blob: 50d915c01095c00d3a1fe52be95884ff6261a1dc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log
CVE-2006-3376 libwmf integer overflow
--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000
+++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100
@@ -42,6 +42,7 @@
#include "player/defaults.h" /* Provides: default settings */
#include "player/record.h" /* Provides: parameter mechanism */
#include "player/meta.h" /* Provides: record interpreters */
+#include <stdint.h>
/**
* @internal
@@ -132,8 +134,14 @@
}
}
-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
+ {
+ API->err = wmf_E_InsMem;
+ WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+
+ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
if (ERR (API))
{ WMF_DEBUG (API,"bailing...");
|
