libwmf/libwmf-0.2.8.3-gd-CAN-2004-0990.patch

61 lines
2.0 KiB
Diff
Raw Permalink Normal View History

--- libwmf-0.2.8.3/src/extra/gd/gd_security.c.can-2004-0941 2006-06-27 10:50:03.759375715 -0600
+++ libwmf-0.2.8.3/src/extra/gd/gd_security.c 2006-06-27 10:50:03.758375891 -0600
@@ -0,0 +1,29 @@
+/*
+ * gd_security.c
+ *
+ * Implements buffer overflow check routines.
+ *
+ * Written 2004, Phil Knirsch.
+ * Based on netpbm fixes by Alan Cox.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include "gd.h"
+
+int overflow2(int a, int b)
+{
+ if(a < 0 || b < 0) {
+ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
+ return 1;
+ }
+ if(b == 0)
+ return 0;
+ if(a > INT_MAX / b) {
+ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+ return 1;
+ }
+ return 0;
+}
--- libwmf-0.2.8.3/src/extra/gd/gd_png.c.can-2004-0941 2001-05-19 07:09:34.000000000 -0600
+++ libwmf-0.2.8.3/src/extra/gd/gd_png.c 2006-06-27 10:50:03.759375715 -0600
@@ -181,6 +181,14 @@ gdImageCreateFromPngCtx (gdIOCtx * infil
png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (overflow2(sizeof (int), width))
+ {
+ return NULL;
+ }
+ if (overflow2(sizeof (int) * width, height))
+ {
+ return NULL;
+ }
if ((color_type == PNG_COLOR_TYPE_RGB) ||
(color_type == PNG_COLOR_TYPE_RGB_ALPHA))
{
--- libwmf-0.2.8.3/src/extra/gd/Makefile.am.can-2004-0941 2006-06-27 11:17:53.989958700 -0600
+++ libwmf-0.2.8.3/src/extra/gd/Makefile.am 2006-06-27 11:18:22.549314009 -0600
@@ -22,7 +22,7 @@ libgd_la_SOURCES = gd.c gd_gd.c gd_gd2.c
gd_io_file.c gd_ss.c gd_io_ss.c gd_png.c gd_jpeg.c gdxpm.c \
gdfontt.c gdfonts.c gdfontmb.c gdfontl.c gdfontg.c \
gdtables.c gdft.c gdcache.c gdkanji.c wbmp.c \
- gd_wbmp.c gdhelpers.c gd_topal.c gd_clip.c
+ gd_wbmp.c gdhelpers.c gd_topal.c gd_clip.c gd_security.c
gddir = $(includedir)/libwmf/gd