summaryrefslogtreecommitdiff
path: root/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch')
-rw-r--r--patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch14
1 files changed, 14 insertions, 0 deletions
diff --git a/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch
new file mode 100644
index 00000000..b1578bb9
--- /dev/null
+++ b/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch
@@ -0,0 +1,14 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -145,6 +145,11 @@
+
+ if ((*fmt) == GD2_FMT_COMPRESSED)
+ {
++ if (*ncx <= 0 || *ncy <= 0 || *ncx > 2147483647 / *ncy) {
++ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++ goto fail1;
++ }
++
+ nc = (*ncx) * (*ncy);
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ sidx = sizeof (t_chunk_info) * nc;