From 80714b56899ad0b0e995df5f4a01911c5cb8136e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Tue, 2 Jun 2015 11:38:54 +0100
Subject: [PATCH] Resolves: rhbz#1227244 CVE-2015-0848 heap overflow when decoding BMP images
---
 libwmf-0.2.8.4-CVE-2015-0848.patch | 20 ++++++++++++++++++++
 libwmf.spec | 10 ++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 libwmf-0.2.8.4-CVE-2015-0848.patch
diff --git a/libwmf-0.2.8.4-CVE-2015-0848.patch b/libwmf-0.2.8.4-CVE-2015-0848.patch
new file mode 100644
index 0000000..40e71f2
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2015-0848.patch
@@ -0,0 +1,20 @@
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-02 11:35:04.072201795 +0100
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-02 11:35:20.647406414 +0100
+@@ -1145,8 +1143,15 @@
+ }
+ }
+ else
+- { /* Convert run-length encoded raster pixels. */
+- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++ {
++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
++ {
++ DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++ }
++ else
++ { WMF_ERROR (API,"Unexpected pixel depth");
++ API->err = wmf_E_BadFormat;
++ }
+ }
+
+ if (ERR (API))
diff --git a/libwmf.spec b/libwmf.spec
index 2c78123..4a753e9 100644
--- a/libwmf.spec
+++ b/libwmf.spec
@@ -1,7 +1,7 @@
 Summary: Windows MetaFile Library
 Name: libwmf
 Version: 0.2.8.4
-Release: 41%{?dist}
+Release: 42%{?dist}
 Group: System Environment/Libraries
 #libwmf is under the LGPLv2+, however...
 #1. The tarball contains an old version of the urw-fonts under GPL+.
@@ -55,6 +55,8 @@ Patch14: libwmf-0.2.8.4-CAN-2004-0941.patch
 Patch15: libwmf-0.2.8.4-CVE-2009-3546.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=925929
 Patch16: libwmf-aarch64.patch
+# CVE-2015-0848
+Patch17: libwmf-0.2.8.4-CVE-2015-0848.patch
 Requires: urw-fonts
 Requires: %{name}-lite = %{version}-%{release}
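Review bot: The guard added in the embedded bmp.h hunk tests only `bmp_info.bits_per_pixel == 8`, while `bmp_info.compression` is still handed to `DecodeImage` without being matched against the depth, so the safety of the call still depends on what the decoder does with its run lengths. `DecodeImage` is not visible in this hunk; it should be confirmed that it bounds every run against the size of `data->image` rather than relying on this caller-side check alone. The hunk also gives no reason why 8 is the only accepted depth, and run-length images at other depths now end in `wmf_E_BadFormat`; a comment above the `if`, for example `/* RLE output must fit data->image; only 8-bit depth is accepted here */`, would record the invariant and make the rejection visibly intentional. The enclosing function starts and ends outside the hunk.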
@@ -102,6 +104,7 @@ using libwmf. %patch14 -p1 -b .CAN-2004-0941 %patch15 -p1 -b .CVE-2009-3546 %patch16 -p1 -b .aarch64 +%patch17 -p1 -b .CVE-2015-0848 f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f %build @@ -167,6 +170,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache || : %changelog +* Tue Jun 02 2015 Caolán McNamara - 0.2.8.4-42 +- Resolves: rhbz#1227244 CVE-2015-0848 heap overflow when decoding BMP images + * Sat Feb 21 2015 Till Maas - 0.2.8.4-41 - Rebuilt for Fedora 23 Change https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code @@ -290,7 +296,7 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache || : * Tue Feb 07 2006 Jesse Keating - 0.2.8.4-4.1 - rebuilt for new gcc4.1 snapshot and glibc changes -* Tue Jan 19 2006 Caolan McNamara 0.2.8.4-4 +* Thu Jan 19 2006 Caolan McNamara 0.2.8.4-4 - rh#178275# match srvg gtk2 _host usage for pixbuf loaders * Tue Jan 03 2006 Caolan McNamara 0.2.8.4-3