From b439c6f363d3f9c7b22e7f3b2211d423abd7d612 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Wed, 8 Feb 2017 15:05:20 +0000
Subject: [PATCH] Related: rhbz#1418992 backport CVE-2016-10167 to embedded libwmf gd
---
 libwmf-0.2.8.4-CVE-2016-10167.patch | 30 +++++++++++++++++++++++++++++
 libwmf.spec | 5 ++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 libwmf-0.2.8.4-CVE-2016-10167.patch
diff --git a/libwmf-0.2.8.4-CVE-2016-10167.patch b/libwmf-0.2.8.4-CVE-2016-10167.patch
new file mode 100644
index 0000000..5e28197
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2016-10167.patch
@@ -0,0 +1,30 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -362,10 +362,9 @@
+ {
+ if (!gdGetInt (&im->tpixels[y][x], in))
+ {
+- /*printf("EOF while reading\n"); */
+- /*gdImageDestroy(im); */
+- /*return 0; */
+- im->tpixels[y][x] = 0;
++ fprintf(stderr, "gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ }
+ else
+@@ -373,10 +372,9 @@
+ int ch;
+ if (!gdGetByte (&ch, in))
+ {
+- /*printf("EOF while reading\n"); */
+- /*gdImageDestroy(im); */
+- /*return 0; */
+- ch = 0;
++ fprintf(stderr, "gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ im->pixels[y][x] = ch;
+ }
diff --git a/libwmf.spec b/libwmf.spec
index a58cf1c..67e3960 100644
--- a/libwmf.spec
+++ b/libwmf.spec
@@ -67,6 +67,8 @@ Patch20: libwmf-0.2.8.4-autoheader.patch
 Patch21: libwmf-0.2.8.4-CVE-2016-9011.patch
 # CVE-2016-9317
 Patch22: libwmf-0.2.8.4-CVE-2016-9317.patch
+# CVE-2016-10167
+Patch23: libwmf-0.2.8.4-CVE-2016-10167.patch
 Requires: urw-fonts
 Requires: %{name}-lite = %{version}-%{release}
@@ -122,6 +124,7 @@ using libwmf.
 %patch20 -p1 -b .autoheader
 %patch21 -p1 -b .CVE-2016-9011
 %patch22 -p1 -b .CVE-2016-9317
+%patch23 -p1 -b .CVE-2016-10167
 f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f
 %build
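Review bot: Both new EOF branches in the embedded gd_gd2.c patch (the `tpixels` read and the `pixels` read) exit with a bare `return NULL;` straight after `gdImageDestroy(im);`, so any other buffers the reader holds at that point would not be released; the enclosing function begins and ends outside these hunks, so whether it holds any cannot be confirmed from here. If it does, both branches should go through the same cleanup the function's other failure exits use instead of returning directly. The change also turns a truncated file from a zero-filled image into a NULL result, so callers within libwmf need to handle NULL, which this diff does not show. A one-line description at the top of the patch file, such as `Backport of upstream libgd fix for CVE-2016-10167 (commit <UPSTREAM_COMMIT_ID>)`, would record its provenance for later audits.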
@@ -184,7 +187,7 @@ sed -i $RPM_BUILD_ROOT%{_datadir}/libwmf/fonts/fontmap -e 's#libwmf/fonts#fonts/
 %changelog
 * Wed Feb 08 2017 Caolán McNamara - 0.2.8.4-50
-- CVE-2016-9317
+- CVE-2016-9317, CVE-2016-10167
 * Wed Oct 26 2016 Caolán McNamara - 0.2.8.4-49
 - Resolves: rhbz#1388451 (CVE-2016-9011) check max claimed record len