summary refs log tree commit diff
path: root/gnu/packages/patches/libwmf-CVE-2006-3376.patch
blob: 1e0e1ecfa8b4c3482c509f10b85b12d17226b8d5 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Copied from Debian.

--- libwmf-0.2.8.4.orig/src/player.c
+++ libwmf-0.2.8.4/src/player.c
@@ -23,6 +23,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include <math.h>
 
@@ -132,8 +133,14 @@
 		}
 	}
 
-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+	if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
+	{
+		API->err = wmf_E_InsMem;
+		WMF_DEBUG (API,"bailing...");
+		return (API->err);
+	}
+
+ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
 
 	if (ERR (API))
 	{	WMF_DEBUG (API,"bailing...");