Resolves: rhbz#1227244 CVE-2015-0848 heap overflow when decoding BMP images

2015-06-02 11:38:54 +01:00 · 2015-06-02 11:38:54 +01:00 · 80714b5689
commit 80714b5689
parent bfa26c6d5a
2 changed files with 28 additions and 2 deletions
--- a/libwmf-0.2.8.4-CVE-2015-0848.patch
+++ b/libwmf-0.2.8.4-CVE-2015-0848.patch
@ -0,0 +1,20 @@
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-02 11:35:04.072201795 +0100
+++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h	2015-06-02 11:35:20.647406414 +0100
+@@ -1145,8 +1143,15 @@
+ 		}
+ 	}
+ 	else
+-	{	/* Convert run-length encoded raster pixels. */
+-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+	{
+		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
+		{
+			DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+		}
+		else
+		{	WMF_ERROR (API,"Unexpected pixel depth");
+			API->err = wmf_E_BadFormat;
+		}
+ 	}
+ 
+ 	if (ERR (API))
--- a/libwmf.spec
+++ b/libwmf.spec
@ -1,7 +1,7 @@
 Summary: Windows MetaFile Library
 Name: libwmf
 Version: 0.2.8.4
-Release: 41%{?dist}
+Release: 42%{?dist}
 Group: System Environment/Libraries
 #libwmf is under the LGPLv2+, however...
 #1. The tarball contains an old version of the urw-fonts under GPL+.
@ -55,6 +55,8 @@ Patch14: libwmf-0.2.8.4-CAN-2004-0941.patch
 Patch15: libwmf-0.2.8.4-CVE-2009-3546.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=925929
 Patch16: libwmf-aarch64.patch
+# CVE-2015-0848
+Patch17: libwmf-0.2.8.4-CVE-2015-0848.patch

 Requires: urw-fonts
 Requires: %{name}-lite = %{version}-%{release}
@ -102,6 +104,7 @@ using libwmf.
 %patch14 -p1 -b .CAN-2004-0941
 %patch15 -p1 -b .CVE-2009-3546
 %patch16 -p1 -b .aarch64
+%patch17 -p1 -b .CVE-2015-0848
 f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f

 %build
@ -167,6 +170,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache || :


 %changelog
+* Tue Jun 02 2015 Caolán McNamara <caolanm@redhat.com> - 0.2.8.4-42
+- Resolves: rhbz#1227244 CVE-2015-0848 heap overflow when decoding BMP images
+
 * Sat Feb 21 2015 Till Maas <opensource@till.name> - 0.2.8.4-41
 - Rebuilt for Fedora 23 Change
  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
@ -290,7 +296,7 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache || :
 * Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 0.2.8.4-4.1
 - rebuilt for new gcc4.1 snapshot and glibc changes

-* Tue Jan 19 2006 Caolan McNamara <caolanm@redhat.com> 0.2.8.4-4
+* Thu Jan 19 2006 Caolan McNamara <caolanm@redhat.com> 0.2.8.4-4
 - rh#178275# match srvg gtk2 _host usage for pixbuf loaders

 * Tue Jan 03 2006 Caolan McNamara <caolanm@redhat.com> 0.2.8.4-3