libwmf/libwmf-0.2.8.3-gd-CAN-2004-0990.patch

--- libwmf-0.2.8.3/src/extra/gd/gd_security.c.can-2004-0941	2006-06-27 10:50:03.759375715 -0600
+++ libwmf-0.2.8.3/src/extra/gd/gd_security.c	2006-06-27 10:50:03.758375891 -0600
@@ -0,0 +1,29 @@
+/*
+   * gd_security.c
+   *
+   * Implements buffer overflow check routines.
+   *
+   * Written 2004, Phil Knirsch.
+   * Based on netpbm fixes by Alan Cox.
+   *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include "gd.h"
+
+int overflow2(int a, int b)
+{
+	if(a < 0 || b < 0) {
+		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
+		return 1;
+	}
+	if(b == 0)
+		return 0;
+	if(a > INT_MAX / b) {
+		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+		return 1;
+	}
+	return 0;
+}
--- libwmf-0.2.8.3/src/extra/gd/gd_png.c.can-2004-0941	2001-05-19 07:09:34.000000000 -0600
+++ libwmf-0.2.8.3/src/extra/gd/gd_png.c	2006-06-27 10:50:03.759375715 -0600
@@ -181,6 +181,14 @@ gdImageCreateFromPngCtx (gdIOCtx * infil

   png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
 		&interlace_type, NULL, NULL);
+  if (overflow2(sizeof (int), width))
+    {
+      return NULL;
+    }
+  if (overflow2(sizeof (int) * width, height))
+    {
+      return NULL;
+    }
   if ((color_type == PNG_COLOR_TYPE_RGB) ||
       (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
     {
--- libwmf-0.2.8.3/src/extra/gd/Makefile.am.can-2004-0941	2006-06-27 11:17:53.989958700 -0600
+++ libwmf-0.2.8.3/src/extra/gd/Makefile.am	2006-06-27 11:18:22.549314009 -0600
@@ -22,7 +22,7 @@ libgd_la_SOURCES = gd.c gd_gd.c gd_gd2.c
 		gd_io_file.c gd_ss.c gd_io_ss.c gd_png.c gd_jpeg.c gdxpm.c \
 		gdfontt.c gdfonts.c gdfontmb.c gdfontl.c gdfontg.c \
 		gdtables.c gdft.c gdcache.c gdkanji.c wbmp.c \
-		gd_wbmp.c gdhelpers.c gd_topal.c gd_clip.c
+		gd_wbmp.c gdhelpers.c gd_topal.c gd_clip.c gd_security.c

 gddir = $(includedir)/libwmf/gd