From 0bd8d392a9bd2521b09a02bb0bbe518d286ffe2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Tue, 23 Jun 2015 14:07:19 +0100
Subject: [PATCH] rename to assigned CVEs

---
 ...-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch |  0
 libwmf-0.2.8.4-CVE-2015-4695.patch            | 56 +++++++++++++++++++
 ...atch => libwmf-0.2.8.4-CVE-2015-4696.patch |  0
 libwmf.spec                                   | 22 ++++----
 4 files changed, 67 insertions(+), 11 deletions(-)
 rename libwmf-0.2.8.4-CVE-2015-0848.patch => libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch (100%)
 create mode 100644 libwmf-0.2.8.4-CVE-2015-4695.patch
 rename libwmf-0.2.8.4-deb784192.patch => libwmf-0.2.8.4-CVE-2015-4696.patch (100%)

diff --git a/libwmf-0.2.8.4-CVE-2015-0848.patch b/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
similarity index 100%
rename from libwmf-0.2.8.4-CVE-2015-0848.patch
rename to libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
diff --git a/libwmf-0.2.8.4-CVE-2015-4695.patch b/libwmf-0.2.8.4-CVE-2015-4695.patch
new file mode 100644
index 0000000..b6d499d
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2015-4695.patch
@@ -0,0 +1,56 @@
+--- libwmf-0.2.8.4/src/player/meta.h
++++ libwmf-0.2.8.4/src/player/meta.h
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
+@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
+ 	objects = P->objects;
+ 
+ 	i = 0;
+-	while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
++	while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
+ 
+ 	if (i == NUM_OBJECTS (API))
+ 	{	WMF_ERROR (API,"Object out of range!");
diff --git a/libwmf-0.2.8.4-deb784192.patch b/libwmf-0.2.8.4-CVE-2015-4696.patch
similarity index 100%
rename from libwmf-0.2.8.4-deb784192.patch
rename to libwmf-0.2.8.4-CVE-2015-4696.patch
diff --git a/libwmf.spec b/libwmf.spec
index 0f58159..bdc0857 100644
--- a/libwmf.spec
+++ b/libwmf.spec
@@ -55,12 +55,12 @@ Patch14: libwmf-0.2.8.4-CAN-2004-0941.patch
 Patch15: libwmf-0.2.8.4-CVE-2009-3546.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=925929
 Patch16: libwmf-aarch64.patch
-# CVE-2015-0848
-Patch17: libwmf-0.2.8.4-CVE-2015-0848.patch
-# deb#784205
-Patch18: libwmf-0.2.8.4-deb784205.patch
-# deb#784192
-Patch19: libwmf-0.2.8.4-deb784192.patch
+# CVE-2015-0848+CVE-2015-4588
+Patch17: libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
+# CVE-2015-4695
+Patch18: libwmf-0.2.8.4-CVE-2015-4695.patch
+# CVE-2015-4696
+Patch19: libwmf-0.2.8.4-CVE-2015-4696.patch
 
 Requires: urw-fonts
 Requires: %{name}-lite = %{version}-%{release}
@@ -108,9 +108,9 @@ using libwmf.
 %patch14 -p1 -b .CAN-2004-0941
 %patch15 -p1 -b .CVE-2009-3546
 %patch16 -p1 -b .aarch64
-%patch17 -p1 -b .CVE-2015-0848
-%patch18 -p1 -b .deb784205
-%patch19 -p1 -b .deb784192
+%patch17 -p1 -b .CVE-2015-0848+CVE-2015-4588
+%patch18 -p1 -b .CVE-2015-4695
+%patch19 -p1 -b .CVE-2015-4696
 f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f
 
 %build
@@ -177,8 +177,8 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache || :
 
 %changelog
 * Tue Jun 23 2015 Caolán McNamara <caolanm@redhat.com> - 0.2.8.4-45
-- Related: rhbz#1227244 fix deb#784205
-- Related: rhbz#1227244 fix deb#784192
+- Related: rhbz#1227244 CVE-2015-4695 meta_pen_create heap buffer overflow
+- Related: rhbz#1227244 CVE-2015-4696 wmf2gd/wmf2eps use after free
 
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2.8.4-44
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild