rpms/libwmf
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
main
libwmf/libwmf-0.2.8.4-CAN-2004-0941.patch

106 lines
3.6 KiB
Diff
Raw Permalink Normal View History

automatic rebuild by autodist [release 0.2.8.4-7mamba;Thu Oct 28 2010]
2024-01-06 06:08:36 +01:00
diff -pur libwmf-0.2.8.4/src/extra/gd/gd.c libwmf-0.2.8.4-fix/src/extra/gd/gd.c
--- libwmf-0.2.8.4/src/extra/gd/gd.c 2005-07-27 22:35:05.000000000 +0200
+++ libwmf-0.2.8.4-fix/src/extra/gd/gd.c 2006-06-30 09:23:28.000000000 +0200
@@ -1866,6 +1866,12 @@ gdImageCopyResized (gdImagePtr dst, gdIm
int *sty;
/* We only need to use floating point to determine the correct
stretch vector for one line's worth. */
+ if (overflow2(sizeof (int), srcW)) {
+ return;
+ }
+ if (overflow2(sizeof (int), srcH)) {
+ return;
+ }
double accum;
stx = (int *) gdMalloc (sizeof (int) * srcW);
sty = (int *) gdMalloc (sizeof (int) * srcH);
@@ -2275,6 +2281,9 @@ gdImageFilledPolygon (gdImagePtr im, gdP
}
if (!im->polyAllocated)
{
+ if (overflow2(sizeof (int), n)) {
+ return;
+ }
im->polyInts = (int *) gdMalloc (sizeof (int) * n);
im->polyAllocated = n;
}
@@ -2369,6 +2378,9 @@ gdImageSetStyle (gdImagePtr im, int *sty
{
gdFree (im->style);
}
+ if (overflow2(sizeof (int), noOfPixels)) {
+ return;
+ }
im->style = (int *)
gdMalloc (sizeof (int) * noOfPixels);
memcpy (im->style, style, sizeof (int) * noOfPixels);
diff -pur libwmf-0.2.8.4/src/extra/gd/gd_io_dp.c libwmf-0.2.8.4-fix/src/extra/gd/gd_io_dp.c
--- libwmf-0.2.8.4/src/extra/gd/gd_io_dp.c 2001-05-19 15:09:34.000000000 +0200
+++ libwmf-0.2.8.4-fix/src/extra/gd/gd_io_dp.c 2006-06-30 09:21:43.000000000 +0200
@@ -185,6 +185,9 @@ dynamicSeek (struct gdIOCtx *ctx, const
bytesNeeded = pos;
if (bytesNeeded > dp->realSize)
{
+ if (overflow2(dp->realSize, 2)) {
+ return FALSE;
+ }
if (!gdReallocDynamic (dp, dp->realSize * 2))
{
dp->dataGood = FALSE;
@@ -356,6 +359,9 @@ appendDynamic (dynamicPtr * dp, const vo
if (bytesNeeded > dp->realSize)
{
+ if (overflow2(dp->realSize, 2)) {
+ return FALSE;
+ }
if (!gdReallocDynamic (dp, bytesNeeded * 2))
{
dp->dataGood = FALSE;
Only in libwmf-0.2.8.4/src/extra/gd: gd_security.c.CAN-2004-0990
diff -pur libwmf-0.2.8.4/src/extra/gd/gd_topal.c libwmf-0.2.8.4-fix/src/extra/gd/gd_topal.c
--- libwmf-0.2.8.4/src/extra/gd/gd_topal.c 2005-07-27 22:35:06.000000000 +0200
+++ libwmf-0.2.8.4-fix/src/extra/gd/gd_topal.c 2006-06-30 09:19:29.000000000 +0200
@@ -670,6 +670,9 @@ select_colors (gdImagePtr im, my_cquanti
int i;
/* Allocate workspace for box list */
+ if (overflow2(desired_colors, sizeof (box))) {
+ return;
+ }
boxlist = (boxptr) gdMalloc (desired_colors * sizeof (box));
/* Initialize one box containing whole space */
numboxes = 1;
diff -pur libwmf-0.2.8.4/src/extra/gd/wbmp.c libwmf-0.2.8.4-fix/src/extra/gd/wbmp.c
--- libwmf-0.2.8.4/src/extra/gd/wbmp.c 2005-07-27 22:35:06.000000000 +0200
+++ libwmf-0.2.8.4-fix/src/extra/gd/wbmp.c 2006-06-30 09:18:53.000000000 +0200
@@ -116,6 +116,14 @@ createwbmp (int width, int height, int c
if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
return (NULL);
+ if (overflow2(sizeof (int), width)) {
+ gdFree(wbmp);
+ return (NULL);
+ }
+ if (overflow2(sizeof (int) * width, height)) {
+ gdFree(wbmp);
+ return (NULL);
+ }
if ((wbmp->bitmap = (int *) gdMalloc (sizeof (int) * width * height)) == NULL)
{
gdFree (wbmp);
@@ -176,6 +184,13 @@ readwbmp (int (*getin) (void *in), void
printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
#endif
+ if (overflow2(sizeof (int), wbmp->width) ||
+ overflow2(sizeof (int) * wbmp->width, wbmp->height))
+ {
+ gdFree(wbmp);
+ return (-1);
+ }
+
if ((wbmp->bitmap = (int *) gdMalloc (sizeof (int) * wbmp->width * wbmp->height)) == NULL)
{
gdFree (wbmp);
Reference in New Issue Copy Permalink