libwmf/libwmf-0.2.8.4-cve_2006_3376.patch

diff -ru libwmf-0.2.8.4.orig/src/player.c libwmf-0.2.8.4/src/player.c
--- libwmf-0.2.8.4.orig/src/player.c	2002-12-10 19:30:26.000000000 +0000
+++ libwmf-0.2.8.4/src/player.c	2006-07-11 10:27:19.000000000 +0100
@@ -42,6 +42,7 @@
 #include "player/defaults.h" /* Provides: default settings               */
 #include "player/record.h"   /* Provides: parameter mechanism            */
 #include "player/meta.h"     /* Provides: record interpreters            */
+#include <stdint.h>
 
 /**
  * @internal
@@ -124,7 +125,14 @@
 	}
 
 	if (API->File->wmfheader->NumOfObjects > 0)
-	{	P->objects = (wmfObject*) wmf_malloc (API,NUM_OBJECTS (API) * sizeof (wmfObject));
+	{	
+		if (NUM_OBJECTS(API) > SIZE_MAX / sizeof (wmfObject))
+		{
+			WMF_DEBUG (API,"bailing...");
+			return (wmf_E_InsMem);
+		}
+
+		P->objects = (wmfObject*) wmf_malloc (API,NUM_OBJECTS (API) * sizeof (wmfObject));
 
 		if (ERR (API))
 		{	WMF_DEBUG (API,"bailing...");
@@ -132,8 +140,13 @@
 		}
 	}
 
-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+	if (MAX_REC_SIZE(API) > SIZE_MAX / 2)
+	{
+		WMF_DEBUG (API,"bailing...");
+		return (wmf_E_InsMem);
+	}
+		
+ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2);
 
 	if (ERR (API))
 	{	WMF_DEBUG (API,"bailing...");
automatic rebuild by autodist [release 0.2.8.4-7mamba;Thu Oct 28 2010] 2024-01-06 06:08:36 +01:00			`diff -ru libwmf-0.2.8.4.orig/src/player.c libwmf-0.2.8.4/src/player.c`
			`--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000`
			`+++ libwmf-0.2.8.4/src/player.c 2006-07-11 10:27:19.000000000 +0100`
			`@@ -42,6 +42,7 @@`
			`#include "player/defaults.h" /* Provides: default settings */`
			`#include "player/record.h" /* Provides: parameter mechanism */`
			`#include "player/meta.h" /* Provides: record interpreters */`
			`+#include <stdint.h>`

			`/**`
			`* @internal`
			`@@ -124,7 +125,14 @@`
			`}`

			`if (API->File->wmfheader->NumOfObjects > 0)`
			`- { P->objects = (wmfObject) wmf_malloc (API,NUM_OBJECTS (API) sizeof (wmfObject));`
			`+ {`
			`+ if (NUM_OBJECTS(API) > SIZE_MAX / sizeof (wmfObject))`
			`+ {`
			`+ WMF_DEBUG (API,"bailing...");`
			`+ return (wmf_E_InsMem);`
			`+ }`
			`+`
			`+ P->objects = (wmfObject) wmf_malloc (API,NUM_OBJECTS (API) sizeof (wmfObject));`

			`if (ERR (API))`
			`{ WMF_DEBUG (API,"bailing...");`
			`@@ -132,8 +140,13 @@`
			`}`
			`}`

			`-/* P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API)-3) 2 * sizeof (unsigned char));`
			`- / P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));`
			`+ if (MAX_REC_SIZE(API) > SIZE_MAX / 2)`
			`+ {`
			`+ WMF_DEBUG (API,"bailing...");`
			`+ return (wmf_E_InsMem);`
			`+ }`
			`+`
			`+ P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) 2);`

			`if (ERR (API))`
			`{ WMF_DEBUG (API,"bailing...");`