Related: rhbz#1418992 backport CVE-2016-10168 to embedded libwmf gd

libwmf-0.2.8.4-CVE-2016-10168.patch

@@ -0,0 +1,14 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -145,6 +145,11 @@
+ 
+   if ((*fmt) == GD2_FMT_COMPRESSED)
+     {
++      if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++              GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++              goto fail1;
++      }
++
+       nc = (*ncx) * (*ncy);
+       GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+       sidx = sizeof (t_chunk_info) * nc;

libwmf.spec

@@ -69,6 +69,8 @@ Patch21: libwmf-0.2.8.4-CVE-2016-9011.patch
 Patch22: libwmf-0.2.8.4-CVE-2016-9317.patch
 # CVE-2016-10167
 Patch23: libwmf-0.2.8.4-CVE-2016-10167.patch
+# CVE-2016-10168
+Patch24: libwmf-0.2.8.4-CVE-2016-10168.patch
 
 Requires: urw-fonts
 Requires: %{name}-lite = %{version}-%{release}
@@ -125,6 +127,7 @@ using libwmf.
 %patch21 -p1 -b .CVE-2016-9011
 %patch22 -p1 -b .CVE-2016-9317
 %patch23 -p1 -b .CVE-2016-10167
+%patch24 -p1 -b .CVE-2016-10168
 f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f
 
 %build
@@ -187,7 +190,7 @@ sed -i $RPM_BUILD_ROOT%{_datadir}/libwmf/fonts/fontmap -e 's#libwmf/fonts#fonts/
 
 %changelog
 * Wed Feb 08 2017 Caolán McNamara <caolanm@redhat.com> - 0.2.8.4-50
-- CVE-2016-9317, CVE-2016-10167
+- CVE-2016-9317, CVE-2016-10167, CVE-2016-10168
 
 * Wed Oct 26 2016 Caolán McNamara <caolanm@redhat.com> - 0.2.8.4-49
 - Resolves: rhbz#1388451 (CVE-2016-9011) check max claimed record len