libwmf: Apply two patches from Fedora to address known issues
authorHolger Hans Peter Freyther <zecke@selfish.org>
Mon, 15 Mar 2010 04:36:17 +0000 (12:36 +0800)
committerHolger Hans Peter Freyther <zecke@selfish.org>
Mon, 15 Mar 2010 04:38:59 +0000 (12:38 +0800)
CVE-2006-3376, CVE-2009-1364

recipes/libwmf/files/libwmf-0.2.8.4-intoverflow.patch [new file with mode: 0644]
recipes/libwmf/files/libwmf-0.2.8.4-useafterfree.patch [new file with mode: 0644]
recipes/libwmf/libwmf-native_0.2.8.4.bb
recipes/libwmf/libwmf_0.2.8.4.bb

diff --git a/recipes/libwmf/files/libwmf-0.2.8.4-intoverflow.patch b/recipes/libwmf/files/libwmf-0.2.8.4-intoverflow.patch
new file mode 100644 (file)
index 0000000..50d915c
--- /dev/null
@@ -0,0 +1,31 @@
+http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log
+
+CVE-2006-3376 libwmf integer overflow
+
+--- libwmf-0.2.8.4.orig/src/player.c   2002-12-10 19:30:26.000000000 +0000
++++ libwmf-0.2.8.4/src/player.c        2006-07-12 15:12:52.000000000 +0100
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings               */
+ #include "player/record.h"   /* Provides: parameter mechanism            */
+ #include "player/meta.h"     /* Provides: record interpreters            */
++#include <stdint.h>
+ /**
+  * @internal
+@@ -132,8 +134,14 @@
+               }
+       }
+-/*    P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */   P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++      if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
++      {
++              API->err = wmf_E_InsMem;
++              WMF_DEBUG (API,"bailing...");
++              return (API->err);
++      }
++      
++      P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+       if (ERR (API))
+       {       WMF_DEBUG (API,"bailing...");
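Review bot: The overflow guard added before the `P->Parameters` allocation compares `MAX_REC_SIZE(API)` against `UINT32_MAX / 2`, which is the right bound only if the `* 2` is evaluated in an unsigned 32-bit type. The macro's type is not visible in this hunk, so that should be confirmed and recorded next to the check, for example `/* reject record sizes whose doubling would wrap 32 bits */`. The guard stops only the wrap: a value just under the limit still asks wmf_malloc for close to 4 GiB, and the size presumably comes from the metafile header, so an upper sanity cap may be worth considering. The new branch and the existing allocation-failure branch both log `"bailing..."` and the new one reports `wmf_E_InsMem`, so a rejected record size cannot be told apart from a real out-of-memory condition in debug output. The enclosing function starts and ends outside the embedded hunk.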
diff --git a/recipes/libwmf/files/libwmf-0.2.8.4-useafterfree.patch b/recipes/libwmf/files/libwmf-0.2.8.4-useafterfree.patch
new file mode 100644 (file)
index 0000000..4d2d285
--- /dev/null
@@ -0,0 +1,14 @@
+
+http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-useafterfree.patch?view=log
+Resolves: CVE-2009-1364
+
+--- libwmf-0.2.8.4/src/extra/gd/gd_clip.c.CVE-2009-1364-im-clip-list   2009-04-24 04:06:44.000000000 -0400
++++ libwmf-0.2.8.4/src/extra/gd/gd_clip.c      2009-04-24 04:08:30.000000000 -0400
+@@ -70,6 +70,7 @@ void gdClipSetAdd(gdImagePtr im,gdClipRe
+       {       more = gdRealloc (im->clip->list,(im->clip->max + 8) * sizeof (gdClipRectangle));
+               if (more == 0) return;
+               im->clip->max += 8;
++                im->clip->list = more;
+       }
+       im->clip->list[im->clip->count] = (*rect);
+       im->clip->count++;
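Review bot: The header of this new patch file gives only the Fedora URL and `Resolves: CVE-2009-1364`, so a reader of the recipe cannot tell what the single added line fixes without opening gd_clip.c. I would add a description line such as `gdClipSetAdd: store the gdRealloc result back into im->clip->list; the old block may have been freed by the reallocation`. The added line also looks to be indented with spaces where the context lines use tabs, which is worth normalising if the patch is ever refreshed. gdClipSetAdd's body starts and ends outside the embedded hunk.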
index a33461f..4b7c225 100644 (file)
@@ -1,4 +1,6 @@
 require libwmf_0.2.8.4.bb
 inherit native
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/libwmf/${PV}/libwmf-${PV}.tar.gz;name=tarball"
+SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/${PN}/${PV}/libwmf-${PV}.tar.gz;name=tarball \
+           file://libwmf-0.2.8.4-intoverflow.patch;patch=1                   \
+           file://libwmf-0.2.8.4-useafterfree.patch;patch=1"
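Review bot: The new `SRC_URI` in the native recipe replaces the literal `wvware/libwmf/` path component with `wvware/${PN}/`, and in a recipe named libwmf-native `${PN}` normally expands to `libwmf-native`, so the tarball URL would no longer point at the upstream directory. The old line hard-coded `libwmf` there, most likely for this reason, and the file name part still does (`libwmf-${PV}.tar.gz`). I would keep the first line as `SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/libwmf/${PV}/libwmf-${PV}.tar.gz;name=tarball \` and only append the two `file://` patch entries. Otherwise the fetch can succeed only through a mirror or a pre-populated download directory, which would hide the breakage.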
index fc02940..37e69e3 100644 (file)
@@ -1,6 +1,8 @@
 inherit autotools_stage
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/${PN}/${PV}/${P}.tar.gz;name=tarball"
+SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/${PN}/${PV}/${P}.tar.gz;name=tarball \
+           file://libwmf-0.2.8.4-intoverflow.patch;patch=1                   \
+           file://libwmf-0.2.8.4-useafterfree.patch;patch=1"
 SRC_URI[tarball.md5sum] = "d1177739bf1ceb07f57421f0cee191e0"
 SRC_URI[tarball.sha256sum] = "5b345c69220545d003ad52bfd035d5d6f4f075e65204114a9e875e84895a7cf8"
 
@@ -10,3 +12,4 @@ LICENSE = "GPL-2"
 
 SECTION = "libs"
 
+PR="r1"