Based on a patch from Fedora. http://pkgs.fedoraproject.org/cgit/libwmf.git/tree/libwmf-0.2.8.4-CVE-2007-3472.patch --- libwmf-0.2.8.4/src/extra/gd/gd.c +++ libwmf-0.2.8.4/src/extra/gd/gd.c @@ -106,6 +106,18 @@ gdImagePtr im; unsigned long cpa_size; + if (overflow2(sx, sy)) { + return NULL; + } + + if (overflow2(sizeof (int *), sy)) { + return NULL; + } + + if (overflow2(sizeof(int), sx)) { + return NULL; + } + im = (gdImage *) gdMalloc (sizeof (gdImage)); if (im == 0) return 0; memset (im, 0, sizeof (gdImage)); --- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000 +++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000 @@ -2,6 +2,7 @@ #include "gdhelpers.h" #include #include +#include /* TBB: gd_strtok_r is not portable; provide an implementation */ @@ -94,3 +95,18 @@ { free (ptr); } + +int overflow2(int a, int b) +{ + if(a < 0 || b < 0) { + fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n")
aboutsummaryrefslogtreecommit