Diffstat (limited to 'graphics/libwmf')
-rw-r--r--graphics/libwmf/Makefile4
-rw-r--r--graphics/libwmf/distinfo3
-rw-r--r--graphics/libwmf/patches/patch-ae31
3 files changed, 35 insertions, 3 deletions
diff --git a/graphics/libwmf/Makefile b/graphics/libwmf/Makefile
index 5ec053bff61..32c50512027 100644
--- a/graphics/libwmf/Makefile
+++ b/graphics/libwmf/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.59 2006/04/17 13:46:00 wiz Exp $
+# $NetBSD: Makefile,v 1.60 2006/08/20 21:38:45 salo Exp $
DISTNAME= libwmf-0.2.8.4
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= graphics devel
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=wvware/}
diff --git a/graphics/libwmf/distinfo b/graphics/libwmf/distinfo
index 4cec03d233f..6256186c176 100644
--- a/graphics/libwmf/distinfo
+++ b/graphics/libwmf/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.13 2006/01/18 22:04:58 adam Exp $
+$NetBSD: distinfo,v 1.14 2006/08/20 21:38:45 salo Exp $
SHA1 (libwmf-0.2.8.4.tar.gz) = 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89
RMD160 (libwmf-0.2.8.4.tar.gz) = 98cd631adb5bb332d9224d04bc8a265c105435f2
Size (libwmf-0.2.8.4.tar.gz) = 2169375 bytes
SHA1 (patch-ad) = b74be16c5da490394b86403009f5f35d80ba4bfa
+SHA1 (patch-ae) = 644684733090c26250a1ce0e2c5a6c978bd54b74
diff --git a/graphics/libwmf/patches/patch-ae b/graphics/libwmf/patches/patch-ae
new file mode 100644
index 00000000000..11c39521681
--- /dev/null
+++ b/graphics/libwmf/patches/patch-ae
@@ -0,0 +1,31 @@
+$NetBSD: patch-ae,v 1.1 2006/08/20 21:38:45 salo Exp $
+
+Security fix for CVE-2006-3376, from Red Hat.
+
+--- src/player.c.orig 2002-12-10 20:30:26.000000000 +0100
++++ src/player.c 2006-08-20 23:29:44.000000000 +0200
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings */
+ #include "player/record.h" /* Provides: parameter mechanism */
+ #include "player/meta.h" /* Provides: record interpreters */
++#include <stdint.h>
+
+ /**
+ * @internal
+@@ -132,8 +133,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX/ 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
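Review bot: The new guard in the embedded src/player.c hunk, `if (MAX_REC_SIZE(API) > UINT32_MAX/ 2)`, has no comment and reuses the `"bailing..."` debug string of the allocation-failure path just below it, so in debug output a rejected oversized record size from the input file looks the same as a genuine out-of-memory condition. I would add a comment such as `/* refuse sizes whose doubling would wrap before wmf_malloc (CVE-2006-3376) */` and give the guard its own message, e.g. `WMF_DEBUG (API,"max record size too large, bailing...");`. The bound is written against UINT32_MAX, which presumably matches the type that MAX_REC_SIZE expands to; that definition is not visible here, so it is worth confirming that the `* 2` is really evaluated in 32 bits and not in a wider or narrower type. The enclosing function in player.c starts and ends outside the hunk.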