3 http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
5 --- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
6 +++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
11 -static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
12 +static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
22 for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
27 + end = pixels + bmp->width * bmp->height;
29 for (y = 0; y < bmp->height; )
30 { count = ReadBlobByte (src);
33 byte = ReadBlobByte (src);
34 for (i = 0; i < count; i++)
35 - { if (compression == 1)
39 + if (compression == 1)
40 { (*(q++)) = (unsigned char) byte;
46 count = ReadBlobByte (src);
47 - if (count == 0x01) return;
48 + if (count == 0x01) return 1;
55 + if (y >= bmp->height)
57 q = pixels + y * bmp->width;
62 x += ReadBlobByte (src);
63 y += ReadBlobByte (src);
64 + if (y >= bmp->height)
66 + if (x >= bmp->width)
68 q = pixels + y * bmp->width + x;
72 { /* Absolute mode. */
73 for (i = 0; i < count; i++)
74 - { if (compression == 1)
78 + if (compression == 1)
79 { (*(q++)) = ReadBlobByte (src);
83 byte = ReadBlobByte (src); /* end of line */
84 byte = ReadBlobByte (src);
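Review bot: The new bound `end = pixels + bmp->width * bmp->height;` multiplies the dimensions without the `(U32)` casts that the zeroing loop just above it uses, so the two can disagree about the buffer size. The field declarations are outside the visible lines, but if `width` and `height` are narrower than `int`, the product is computed in signed `int` and can overflow for large dimensions, leaving every check against `end` pointing at the wrong address. I would write `end = pixels + (U32) bmp->width * (U32) bmp->height;` so it matches the loop. Separately, the delta-mode lines `x += ReadBlobByte (src);` and `y += ReadBlobByte (src);` add the return value before the new upper-bound checks run; if `ReadBlobByte` can return a negative end-of-data value (not visible here), it should be rejected before the addition. Much of the DecodeImage body is not shown in this listing, so both points need checking against the full function.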
91 @@ -1143,8 +1157,18 @@
95 - { /* Convert run-length encoded raster pixels. */
96 - DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
98 + if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
100 + if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
101 + { WMF_ERROR (API,"corrupt bmp");
102 + API->err = wmf_E_BadFormat;
106 + { WMF_ERROR (API,"Unexpected pixel depth");
107 + API->err = wmf_E_BadFormat;
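Review bot: The new gate `if (bmp_info.bits_per_pixel == 8)` validates only the pixel depth, while `bmp_info.compression` is still passed to DecodeImage unchecked, and DecodeImage takes its alternate path for any value other than 1 (the `if (compression == 1)` tests in the earlier hunk). If the enclosing condition, which is outside this hunk, does not already restrict the compression value, an 8-bit image declaring a different compression type would be decoded with the mismatched path rather than rejected. Consider `if (bmp_info.bits_per_pixel == 8 && bmp_info.compression == 1)`, or add a comment stating which depth/compression pairs are meant to be accepted. A one-line comment on DecodeImage saying it returns 1 on success and 0 on corrupt input would also make the `!DecodeImage (...)` test easier to read.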
112 --- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
113 +++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
115 static unsigned short ReadBlobLSBShort (BMPSource*);
116 static unsigned long ReadBlobLSBLong (BMPSource*);
117 static long TellBlob (BMPSource*);
118 -static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
119 +static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
120 static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
121 static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
122 static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);