libwmf/CVE-2006-3376.patch')
-rw-r--r-- | pkgs/development/libraries/libwmf/CVE-2006-3376.patch | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/pkgs/development/libraries/libwmf/CVE-2006-3376.patch b/pkgs/development/libraries/libwmf/CVE-2006-3376.patch new file mode 100644 index 00000000000..4c7519d9c10 --- /dev/null +++ b/pkgs/development/libraries/libwmf/CVE-2006-3376.patch @@ -0,0 +1,28 @@ +--- libwmf-0.2.8.4.orig/src/player.c ++++ libwmf-0.2.8.4/src/player.c +@@ -23,6 +23,7 @@ + + #include <stdio.h> + #include <stdlib.h> ++#include <stdint.h> + #include <string.h> + #include <math.h> + +@@ -132,8 +133,14 @@ + } + } + +-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); +- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); ++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2) ++ { ++ API->err = wmf_E_InsMem; ++ WMF_DEBUG (API,"bailing..."); ++ return (API->err); ++ } ++ ++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); + + if (ERR (API)) + { WMF_DEBUG (API,"bailing..."); + |