Annotation of /trunk/libwmf/patches/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
Parent Directory | Revision Log
Revision 2938 -
(hide annotations)
(download)
Tue May 30 10:46:40 2017 UTC (7 years, 3 months ago) by niro
File size: 3240 byte(s)
Tue May 30 10:46:40 2017 UTC (7 years, 3 months ago) by niro
File size: 3240 byte(s)
-added a bunch of security patches
1 | niro | 2938 | --- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100 |
2 | +++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100 | ||
3 | @@ -859,7 +859,7 @@ | ||
4 | % | ||
5 | % | ||
6 | */ | ||
7 | -static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) | ||
8 | +static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) | ||
9 | { int byte; | ||
10 | int count; | ||
11 | int i; | ||
12 | @@ -870,12 +870,14 @@ | ||
13 | U32 u; | ||
14 | |||
15 | unsigned char* q; | ||
16 | + unsigned char* end; | ||
17 | |||
18 | for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; | ||
19 | |||
20 | byte = 0; | ||
21 | x = 0; | ||
22 | q = pixels; | ||
23 | + end = pixels + bmp->width * bmp->height; | ||
24 | |||
25 | for (y = 0; y < bmp->height; ) | ||
26 | { count = ReadBlobByte (src); | ||
27 | @@ -884,7 +886,10 @@ | ||
28 | { /* Encoded mode. */ | ||
29 | byte = ReadBlobByte (src); | ||
30 | for (i = 0; i < count; i++) | ||
31 | - { if (compression == 1) | ||
32 | + { | ||
33 | + if (q == end) | ||
34 | + return 0; | ||
35 | + if (compression == 1) | ||
36 | { (*(q++)) = (unsigned char) byte; | ||
37 | } | ||
38 | else | ||
39 | @@ -896,13 +901,15 @@ | ||
40 | else | ||
41 | { /* Escape mode. */ | ||
42 | count = ReadBlobByte (src); | ||
43 | - if (count == 0x01) return; | ||
44 | + if (count == 0x01) return 1; | ||
45 | switch (count) | ||
46 | { | ||
47 | case 0x00: | ||
48 | { /* End of line. */ | ||
49 | x = 0; | ||
50 | y++; | ||
51 | + if (y >= bmp->height) | ||
52 | + return 0; | ||
53 | q = pixels + y * bmp->width; | ||
54 | break; | ||
55 | } | ||
56 | @@ -910,13 +917,20 @@ | ||
57 | { /* Delta mode. */ | ||
58 | x += ReadBlobByte (src); | ||
59 | y += ReadBlobByte (src); | ||
60 | + if (y >= bmp->height) | ||
61 | + return 0; | ||
62 | + if (x >= bmp->width) | ||
63 | + return 0; | ||
64 | q = pixels + y * bmp->width + x; | ||
65 | break; | ||
66 | } | ||
67 | default: | ||
68 | { /* Absolute mode. */ | ||
69 | for (i = 0; i < count; i++) | ||
70 | - { if (compression == 1) | ||
71 | + { | ||
72 | + if (q == end) | ||
73 | + return 0; | ||
74 | + if (compression == 1) | ||
75 | { (*(q++)) = ReadBlobByte (src); | ||
76 | } | ||
77 | else | ||
78 | @@ -943,7 +957,7 @@ | ||
79 | byte = ReadBlobByte (src); /* end of line */ | ||
80 | byte = ReadBlobByte (src); | ||
81 | |||
82 | - return; | ||
83 | + return 1; | ||
84 | } | ||
85 | |||
86 | /* | ||
87 | @@ -1143,8 +1157,18 @@ | ||
88 | } | ||
89 | } | ||
90 | else | ||
91 | - { /* Convert run-length encoded raster pixels. */ | ||
92 | - DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); | ||
93 | + { | ||
94 | + if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ | ||
95 | + { | ||
96 | + if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) | ||
97 | + { WMF_ERROR (API,"corrupt bmp"); | ||
98 | + API->err = wmf_E_BadFormat; | ||
99 | + } | ||
100 | + } | ||
101 | + else | ||
102 | + { WMF_ERROR (API,"Unexpected pixel depth"); | ||
103 | + API->err = wmf_E_BadFormat; | ||
104 | + } | ||
105 | } | ||
106 | |||
107 | if (ERR (API)) | ||
108 | --- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100 | ||
109 | +++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100 | ||
110 | @@ -48,7 +48,7 @@ | ||
111 | static unsigned short ReadBlobLSBShort (BMPSource*); | ||
112 | static unsigned long ReadBlobLSBLong (BMPSource*); | ||
113 | static long TellBlob (BMPSource*); | ||
114 | -static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); | ||
115 | +static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); | ||
116 | static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); | ||
117 | static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); | ||
118 | static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); |