From d8c724ed484d01f3535bd1f317d6c5aa6d33aa80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Wed, 8 Feb 2017 15:11:22 +0000
Subject: [PATCH] Related: rhbz#1418992 backport CVE-2016-10168 to embedded
 libwmf gd

---
 libwmf-0.2.8.4-CVE-2016-10168.patch | 14 ++++++++++++++
 libwmf.spec                         |  5 ++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 libwmf-0.2.8.4-CVE-2016-10168.patch

diff --git a/libwmf-0.2.8.4-CVE-2016-10168.patch b/libwmf-0.2.8.4-CVE-2016-10168.patch
new file mode 100644
index 0000000..f08b1f1
--- /dev/null
+++ b/libwmf-0.2.8.4-CVE-2016-10168.patch
@@ -0,0 +1,14 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -145,6 +145,11 @@
+ 
+   if ((*fmt) == GD2_FMT_COMPRESSED)
+     {
++      if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++              GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++              goto fail1;
++      }
++
+       nc = (*ncx) * (*ncy);
+       GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+       sidx = sizeof (t_chunk_info) * nc;
diff --git a/libwmf.spec b/libwmf.spec
index 67e3960..0a2a7e5 100644
--- a/libwmf.spec
+++ b/libwmf.spec
@@ -69,6 +69,8 @@ Patch21: libwmf-0.2.8.4-CVE-2016-9011.patch
 Patch22: libwmf-0.2.8.4-CVE-2016-9317.patch
 # CVE-2016-10167
 Patch23: libwmf-0.2.8.4-CVE-2016-10167.patch
+# CVE-2016-10168
+Patch24: libwmf-0.2.8.4-CVE-2016-10168.patch
 
 Requires: urw-fonts
 Requires: %{name}-lite = %{version}-%{release}
@@ -125,6 +127,7 @@ using libwmf.
 %patch21 -p1 -b .CVE-2016-9011
 %patch22 -p1 -b .CVE-2016-9317
 %patch23 -p1 -b .CVE-2016-10167
+%patch24 -p1 -b .CVE-2016-10168
 f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f
 
 %build
@@ -187,7 +190,7 @@ sed -i $RPM_BUILD_ROOT%{_datadir}/libwmf/fonts/fontmap -e 's#libwmf/fonts#fonts/
 
 %changelog
 * Wed Feb 08 2017 Caolán McNamara <caolanm@redhat.com> - 0.2.8.4-50
-- CVE-2016-9317, CVE-2016-10167
+- CVE-2016-9317, CVE-2016-10167, CVE-2016-10168
 
 * Wed Oct 26 2016 Caolán McNamara <caolanm@redhat.com> - 0.2.8.4-49
 - Resolves: rhbz#1388451 (CVE-2016-9011) check max claimed record len