plug integer overflows in skin handling (CVE-2007-0653, CVE-2007-0654),

patch from Debian

1 files changed, 46 insertions, 0 deletions

diff --git a/audio/xmms/patches/patch-aq b/audio/xmms/patches/patch-aq
new file mode 100644
index 00000000000..17524c30cdd
--- /dev/null
+++ b/audio/xmms/patches/patch-aq
@@ -0,0 +1,46 @@
+$NetBSD: patch-aq,v 1.3 2007/04/10 12:19:40 drochner Exp $
+
+--- ./xmms/bmp.c.orig	2002-02-12 00:15:56.000000000 +0100
++++ ./xmms/bmp.c
+@@ -19,6 +19,12 @@
+  */
+ #include "xmms.h"
+ 
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ typedef struct tagRGBQUAD
+ {
+ 	guchar rgbBlue;
+@@ -184,7 +190,7 @@ GdkPixmap *read_bmp(gchar * filename)
+ 	}
+ 	else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
+ 	{
+-		gint ncols, i;
++		guint32 ncols, i;
+ 
+ 		ncols = offset - headSize - 14;
+ 		if (headSize == 12)
+@@ -200,10 +206,18 @@ GdkPixmap *read_bmp(gchar * filename)
+ 		}
+ 	}
+ 	fseek(file, offset, SEEK_SET);
++	/* verify buffer size */
++	if (!h || !w ||
++	    w > (((UINT32_MAX - 3) / 3) / h) ||
++	    h > (((UINT32_MAX - 3) / 3) / w)) {
++		g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
++		fclose(file);
++		return NULL;
++	}
++	data = g_malloc0((w * 3 * h) + 3);      /* +3 is just for safety */
+ 	buffer = g_malloc(imgsize);
+ 	fread(buffer, imgsize, 1, file);
+ 	fclose(file);
+-	data = g_malloc0((w * 3 * h) + 3);	/* +3 is just for safety */
+ 
+ 	if (bitcount == 1)
+ 		read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);