[jackhill/guix/guix.git] / gnu / packages / patches / libwmf-CVE-2015-0848+CVE-2015-4588.patch

Copied from Fedora.

http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch

--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-08 14:46:24.591876404 +0100
+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-08 14:46:35.345993247 +0100
@@ -859,7 +859,7 @@
 %
 %
 */
-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
 {	int byte;
 	int count;
 	int i;
@@ -870,12 +870,14 @@
 	U32 u;
 
 	unsigned char* q;
+	unsigned char* end;
 
 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
 
 	byte = 0;
 	x = 0;
 	q = pixels;
+	end = pixels + bmp->width * bmp->height;
 
 	for (y = 0; y < bmp->height; )
 	{	count = ReadBlobByte (src);
@@ -884,7 +886,10 @@
 		{	/* Encoded mode. */
 			byte = ReadBlobByte (src);
 			for (i = 0; i < count; i++)
-			{	if (compression == 1)
+			{	
+				if (q == end)
+					return 0;
+			 	if (compression == 1)
 				{	(*(q++)) = (unsigned char) byte;
 				}
 				else
@@ -896,13 +901,15 @@
 		else
 		{	/* Escape mode. */
 			count = ReadBlobByte (src);
-			if (count == 0x01) return;
+			if (count == 0x01) return 1;
 			switch (count)
 			{
 			case 0x00:
 			 {	/* End of line. */
 				x = 0;
 				y++;
+				if (y >= bmp->height)
+					return 0;
 				q = pixels + y * bmp->width;
 				break;
 			 }
@@ -910,13 +917,20 @@
 			 {	/* Delta mode. */
 				x += ReadBlobByte (src);
 				y += ReadBlobByte (src);
+				if (y >= bmp->height)
+					return 0;
+				if (x >= bmp->width)
+					return 0;
 				q = pixels + y * bmp->width + x;
 				break;
 			 }
 			default:
 			 {	/* Absolute mode. */
 				for (i = 0; i < count; i++)
-				{	if (compression == 1)
+				{
+					if (q == end)
+						return 0;
+					if (compression == 1)
 					{	(*(q++)) = ReadBlobByte (src);
 					}
 					else
@@ -943,7 +957,7 @@
 	byte = ReadBlobByte (src);  /* end of line */
 	byte = ReadBlobByte (src);
 
-	return;
+	return 1;
 }
 
 /*
@@ -1143,8 +1157,18 @@
 		}
 	}
 	else
-	{	/* Convert run-length encoded raster pixels. */
-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+	{
+		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
+		{
+			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
+			{	WMF_ERROR (API,"corrupt bmp");
+				API->err = wmf_E_BadFormat;
+			}
+		}
+		else
+		{	WMF_ERROR (API,"Unexpected pixel depth");
+			API->err = wmf_E_BadFormat;
+		}
 	}
 
 	if (ERR (API))
--- libwmf-0.2.8.4/src/ipa/ipa.h	2015-06-08 14:46:24.590876393 +0100
+++ libwmf-0.2.8.4/src/ipa/ipa.h	2015-06-08 14:46:35.345993247 +0100
@@ -48,7 +48,7 @@
 static unsigned short ReadBlobLSBShort (BMPSource*);
 static unsigned long  ReadBlobLSBLong (BMPSource*);
 static long           TellBlob (BMPSource*);
-static void           DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+static int            DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
 static void           ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
 static int            ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
 static void           SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
Commit	Line	Data
f956d661 MW	1	Copied from Fedora.
	2
	3	http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
	4
	5	--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
	6	+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
	7	@@ -859,7 +859,7 @@
	8	%
	9	%
	10	*/
	11	-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
	12	+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
	13	{ int byte;
	14	int count;
	15	int i;
	16	@@ -870,12 +870,14 @@
	17	U32 u;
	18
	19	unsigned char* q;
	20	+ unsigned char* end;
	21
	22	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
	23
	24	byte = 0;
	25	x = 0;
	26	q = pixels;
	27	+ end = pixels + bmp->width * bmp->height;
	28
	29	for (y = 0; y < bmp->height; )
	30	{ count = ReadBlobByte (src);
	31	@@ -884,7 +886,10 @@
	32	{ /* Encoded mode. */
	33	byte = ReadBlobByte (src);
	34	for (i = 0; i < count; i++)
	35	- { if (compression == 1)
	36	+ {
	37	+ if (q == end)
	38	+ return 0;
	39	+ if (compression == 1)
	40	{ (*(q++)) = (unsigned char) byte;
	41	}
	42	else
	43	@@ -896,13 +901,15 @@
	44	else
	45	{ /* Escape mode. */
	46	count = ReadBlobByte (src);
	47	- if (count == 0x01) return;
	48	+ if (count == 0x01) return 1;
	49	switch (count)
	50	{
	51	case 0x00:
	52	{ /* End of line. */
	53	x = 0;
	54	y++;
	55	+ if (y >= bmp->height)
	56	+ return 0;
	57	q = pixels + y * bmp->width;
	58	break;
	59	}
	60	@@ -910,13 +917,20 @@
	61	{ /* Delta mode. */
	62	x += ReadBlobByte (src);
	63	y += ReadBlobByte (src);
	64	+ if (y >= bmp->height)
65	+ return 0;
66	+ if (x >= bmp->width)
67	+ return 0;
68	q = pixels + y * bmp->width + x;
69	break;
70	}
71	default:
72	{ /* Absolute mode. */
73	for (i = 0; i < count; i++)
74	- { if (compression == 1)
75	+ {
76	+ if (q == end)
77	+ return 0;
78	+ if (compression == 1)
79	{ (*(q++)) = ReadBlobByte (src);
80	}
81	else
82	@@ -943,7 +957,7 @@
83	byte = ReadBlobByte (src); /* end of line */
84	byte = ReadBlobByte (src);
85
86	- return;
87	+ return 1;
88	}
89
90	/*
91	@@ -1143,8 +1157,18 @@
92	}
93	}
94	else
95	- { /* Convert run-length encoded raster pixels. */
96	- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
97	+ {
98	+ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
99	+ {
100	+ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
101	+ { WMF_ERROR (API,"corrupt bmp");
102	+ API->err = wmf_E_BadFormat;
103	+ }
104	+ }
105	+ else
106	+ { WMF_ERROR (API,"Unexpected pixel depth");
107	+ API->err = wmf_E_BadFormat;
108	+ }
109	}
110
111	if (ERR (API))
112	--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
113	+++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
114	@@ -48,7 +48,7 @@
115	static unsigned short ReadBlobLSBShort (BMPSource*);
116	static unsigned long ReadBlobLSBLong (BMPSource*);
117	static long TellBlob (BMPSource*);
118	-static void DecodeImage (wmfAPI,wmfBMP,BMPSource,unsigned int,unsigned char);
119	+static int DecodeImage (wmfAPI,wmfBMP,BMPSource,unsigned int,unsigned char);
120	static void ReadBMPImage (wmfAPI,wmfBMP,BMPSource*);
121	static int ExtractColor (wmfAPI,wmfBMP,wmfRGB*,unsigned int,unsigned int);
122	static void SetColor (wmfAPI,wmfBMP,wmfRGB*,unsigned char,unsigned int,unsigned int);