[Midnightbsd-cvs] mports [19263] trunk/graphics/libwmf/files: add cve patches
laffer1 at midnightbsd.org
Sat May 30 18:52:09 EDT 2015
Revision: 19263
http://svnweb.midnightbsd.org/mports/?rev=19263
Author: laffer1
Date: 2015-05-30 18:52:09 -0400 (Sat, 30 May 2015)
Log Message:
-----------
add cve patches
Added Paths:
-----------
trunk/graphics/libwmf/files/patch-cve-2006-3376
trunk/graphics/libwmf/files/patch-cve-2009-1364
Added: trunk/graphics/libwmf/files/patch-cve-2006-3376
===================================================================
--- trunk/graphics/libwmf/files/patch-cve-2006-3376 (rev 0)
+++ trunk/graphics/libwmf/files/patch-cve-2006-3376 2015-05-30 22:52:09 UTC (rev 19263)
@@ -0,0 +1,27 @@
+--- src/player.c
++++ src/player.c
+@@ -23,6 +23,7 @@
+
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <math.h>
+
+@@ -132,8 +133,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
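Review bot: the new guard in the second src/player.c hunk, `if (MAX_REC_SIZE(API) > UINT32_MAX / 2)`, hard-codes a 32-bit limit, but nothing in the visible lines shows that this matches the type of MAX_REC_SIZE(API) or of wmf_malloc's size argument. The protected expression also multiplies by `sizeof (unsigned char)`, so the product is evaluated in size_t. Please add a short comment above the check naming the type whose range it protects, or derive the bound from that type rather than from UINT32_MAX. The rejection path logs the same "bailing..." string as the existing ERR (API) path just below, so the two failures cannot be told apart in debug output; a distinct message for the oversized-record case would help triage.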
Property changes on: trunk/graphics/libwmf/files/patch-cve-2006-3376
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: trunk/graphics/libwmf/files/patch-cve-2009-1364
===================================================================
--- trunk/graphics/libwmf/files/patch-cve-2009-1364 (rev 0)
+++ trunk/graphics/libwmf/files/patch-cve-2009-1364 2015-05-30 22:52:09 UTC (rev 19263)
@@ -0,0 +1,10 @@
+--- src/extra/gd/gd_clip.c
++++ src/extra/gd/gd_clip.c
+@@ -70,6 +70,7 @@
+ { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+ if (more == 0) return;
+ im->clip->max += 8;
++ im->clip->list = more;
+ }
+ im->clip->list[im->clip->count] = (*rect);
+ im->clip->count++;
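Review bot: the realloc size on the first context line, `(im->clip->max + 8) * sizeof (gdClipRectangle)`, is still computed without an overflow check, and the `if (more == 0) return;` path silently drops the rectangle with no error reported to the caller. Neither is introduced by this patch, but both sit next to the line being fixed and are worth a follow-up. On the added line itself, consider placing `im->clip->list = more;` before `im->clip->max += 8;` so the pointer is updated before the recorded capacity changes; the behaviour is the same, but the order then follows the allocation.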
Property changes on: trunk/graphics/libwmf/files/patch-cve-2009-1364
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property