HCoop / jackhill / guix / guix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
gnu: offlineimap: Update to 7.0.12.
[jackhill/guix/guix.git] / gnu / packages / patches / libwmf-CVE-2015-0848+CVE-2015-4588.patch
1 Copied from Fedora.
2
3 http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
4
5 --- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
6 +++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
7 @@ -859,7 +859,7 @@
8 %
9 %
10 */
11 -static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
12 +static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
13 { int byte;
14 int count;
15 int i;
16 @@ -870,12 +870,14 @@
17 U32 u;
18
19 unsigned char* q;
20 + unsigned char* end;
21
22 for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
23
24 byte = 0;
25 x = 0;
26 q = pixels;
27 + end = pixels + bmp->width * bmp->height;
28
29 for (y = 0; y < bmp->height; )
30 { count = ReadBlobByte (src);
31 @@ -884,7 +886,10 @@
32 { /* Encoded mode. */
33 byte = ReadBlobByte (src);
34 for (i = 0; i < count; i++)
35 - { if (compression == 1)
36 + {
37 + if (q == end)
38 + return 0;
39 + if (compression == 1)
40 { (*(q++)) = (unsigned char) byte;
41 }
42 else
43 @@ -896,13 +901,15 @@
44 else
45 { /* Escape mode. */
46 count = ReadBlobByte (src);
47 - if (count == 0x01) return;
48 + if (count == 0x01) return 1;
49 switch (count)
50 {
51 case 0x00:
52 { /* End of line. */
53 x = 0;
54 y++;
55 + if (y >= bmp->height)
56 + return 0;
57 q = pixels + y * bmp->width;
58 break;
59 }
60 @@ -910,13 +917,20 @@
61 { /* Delta mode. */
62 x += ReadBlobByte (src);
63 y += ReadBlobByte (src);
64 + if (y >= bmp->height)
65 + return 0;
66 + if (x >= bmp->width)
67 + return 0;
68 q = pixels + y * bmp->width + x;
69 break;
70 }
71 default:
72 { /* Absolute mode. */
73 for (i = 0; i < count; i++)
74 - { if (compression == 1)
75 + {
76 + if (q == end)
77 + return 0;
78 + if (compression == 1)
79 { (*(q++)) = ReadBlobByte (src);
80 }
81 else
82 @@ -943,7 +957,7 @@
83 byte = ReadBlobByte (src); /* end of line */
84 byte = ReadBlobByte (src);
85
86 - return;
87 + return 1;
88 }
89
90 /*
91 @@ -1143,8 +1157,18 @@
92 }
93 }
94 else
95 - { /* Convert run-length encoded raster pixels. */
96 - DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
97 + {
98 + if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
99 + {
100 + if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
101 + { WMF_ERROR (API,"corrupt bmp");
102 + API->err = wmf_E_BadFormat;
103 + }
104 + }
105 + else
106 + { WMF_ERROR (API,"Unexpected pixel depth");
107 + API->err = wmf_E_BadFormat;
108 + }
109 }
110
111 if (ERR (API))
112 --- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
113 +++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
114 @@ -48,7 +48,7 @@
115 static unsigned short ReadBlobLSBShort (BMPSource*);
116 static unsigned long ReadBlobLSBLong (BMPSource*);
117 static long TellBlob (BMPSource*);
118 -static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
119 +static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
120 static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
121 static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
122 static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
jackhill's copy of GNU Guix: https://guix.gnu.org/