Based on a patch from Fedora. http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3472.patch --- libwmf-0.2.8.4/src/extra/gd/gd.c +++ libwmf-0.2.8.4/src/extra/gd/gd.c @@ -106,6 +106,18 @@ gdImagePtr im; unsigned long cpa_size; + if (overflow2(sx, sy)) { + return NULL; + } + + if (overflow2(sizeof (int *), sy)) { + return NULL; + } + + if (overflow2(sizeof(int), sx)) { + return NULL; + } + im = (gdImage *) gdMalloc (sizeof (gdImage)); if (im == 0) return 0; memset (im, 0, sizeof (gdImage)); --- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000 +++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000 @@ -2,6 +2,7 @@ #include "gdhelpers.h" #include #include +#include /* TBB: gd_strtok_r is not portable; provide an implementation */ @@ -94,3 +95,18 @@ { free (ptr); } + +int overflow2(int a, int b) +{ + if(a < 0 || b < 0) { + fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n"); + return 1; + } + if(b == 0) + return 0; + if(a > INT_MAX / b) { + fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); + return 1; + } + return 0; +} --- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000 +++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000 @@ -15,4 +15,6 @@ void *gdMalloc(size_t size); void *gdRealloc(void *ptr, size_t size); +int overflow2(int a, int b); + #endif /* GDHELPERS_H */