diff options
Diffstat (limited to 'graphics/libwmf/patches/patch-aa')
-rw-r--r-- | graphics/libwmf/patches/patch-aa | 119 |
1 files changed, 117 insertions, 2 deletions
diff --git a/graphics/libwmf/patches/patch-aa b/graphics/libwmf/patches/patch-aa index 9215c544068..3a194d58537 100644 --- a/graphics/libwmf/patches/patch-aa +++ b/graphics/libwmf/patches/patch-aa @@ -1,9 +1,17 @@ -$NetBSD: patch-aa,v 1.7 2011/01/24 13:55:18 wiz Exp $ +$NetBSD: patch-aa,v 1.8 2015/07/17 12:33:47 sevan Exp $ Fix build with png-1.5. https://sourceforge.net/tracker/?func=detail&aid=3164737&group_id=10501&atid=110501 ---- src/ipa/ipa/bmp.h.orig 2001-10-23 11:24:12.000000000 +0000 +CVE-2015-4588 - Heap-based buffer overflow in the DecodeImage function in libwmf +0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly +execute arbitrary code via a crafted "run-length count" in an image in a WMF +file. +CVE-2015-0848 - Heap-based buffer overflow in libwmf 0.2.8.4 allows remote +attackers to cause a denial of service (crash) or possibly execute arbitrary +code via a crafted BMP image. + +--- src/ipa/ipa/bmp.h.orig 2015-07-17 11:09:09.000000000 +0000 +++ src/ipa/ipa/bmp.h @@ -66,7 +66,7 @@ static void ldr_bmp_png (wmfAPI* API,wmf return; @@ -14,3 +22,110 @@ https://sourceforge.net/tracker/?func=detail&aid=3164737&group_id=10501&atid=110 { WMF_DEBUG (API,"Failed to write bitmap as PNG! (setjmp failed)"); png_destroy_write_struct (&png_ptr,&info_ptr); wmf_free (API,buffer); +@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src) + % + % + */ +-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) ++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) + { int byte; + int count; + int i; +@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmf + U32 u; + + unsigned char* q; ++ unsigned char* end; + + for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; + + byte = 0; + x = 0; + q = pixels; ++ end = pixels + bmp->width * bmp->height; + + for (y = 0; y < bmp->height; ) + { count = ReadBlobByte (src); +@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmf + { /* Encoded mode. */ + byte = ReadBlobByte (src); + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = (unsigned char) byte; + } + else +@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmf + else + { /* Escape mode. */ + count = ReadBlobByte (src); +- if (count == 0x01) return; ++ if (count == 0x01) return 1; + switch (count) + { + case 0x00: + { /* End of line. */ + x = 0; + y++; ++ if (y >= bmp->height) ++ return 0; + q = pixels + y * bmp->width; + break; + } +@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmf + { /* Delta mode. */ + x += ReadBlobByte (src); + y += ReadBlobByte (src); ++ if (y >= bmp->height) ++ return 0; ++ if (x >= bmp->width) ++ return 0; + q = pixels + y * bmp->width + x; + break; + } + default: + { /* Absolute mode. */ + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = ReadBlobByte (src); + } + else +@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmf + byte = ReadBlobByte (src); /* end of line */ + byte = ReadBlobByte (src); + +- return; ++ return 1; + } + + /* +@@ -1143,8 +1157,20 @@ static void ReadBMPImage (wmfAPI* API,wm + } + } + else +- { /* Convert run-length encoded raster pixels. */ +- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); ++ { ++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ ++ { ++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) ++ { ++ WMF_ERROR (API,"corrupt bmp"); ++ API->err = wmf_E_BadFormat; ++ } ++ } ++ else ++ { ++ WMF_ERROR (API,"Unexpected pixel depth"); ++ API->err = wmf_E_BadFormat; ++ } + } + + if (ERR (API)) |