Contents of /trunk/libwmf/patches/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
Parent Directory | Revision Log
Revision 2938 -
(show annotations)
(download)
Tue May 30 10:46:40 2017 UTC (7 years, 3 months ago) by niro
File size: 3240 byte(s)
Tue May 30 10:46:40 2017 UTC (7 years, 3 months ago) by niro
File size: 3240 byte(s)
-added a bunch of security patches
1 | --- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100 |
2 | +++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100 |
3 | @@ -859,7 +859,7 @@ |
4 | % |
5 | % |
6 | */ |
7 | -static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) |
8 | +static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) |
9 | { int byte; |
10 | int count; |
11 | int i; |
12 | @@ -870,12 +870,14 @@ |
13 | U32 u; |
14 | |
15 | unsigned char* q; |
16 | + unsigned char* end; |
17 | |
18 | for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; |
19 | |
20 | byte = 0; |
21 | x = 0; |
22 | q = pixels; |
23 | + end = pixels + bmp->width * bmp->height; |
24 | |
25 | for (y = 0; y < bmp->height; ) |
26 | { count = ReadBlobByte (src); |
27 | @@ -884,7 +886,10 @@ |
28 | { /* Encoded mode. */ |
29 | byte = ReadBlobByte (src); |
30 | for (i = 0; i < count; i++) |
31 | - { if (compression == 1) |
32 | + { |
33 | + if (q == end) |
34 | + return 0; |
35 | + if (compression == 1) |
36 | { (*(q++)) = (unsigned char) byte; |
37 | } |
38 | else |
39 | @@ -896,13 +901,15 @@ |
40 | else |
41 | { /* Escape mode. */ |
42 | count = ReadBlobByte (src); |
43 | - if (count == 0x01) return; |
44 | + if (count == 0x01) return 1; |
45 | switch (count) |
46 | { |
47 | case 0x00: |
48 | { /* End of line. */ |
49 | x = 0; |
50 | y++; |
51 | + if (y >= bmp->height) |
52 | + return 0; |
53 | q = pixels + y * bmp->width; |
54 | break; |
55 | } |
56 | @@ -910,13 +917,20 @@ |
57 | { /* Delta mode. */ |
58 | x += ReadBlobByte (src); |
59 | y += ReadBlobByte (src); |
60 | + if (y >= bmp->height) |
61 | + return 0; |
62 | + if (x >= bmp->width) |
63 | + return 0; |
64 | q = pixels + y * bmp->width + x; |
65 | break; |
66 | } |
67 | default: |
68 | { /* Absolute mode. */ |
69 | for (i = 0; i < count; i++) |
70 | - { if (compression == 1) |
71 | + { |
72 | + if (q == end) |
73 | + return 0; |
74 | + if (compression == 1) |
75 | { (*(q++)) = ReadBlobByte (src); |
76 | } |
77 | else |
78 | @@ -943,7 +957,7 @@ |
79 | byte = ReadBlobByte (src); /* end of line */ |
80 | byte = ReadBlobByte (src); |
81 | |
82 | - return; |
83 | + return 1; |
84 | } |
85 | |
86 | /* |
87 | @@ -1143,8 +1157,18 @@ |
88 | } |
89 | } |
90 | else |
91 | - { /* Convert run-length encoded raster pixels. */ |
92 | - DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); |
93 | + { |
94 | + if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ |
95 | + { |
96 | + if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) |
97 | + { WMF_ERROR (API,"corrupt bmp"); |
98 | + API->err = wmf_E_BadFormat; |
99 | + } |
100 | + } |
101 | + else |
102 | + { WMF_ERROR (API,"Unexpected pixel depth"); |
103 | + API->err = wmf_E_BadFormat; |
104 | + } |
105 | } |
106 | |
107 | if (ERR (API)) |
108 | --- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100 |
109 | +++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100 |
110 | @@ -48,7 +48,7 @@ |
111 | static unsigned short ReadBlobLSBShort (BMPSource*); |
112 | static unsigned long ReadBlobLSBLong (BMPSource*); |
113 | static long TellBlob (BMPSource*); |
114 | -static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); |
115 | +static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); |
116 | static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); |
117 | static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); |
118 | static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); |