diff options
| author | Mark H Weaver <mhw@netris.org> | 2015-10-08 10:43:40 -0400 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2015-10-08 10:46:30 -0400 |
| commit | f956d661add890acb41592482a8a0c3fd90afd76 (patch) | |
| tree | 796d7838d9fd3b8dac7020988bb963e0c325f7a9 /gnu/packages/patches/libwmf-CVE-2007-3472.patch | |
| parent | 48e4a9f32f93c404b6fb4472164d8e00d12b2937 (diff) | |
| download | guix-f956d661add890acb41592482a8a0c3fd90afd76.tar.gz | |
gnu: libwmf: Add fixes for several security flaws.
* gnu/packages/patches/libwmf-CAN-2004-0941.patch, gnu/packages/patches/libwmf-CVE-2007-0455.patch, gnu/packages/patches/libwmf-CVE-2007-2756.patch, gnu/packages/patches/libwmf-CVE-2007-3472.patch, gnu/packages/patches/libwmf-CVE-2007-3473.patch, gnu/packages/patches/libwmf-CVE-2007-3477.patch, gnu/packages/patches/libwmf-CVE-2009-3546.patch: New files. * gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch: Delete file. Replace with ... * gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch, gnu/packages/patches/libwmf-CVE-2015-4695.patch, gnu/packages/patches/libwmf-CVE-2015-4696.patch: ... these new files. * gnu-system.am (dist_patch_DATA): Adjust accordingly. * gnu/packages/image.scm (libwmf)[source]: Adjust set of patches.
Diffstat (limited to 'gnu/packages/patches/libwmf-CVE-2007-3472.patch')
| -rw-r--r-- | gnu/packages/patches/libwmf-CVE-2007-3472.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/gnu/packages/patches/libwmf-CVE-2007-3472.patch b/gnu/packages/patches/libwmf-CVE-2007-3472.patch new file mode 100644 index 0000000000..180bdb5fc2 --- /dev/null +++ b/gnu/packages/patches/libwmf-CVE-2007-3472.patch @@ -0,0 +1,63 @@ +Based on a patch from Fedora. + +http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3472.patch + +--- libwmf-0.2.8.4/src/extra/gd/gd.c ++++ libwmf-0.2.8.4/src/extra/gd/gd.c +@@ -106,6 +106,18 @@ + gdImagePtr im; + unsigned long cpa_size; + ++ if (overflow2(sx, sy)) { ++ return NULL; ++ } ++ ++ if (overflow2(sizeof (int *), sy)) { ++ return NULL; ++ } ++ ++ if (overflow2(sizeof(int), sx)) { ++ return NULL; ++ } ++ + im = (gdImage *) gdMalloc (sizeof (gdImage)); + if (im == 0) return 0; + memset (im, 0, sizeof (gdImage)); +--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000 ++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000 +@@ -2,6 +2,7 @@ + #include "gdhelpers.h" + #include <stdlib.h> + #include <string.h> ++#include <limits.h> + + /* TBB: gd_strtok_r is not portable; provide an implementation */ + +@@ -94,3 +95,18 @@ + { + free (ptr); + } ++ ++int overflow2(int a, int b) ++{ ++ if(a < 0 || b < 0) { ++ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n"); ++ return 1; ++ } ++ if(b == 0) ++ return 0; ++ if(a > INT_MAX / b) { ++ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); ++ return 1; ++ } ++ return 0; ++} +--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000 ++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000 +@@ -15,4 +15,6 @@ + void *gdMalloc(size_t size); + void *gdRealloc(void *ptr, size_t size); + ++int overflow2(int a, int b); ++ + #endif /* GDHELPERS_H */ |