more rhbz#1227244 CVE-2015-0848 heap overflow when decoding BMP images

2015-06-08 14:47:41 +01:00 · 2015-06-08 14:47:41 +01:00 · 54ef328b0a
commit 54ef328b0a
parent 80714b5689
2 changed files with 106 additions and 5 deletions
--- a/libwmf-0.2.8.4-CVE-2015-0848.patch
+++ b/libwmf-0.2.8.4-CVE-2015-0848.patch
@ -1,6 +1,90 @@
--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-02 11:35:04.072201795 +0100
-+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-02 11:35:20.647406414 +0100
-@@ -1145,8 +1143,15 @@
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-08 14:46:24.591876404 +0100
+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-08 14:46:35.345993247 +0100
+@@ -859,7 +859,7 @@
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ {	int byte;
+ 	int count;
+ 	int i;
+@@ -870,12 +870,14 @@
+ 	U32 u;
+ 
+ 	unsigned char* q;
+	unsigned char* end;
+ 
+ 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+ 
+ 	byte = 0;
+ 	x = 0;
+ 	q = pixels;
+	end = pixels + bmp->width * bmp->height;
+ 
+ 	for (y = 0; y < bmp->height; )
+ 	{	count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@
+ 		{	/* Encoded mode. */
+ 			byte = ReadBlobByte (src);
+ 			for (i = 0; i < count; i++)
+-			{	if (compression == 1)
+			{	
+				if (q == end)
+					return 0;
+			 	if (compression == 1)
+ 				{	(*(q++)) = (unsigned char) byte;
+ 				}
+ 				else
+@@ -896,13 +901,15 @@
+ 		else
+ 		{	/* Escape mode. */
+ 			count = ReadBlobByte (src);
+-			if (count == 0x01) return;
+			if (count == 0x01) return 1;
+ 			switch (count)
+ 			{
+ 			case 0x00:
+ 			 {	/* End of line. */
+ 				x = 0;
+ 				y++;
+				if (y >= bmp->height)
+					return 0;
+ 				q = pixels + y * bmp->width;
+ 				break;
+ 			 }
+@@ -910,13 +917,20 @@
+ 			 {	/* Delta mode. */
+ 				x += ReadBlobByte (src);
+ 				y += ReadBlobByte (src);
+				if (y >= bmp->height)
+					return 0;
+				if (x >= bmp->width)
+					return 0;
+ 				q = pixels + y * bmp->width + x;
+ 				break;
+ 			 }
+ 			default:
+ 			 {	/* Absolute mode. */
+ 				for (i = 0; i < count; i++)
+-				{	if (compression == 1)
+				{
+					if (q == end)
+						return 0;
+					if (compression == 1)
+ 					{	(*(q++)) = ReadBlobByte (src);
+ 					}
+ 					else
+@@ -943,7 +957,7 @@
+ 	byte = ReadBlobByte (src);  /* end of line */
+ 	byte = ReadBlobByte (src);
+ 
+-	return;
+	return 1;
+ }
+ 
+ /*
+@@ -1143,8 +1157,18 @@
 		}
 	}
 	else
@ -9,7 +93,10 @@
 +	{
 +		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
 +		{
-+			DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
+			{	WMF_ERROR (API,"corrupt bmp");
+				API->err = wmf_E_BadFormat;
+			}
 +		}
 +		else
 +		{	WMF_ERROR (API,"Unexpected pixel depth");
@ -18,3 +105,14 @@
 	}
 
 	if (ERR (API))
+--- libwmf-0.2.8.4/src/ipa/ipa.h	2015-06-08 14:46:24.590876393 +0100
+++ libwmf-0.2.8.4/src/ipa/ipa.h	2015-06-08 14:46:35.345993247 +0100
+@@ -48,7 +48,7 @@
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long  ReadBlobLSBLong (BMPSource*);
+ static long           TellBlob (BMPSource*);
+-static void           DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+static int            DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void           ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int            ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void           SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
--- a/libwmf.spec
+++ b/libwmf.spec
@ -1,7 +1,7 @@
 Summary: Windows MetaFile Library
 Name: libwmf
 Version: 0.2.8.4
-Release: 42%{?dist}
+Release: 43%{?dist}
 Group: System Environment/Libraries
 #libwmf is under the LGPLv2+, however...
 #1. The tarball contains an old version of the urw-fonts under GPL+.
@ -170,6 +170,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache || :


 %changelog
+* Tue Jun 08 2015 Caolán McNamara <caolanm@redhat.com> - 0.2.8.4-43
+- Resolves: rhbz#1227244 CVE-2015-0848 heap overflow when decoding BMP images
+
 * Tue Jun 02 2015 Caolán McNamara <caolanm@redhat.com> - 0.2.8.4-42
 - Resolves: rhbz#1227244 CVE-2015-0848 heap overflow when decoding BMP images