Annotation of /trunk/libwmf/patches/libwmf-0.2.8.4-CVE-2007-3472.patch
Parent Directory | Revision Log
Revision 2938 -
(hide annotations)
(download)
Tue May 30 10:46:40 2017 UTC (7 years, 3 months ago) by niro
File size: 1537 byte(s)
Tue May 30 10:46:40 2017 UTC (7 years, 3 months ago) by niro
File size: 1537 byte(s)
-added a bunch of security patches
1 | niro | 2938 | --- libwmf-0.2.8.4/src/extra/gd/gd.c |
2 | +++ libwmf-0.2.8.4/src/extra/gd/gd.c | ||
3 | @@ -106,6 +106,18 @@ | ||
4 | gdImagePtr im; | ||
5 | unsigned long cpa_size; | ||
6 | |||
7 | + if (overflow2(sx, sy)) { | ||
8 | + return NULL; | ||
9 | + } | ||
10 | + | ||
11 | + if (overflow2(sizeof (int *), sy)) { | ||
12 | + return NULL; | ||
13 | + } | ||
14 | + | ||
15 | + if (overflow2(sizeof(int), sx)) { | ||
16 | + return NULL; | ||
17 | + } | ||
18 | + | ||
19 | im = (gdImage *) gdMalloc (sizeof (gdImage)); | ||
20 | if (im == 0) return 0; | ||
21 | memset (im, 0, sizeof (gdImage)); | ||
22 | --- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000 | ||
23 | +++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000 | ||
24 | @@ -2,6 +2,7 @@ | ||
25 | #include "gdhelpers.h" | ||
26 | #include <stdlib.h> | ||
27 | #include <string.h> | ||
28 | +#include <limits.h> | ||
29 | |||
30 | /* TBB: gd_strtok_r is not portable; provide an implementation */ | ||
31 | |||
32 | @@ -94,3 +95,18 @@ | ||
33 | { | ||
34 | free (ptr); | ||
35 | } | ||
36 | + | ||
37 | +int overflow2(int a, int b) | ||
38 | +{ | ||
39 | + if(a < 0 || b < 0) { | ||
40 | + fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n"); | ||
41 | + return 1; | ||
42 | + } | ||
43 | + if(b == 0) | ||
44 | + return 0; | ||
45 | + if(a > INT_MAX / b) { | ||
46 | + fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); | ||
47 | + return 1; | ||
48 | + } | ||
49 | + return 0; | ||
50 | +} | ||
51 | --- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000 | ||
52 | +++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000 | ||
53 | @@ -15,4 +15,6 @@ | ||
54 | void *gdMalloc(size_t size); | ||
55 | void *gdRealloc(void *ptr, size_t size); | ||
56 | |||
57 | +int overflow2(int a, int b); | ||
58 | + | ||
59 | #endif /* GDHELPERS_H */ |