64 lines
1.6 KiB
Diff
64 lines
1.6 KiB
Diff
Based on a patch from Fedora.
|
|
|
|
http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3472.patch
|
|
|
|
--- libwmf-0.2.8.4/src/extra/gd/gd.c
|
|
+++ libwmf-0.2.8.4/src/extra/gd/gd.c
|
|
@@ -106,6 +106,18 @@
|
|
gdImagePtr im;
|
|
unsigned long cpa_size;
|
|
|
|
+ if (overflow2(sx, sy)) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ if (overflow2(sizeof (int *), sy)) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ if (overflow2(sizeof(int), sx)) {
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
im = (gdImage *) gdMalloc (sizeof (gdImage));
|
|
if (im == 0) return 0;
|
|
memset (im, 0, sizeof (gdImage));
|
|
--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000
|
|
+++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000
|
|
@@ -2,6 +2,7 @@
|
|
#include "gdhelpers.h"
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
+#include <limits.h>
|
|
|
|
/* TBB: gd_strtok_r is not portable; provide an implementation */
|
|
|
|
@@ -94,3 +95,18 @@
|
|
{
|
|
free (ptr);
|
|
}
|
|
+
|
|
+int overflow2(int a, int b)
|
|
+{
|
|
+ if(a < 0 || b < 0) {
|
|
+ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
|
|
+ return 1;
|
|
+ }
|
|
+ if(b == 0)
|
|
+ return 0;
|
|
+ if(a > INT_MAX / b) {
|
|
+ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
|
|
+ return 1;
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000
|
|
+++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000
|
|
@@ -15,4 +15,6 @@
|
|
void *gdMalloc(size_t size);
|
|
void *gdRealloc(void *ptr, size_t size);
|
|
|
|
+int overflow2(int a, int b);
|
|
+
|
|
#endif /* GDHELPERS_H */
|