summaryrefslogtreecommitdiff
path: root/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-10168.patch
blob: b1578bb91eaf0e601942b369abe7816e871fd6d8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
@@ -145,6 +145,11 @@
 
   if ((*fmt) == GD2_FMT_COMPRESSED)
     {
+      if (*ncx <= 0 || *ncy <= 0 || *ncx > 2147483647 / *ncy) {
+              GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
+              goto fail1;
+      }
+
       nc = (*ncx) * (*ncy);
       GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
       sidx = sizeof (t_chunk_info) * nc;