Resolves: CVE-2016-9011 check max claimed record len against max seekable position
parent
6754e24377
commit
9a43f910ab
36
libwmf-0.2.8.4-CVE-2016-9011.patch
Normal file
36
libwmf-0.2.8.4-CVE-2016-9011.patch
Normal file
@ -0,0 +1,36 @@
|
||||
--- libwmf-0.2.8.4/src/player.c
|
||||
+++ libwmf-0.2.8.4/src/player.c
|
||||
@@ -139,8 +139,31 @@
|
||||
WMF_DEBUG (API,"bailing...");
|
||||
return (API->err);
|
||||
}
|
||||
-
|
||||
- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
|
||||
+
|
||||
+ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
|
||||
+ if (nMaxRecordSize)
|
||||
+ {
|
||||
+ //before allocating memory do a sanity check on size by seeking
|
||||
+ //to claimed end to see if its possible. We're constrained here
|
||||
+ //by the api and existing implementations to not simply seeking
|
||||
+ //to SEEK_END. So use what we have to skip to the last byte and
|
||||
+ //try and read it.
|
||||
+ const long nPos = WMF_TELL (API);
|
||||
+ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
|
||||
+ if (ERR (API))
|
||||
+ { WMF_DEBUG (API,"bailing...");
|
||||
+ return (API->err);
|
||||
+ }
|
||||
+ int byte = WMF_READ (API);
|
||||
+ if (byte == (-1))
|
||||
+ { WMF_ERROR (API,"Unexpected EOF!");
|
||||
+ API->err = wmf_E_EOF;
|
||||
+ return (API->err);
|
||||
+ }
|
||||
+ WMF_SEEK (API, nPos);
|
||||
+ }
|
||||
+
|
||||
+ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
|
||||
|
||||
if (ERR (API))
|
||||
{ WMF_DEBUG (API,"bailing...");
|
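Review bot: The size that is probed and then allocated, `(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)`, is still computed from the length the file claims without any overflow check before it is stored in `U32 nMaxRecordSize`. The definitions of `U32` and `MAX_REC_SIZE` are outside this patch, but on a build where `U32` is 32 bits wide a large claimed length could wrap to a small value, and the seek-and-read probe would then validate (and `wmf_malloc` would allocate) a smaller size than the header claims. A guard ahead of the multiplication, `if (MAX_REC_SIZE(API) > ((U32) -1) / 2)`, followed by the same set-error-and-return pattern used for the EOF case, would close that; the sum `nPos + nMaxRecordSize - 1` deserves the same range check where `long` is 32 bits. `WMF_TELL`'s result is also used without an error check, and a failure of the restoring `WMF_SEEK (API, nPos)` is only caught by the `ERR (API)` test after the allocation, which is worth a one-line comment such as `/* seek-back errors are caught by the ERR check below */`. The enclosing function starts and ends outside the hunk.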
@ -1,7 +1,7 @@
|
||||
Summary: Windows MetaFile Library
|
||||
Name: libwmf
|
||||
Version: 0.2.8.4
|
||||
Release: 48%{?dist}
|
||||
Release: 49%{?dist}
|
||||
Group: System Environment/Libraries
|
||||
#libwmf is under the LGPLv2+, however...
|
||||
#1. The tarball contains an old version of the urw-fonts under GPL+.
|
||||
@ -63,6 +63,8 @@ Patch18: libwmf-0.2.8.4-CVE-2015-4695.patch
|
||||
Patch19: libwmf-0.2.8.4-CVE-2015-4696.patch
|
||||
# autoheader build failure
|
||||
Patch20: libwmf-0.2.8.4-autoheader.patch
|
||||
# CVE-2016-9011
|
||||
Patch21: libwmf-0.2.8.4-CVE-2016-9011.patch
|
||||
|
||||
Requires: urw-fonts
|
||||
Requires: %{name}-lite = %{version}-%{release}
|
||||
@ -116,6 +118,7 @@ using libwmf.
|
||||
%patch18 -p1 -b .CVE-2015-4695
|
||||
%patch19 -p1 -b .CVE-2015-4696
|
||||
%patch20 -p1 -b .autoheader
|
||||
%patch21 -p1 -b .CVE-2016-9011
|
||||
f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f
|
||||
|
||||
%build
|
||||
@ -177,6 +180,10 @@ sed -i $RPM_BUILD_ROOT%{_datadir}/libwmf/fonts/fontmap -e 's#libwmf/fonts#fonts/
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Oct 26 2016 Caolán McNamara <caolanm@redhat.com> - 0.2.8.4-49
|
||||
- Resolves: rhbz#1388451 (CVE-2016-9011) check max claimed record len
|
||||
against max seekable position
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.8.4-48
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
|