Commit | Line | Data |
---|---|---|
f956d661 MW |
1 | Copied from Fedora. |
2 | ||
3 | http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch | |
4 | ||
5 | --- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100 | |
6 | +++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100 | |
7 | @@ -859,7 +859,7 @@ | |
8 | % | |
9 | % | |
10 | */ | |
11 | -static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) | |
12 | +static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) | |
13 | { int byte; | |
14 | int count; | |
15 | int i; | |
16 | @@ -870,12 +870,14 @@ | |
17 | U32 u; | |
18 | ||
19 | unsigned char* q; | |
20 | + unsigned char* end; | |
21 | ||
22 | for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; | |
23 | ||
24 | byte = 0; | |
25 | x = 0; | |
26 | q = pixels; | |
27 | + end = pixels + bmp->width * bmp->height; | |
28 | ||
29 | for (y = 0; y < bmp->height; ) | |
30 | { count = ReadBlobByte (src); | |
31 | @@ -884,7 +886,10 @@ | |
32 | { /* Encoded mode. */ | |
33 | byte = ReadBlobByte (src); | |
34 | for (i = 0; i < count; i++) | |
35 | - { if (compression == 1) | |
36 | + { | |
37 | + if (q == end) | |
38 | + return 0; | |
39 | + if (compression == 1) | |
40 | { (*(q++)) = (unsigned char) byte; | |
41 | } | |
42 | else | |
43 | @@ -896,13 +901,15 @@ | |
44 | else | |
45 | { /* Escape mode. */ | |
46 | count = ReadBlobByte (src); | |
47 | - if (count == 0x01) return; | |
48 | + if (count == 0x01) return 1; | |
49 | switch (count) | |
50 | { | |
51 | case 0x00: | |
52 | { /* End of line. */ | |
53 | x = 0; | |
54 | y++; | |
55 | + if (y >= bmp->height) | |
56 | + return 0; | |
57 | q = pixels + y * bmp->width; | |
58 | break; | |
59 | } | |
60 | @@ -910,13 +917,20 @@ | |
61 | { /* Delta mode. */ | |
62 | x += ReadBlobByte (src); | |
63 | y += ReadBlobByte (src); | |
64 | + if (y >= bmp->height) | |
65 | + return 0; | |
66 | + if (x >= bmp->width) | |
67 | + return 0; | |
68 | q = pixels + y * bmp->width + x; | |
69 | break; | |
70 | } | |
71 | default: | |
72 | { /* Absolute mode. */ | |
73 | for (i = 0; i < count; i++) | |
74 | - { if (compression == 1) | |
75 | + { | |
76 | + if (q == end) | |
77 | + return 0; | |
78 | + if (compression == 1) | |
79 | { (*(q++)) = ReadBlobByte (src); | |
80 | } | |
81 | else | |
82 | @@ -943,7 +957,7 @@ | |
83 | byte = ReadBlobByte (src); /* end of line */ | |
84 | byte = ReadBlobByte (src); | |
85 | ||
86 | - return; | |
87 | + return 1; | |
88 | } | |
89 | ||
90 | /* | |
91 | @@ -1143,8 +1157,18 @@ | |
92 | } | |
93 | } | |
94 | else | |
95 | - { /* Convert run-length encoded raster pixels. */ | |
96 | - DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); | |
97 | + { | |
98 | + if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ | |
99 | + { | |
100 | + if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) | |
101 | + { WMF_ERROR (API,"corrupt bmp"); | |
102 | + API->err = wmf_E_BadFormat; | |
103 | + } | |
104 | + } | |
105 | + else | |
106 | + { WMF_ERROR (API,"Unexpected pixel depth"); | |
107 | + API->err = wmf_E_BadFormat; | |
108 | + } | |
109 | } | |
110 | ||
111 | if (ERR (API)) | |
112 | --- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100 | |
113 | +++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100 | |
114 | @@ -48,7 +48,7 @@ | |
115 | static unsigned short ReadBlobLSBShort (BMPSource*); | |
116 | static unsigned long ReadBlobLSBLong (BMPSource*); | |
117 | static long TellBlob (BMPSource*); | |
118 | -static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); | |
119 | +static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); | |
120 | static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); | |
121 | static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); | |
122 | static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); |