summaryrefslogtreecommitdiff
path: root/patches/source/libwmf/libwmf-0.2.8.4-CVE-2006-3376.patch
blob: 507fe66223ce57b1be2a4ed439f6a8ad2c210220 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
--- libwmf-0.2.8.4.orig/src/player.c	2002-12-10 19:30:26.000000000 +0000
+++ libwmf-0.2.8.4/src/player.c	2006-07-12 15:12:52.000000000 +0100
@@ -42,6 +42,7 @@
 #include "player/defaults.h" /* Provides: default settings               */
 #include "player/record.h"   /* Provides: parameter mechanism            */
 #include "player/meta.h"     /* Provides: record interpreters            */
+#include <stdint.h>
 
 /**
  * @internal
@@ -132,8 +134,14 @@
 		}
 	}
 
-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+	if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
+	{
+		API->err = wmf_E_InsMem;
+		WMF_DEBUG (API,"bailing...");
+		return (API->err);
+	}
+	
+ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
 
 	if (ERR (API))
 	{	WMF_DEBUG (API,"bailing...");