aboutsummaryrefslogtreecommitdiffstats
path: root/graphics/libwmf
diff options
context:
space:
mode:
Diffstat (limited to 'graphics/libwmf')
-rw-r--r--graphics/libwmf/Makefile2
-rw-r--r--graphics/libwmf/files/patch-cve-2006-337627
-rw-r--r--graphics/libwmf/files/patch-cve-2009-136410
3 files changed, 38 insertions, 1 deletions
diff --git a/graphics/libwmf/Makefile b/graphics/libwmf/Makefile
index 8064dc406e2b..f3bb06258d5d 100644
--- a/graphics/libwmf/Makefile
+++ b/graphics/libwmf/Makefile
@@ -7,7 +7,7 @@
PORTNAME= libwmf
PORTVERSION= 0.2.8.4
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= wvware
diff --git a/graphics/libwmf/files/patch-cve-2006-3376 b/graphics/libwmf/files/patch-cve-2006-3376
new file mode 100644
index 000000000000..0b48a35b422f
--- /dev/null
+++ b/graphics/libwmf/files/patch-cve-2006-3376
@@ -0,0 +1,27 @@
+--- src/player.c
++++ src/player.c
+@@ -23,6 +23,7 @@
+
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <math.h>
+
+@@ -132,8 +133,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
diff --git a/graphics/libwmf/files/patch-cve-2009-1364 b/graphics/libwmf/files/patch-cve-2009-1364
new file mode 100644
index 000000000000..0af8c98d6613
--- /dev/null
+++ b/graphics/libwmf/files/patch-cve-2009-1364
@@ -0,0 +1,10 @@
+--- src/extra/gd/gd_clip.c
++++ src/extra/gd/gd_clip.c
+@@ -70,6 +70,7 @@
+ { more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+ if (more == 0) return;
+ im->clip->max += 8;
++ im->clip->list = more;
+ }
+ im->clip->list[im->clip->count] = (*rect);
+ im->clip->count++;
generated by cgit (git 2.34.1) at 2025-01-06 23:47:06 +0800