http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log CVE-2006-3376 libwmf integer overflow --- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000 +++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100 @@ -42,6 +42,7 @@ #include "player/defaults.h" /* Provides: default settings */ #include "player/record.h" /* Provides: parameter mechanism */ #include "player/meta.h" /* Provides: record interpreters */ +#include /** * @internal @@ -132,8 +134,14 @@ } } -/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); - */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); + if (MAX_REC_SIZE(API) > UINT32_MAX / 2) + { + API->err = wmf_E_InsMem; + WMF_DEBUG (API,"bailing..."); + return (API->err); + } + + P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); if (ERR (API)) { WMF_DEBUG (API,"bailing...");