From 9ed548643918bb9415b16707f360f49fcab89627 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Mon, 6 Jul 2015 20:02:47 -0400 Subject: [PATCH] gnu: libwmf: Fix CVE-2006-3376, CVE-2009-1364, CVE-2015-{0848,4588,4695,4696}. * gnu/packages/patches/libwmf-CVE-2006-3376.patch, gnu/packages/patches/libwmf-CVE-2009-1364.patch, gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (libwmf)[source]: Add patches. --- gnu-system.am | 3 + gnu/packages/image.scm | 6 +- .../patches/libwmf-CVE-2006-3376.patch | 30 +++ .../patches/libwmf-CVE-2009-1364.patch | 13 ++ .../libwmf-CVE-2015-0848+4588+4695+4696.patch | 189 ++++++++++++++++++ 5 files changed, 240 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libwmf-CVE-2006-3376.patch create mode 100644 gnu/packages/patches/libwmf-CVE-2009-1364.patch create mode 100644 gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch diff --git a/gnu-system.am b/gnu-system.am index 7e25f6f518..ef061e8429 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -518,6 +518,9 @@ dist_patch_DATA = \ gnu/packages/patches/libvpx-fix-armhf-link.patch \ gnu/packages/patches/libvpx-fix-ssse3-quantize.patch \ gnu/packages/patches/libvpx-vp9-out-of-bounds-access.patch \ + gnu/packages/patches/libwmf-CVE-2006-3376.patch \ + gnu/packages/patches/libwmf-CVE-2009-1364.patch \ + gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch \ gnu/packages/patches/lirc-localstatedir.patch \ gnu/packages/patches/lm-sensors-hwmon-attrs.patch \ gnu/packages/patches/lua51-liblua-so.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index ad4acb787e..30f380038b 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -162,7 +162,11 @@ collection of tools for doing simple manipulations of TIFF images.") name "/" version "/" name "-" version ".tar.gz")) (sha256 - (base32 "1y3wba4q8pl7kr51212jwrsz1x6nslsx1gsjml1x0i8549lmqd2v")))) + (base32 "1y3wba4q8pl7kr51212jwrsz1x6nslsx1gsjml1x0i8549lmqd2v")) + (patches + (map search-patch '("libwmf-CVE-2006-3376.patch" + "libwmf-CVE-2009-1364.patch" + "libwmf-CVE-2015-0848+4588+4695+4696.patch"))))) (build-system gnu-build-system) (inputs diff --git a/gnu/packages/patches/libwmf-CVE-2006-3376.patch b/gnu/packages/patches/libwmf-CVE-2006-3376.patch new file mode 100644 index 0000000000..1e0e1ecfa8 --- /dev/null +++ b/gnu/packages/patches/libwmf-CVE-2006-3376.patch @@ -0,0 +1,30 @@ +Copied from Debian. + +--- libwmf-0.2.8.4.orig/src/player.c ++++ libwmf-0.2.8.4/src/player.c +@@ -23,6 +23,7 @@ + + #include + #include ++#include + #include + #include + +@@ -132,8 +133,14 @@ + } + } + +-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); +- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); ++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2) ++ { ++ API->err = wmf_E_InsMem; ++ WMF_DEBUG (API,"bailing..."); ++ return (API->err); ++ } ++ ++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); + + if (ERR (API)) + { WMF_DEBUG (API,"bailing..."); + diff --git a/gnu/packages/patches/libwmf-CVE-2009-1364.patch b/gnu/packages/patches/libwmf-CVE-2009-1364.patch new file mode 100644 index 0000000000..254b821596 --- /dev/null +++ b/gnu/packages/patches/libwmf-CVE-2009-1364.patch @@ -0,0 +1,13 @@ +Copied from Debian. + +--- libwmf-0.2.8.4.orig/src/extra/gd/gd_clip.c ++++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c +@@ -70,6 +70,7 @@ + { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle)); + if (more == 0) return; + im->clip->max += 8; ++ im->clip->list = more; + } + im->clip->list[im->clip->count] = (*rect); + im->clip->count++; + diff --git a/gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch b/gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch new file mode 100644 index 0000000000..091fc8bb41 --- /dev/null +++ b/gnu/packages/patches/libwmf-CVE-2015-0848+4588+4695+4696.patch @@ -0,0 +1,189 @@ +Fix CVE-2015-0848, CVE-2015-4588, CVE-2015-4695, and CVE-2015-4696. +Copied from Debian. + +--- libwmf-0.2.8.4.orig/src/player/meta.h ++++ libwmf-0.2.8.4/src/player/meta.h +@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API, + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -2593,9 +2593,10 @@ static int meta_dc_restore (wmfAPI* API, + polyrect.BR = 0; + + polyrect.count = 0; ++ ++ if (FR->region_clip) FR->region_clip (API,&polyrect); + } + +- if (FR->region_clip) FR->region_clip (API,&polyrect); + + return (changed); + } +@@ -3067,7 +3068,7 @@ static int meta_pen_create (wmfAPI* API, + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3181,7 +3182,7 @@ static int meta_brush_create (wmfAPI* AP + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3288,7 +3289,7 @@ static int meta_font_create (wmfAPI* API + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3396,7 +3397,7 @@ static int meta_palette_create (wmfAPI* + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +--- libwmf-0.2.8.4.orig/src/ipa/ipa.h ++++ libwmf-0.2.8.4/src/ipa/ipa.h +@@ -48,7 +48,7 @@ static int ReadBlobByte (BMPS + static unsigned short ReadBlobLSBShort (BMPSource*); + static unsigned long ReadBlobLSBLong (BMPSource*); + static long TellBlob (BMPSource*); +-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); ++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); + static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); + static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); + static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); +--- libwmf-0.2.8.4.orig/src/ipa/ipa/bmp.h ++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h +@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src) + % + % + */ +-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) ++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) + { int byte; + int count; + int i; +@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmf + U32 u; + + unsigned char* q; ++ unsigned char* end; + + for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; + + byte = 0; + x = 0; + q = pixels; ++ end = pixels + bmp->width * bmp->height; + + for (y = 0; y < bmp->height; ) + { count = ReadBlobByte (src); +@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmf + { /* Encoded mode. */ + byte = ReadBlobByte (src); + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = (unsigned char) byte; + } + else +@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmf + else + { /* Escape mode. */ + count = ReadBlobByte (src); +- if (count == 0x01) return; ++ if (count == 0x01) return 1; + switch (count) + { + case 0x00: + { /* End of line. */ + x = 0; + y++; ++ if (y >= bmp->height) ++ return 0; + q = pixels + y * bmp->width; + break; + } +@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmf + { /* Delta mode. */ + x += ReadBlobByte (src); + y += ReadBlobByte (src); ++ if (y >= bmp->height) ++ return 0; ++ if (x >= bmp->width) ++ return 0; + q = pixels + y * bmp->width + x; + break; + } + default: + { /* Absolute mode. */ + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = ReadBlobByte (src); + } + else +@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmf + byte = ReadBlobByte (src); /* end of line */ + byte = ReadBlobByte (src); + +- return; ++ return 1; + } + + /* +@@ -1143,8 +1157,18 @@ static void ReadBMPImage (wmfAPI* API,wm + } + } + else +- { /* Convert run-length encoded raster pixels. */ +- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); ++ { ++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ ++ { ++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) ++ { WMF_ERROR (API,"corrupt bmp"); ++ API->err = wmf_E_BadFormat; ++ } ++ } ++ else ++ { WMF_ERROR (API,"Unexpected pixel depth"); ++ API->err = wmf_E_BadFormat; ++ } + } + + if (ERR (API))