diff --git a/SOURCES/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch b/SOURCES/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch new file mode 100644 index 0000000..e8ba8db --- /dev/null +++ b/SOURCES/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch @@ -0,0 +1,118 @@ +--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100 ++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100 +@@ -859,7 +859,7 @@ + % + % + */ +-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) ++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) + { int byte; + int count; + int i; +@@ -870,12 +870,14 @@ + U32 u; + + unsigned char* q; ++ unsigned char* end; + + for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; + + byte = 0; + x = 0; + q = pixels; ++ end = pixels + bmp->width * bmp->height; + + for (y = 0; y < bmp->height; ) + { count = ReadBlobByte (src); +@@ -884,7 +886,10 @@ + { /* Encoded mode. */ + byte = ReadBlobByte (src); + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = (unsigned char) byte; + } + else +@@ -896,13 +901,15 @@ + else + { /* Escape mode. */ + count = ReadBlobByte (src); +- if (count == 0x01) return; ++ if (count == 0x01) return 1; + switch (count) + { + case 0x00: + { /* End of line. */ + x = 0; + y++; ++ if (y >= bmp->height) ++ return 0; + q = pixels + y * bmp->width; + break; + } +@@ -910,13 +917,20 @@ + { /* Delta mode. */ + x += ReadBlobByte (src); + y += ReadBlobByte (src); ++ if (y >= bmp->height) ++ return 0; ++ if (x >= bmp->width) ++ return 0; + q = pixels + y * bmp->width + x; + break; + } + default: + { /* Absolute mode. */ + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = ReadBlobByte (src); + } + else +@@ -943,7 +957,7 @@ + byte = ReadBlobByte (src); /* end of line */ + byte = ReadBlobByte (src); + +- return; ++ return 1; + } + + /* +@@ -1143,8 +1157,18 @@ + } + } + else +- { /* Convert run-length encoded raster pixels. */ +- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); ++ { ++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ ++ { ++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) ++ { WMF_ERROR (API,"corrupt bmp"); ++ API->err = wmf_E_BadFormat; ++ } ++ } ++ else ++ { WMF_ERROR (API,"Unexpected pixel depth"); ++ API->err = wmf_E_BadFormat; ++ } + } + + if (ERR (API)) +--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100 ++++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100 +@@ -48,7 +48,7 @@ + static unsigned short ReadBlobLSBShort (BMPSource*); + static unsigned long ReadBlobLSBLong (BMPSource*); + static long TellBlob (BMPSource*); +-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); ++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); + static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); + static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); + static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); diff --git a/SOURCES/libwmf-0.2.8.4-CVE-2015-4695.patch b/SOURCES/libwmf-0.2.8.4-CVE-2015-4695.patch new file mode 100644 index 0000000..b6d499d --- /dev/null +++ b/SOURCES/libwmf-0.2.8.4-CVE-2015-4695.patch @@ -0,0 +1,56 @@ +--- libwmf-0.2.8.4/src/player/meta.h ++++ libwmf-0.2.8.4/src/player/meta.h +@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API, + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API, + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI* + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); diff --git a/SOURCES/libwmf-0.2.8.4-CVE-2015-4696.patch b/SOURCES/libwmf-0.2.8.4-CVE-2015-4696.patch new file mode 100644 index 0000000..3312841 --- /dev/null +++ b/SOURCES/libwmf-0.2.8.4-CVE-2015-4696.patch @@ -0,0 +1,23 @@ +--- libwmf-0.2.8.4/src/player/meta.h ++++ libwmf-0.2.8.4/src/player/meta.h +@@ -2585,6 +2585,8 @@ + polyrect.BR[i] = clip->rects[i].BR; + } + ++ if (FR->region_clip) FR->region_clip (API,&polyrect); ++ + wmf_free (API,polyrect.TL); + wmf_free (API,polyrect.BR); + } +@@ -2593,9 +2595,10 @@ + polyrect.BR = 0; + + polyrect.count = 0; ++ ++ if (FR->region_clip) FR->region_clip (API,&polyrect); + } + +- if (FR->region_clip) FR->region_clip (API,&polyrect); + + return (changed); + } diff --git a/SPECS/libwmf.spec b/SPECS/libwmf.spec index 0c8cf18..1e3ff22 100644 --- a/SPECS/libwmf.spec +++ b/SPECS/libwmf.spec @@ -1,7 +1,7 @@ Summary: Windows MetaFile Library Name: libwmf Version: 0.2.8.4 -Release: 39%{?dist} +Release: 41%{?dist} Group: System Environment/Libraries #libwmf is under the LGPLv2+, however... #1. The tarball contains an old version of the urw-fonts under GPL+. @@ -55,6 +55,12 @@ Patch14: libwmf-0.2.8.4-CAN-2004-0941.patch Patch15: libwmf-0.2.8.4-CVE-2009-3546.patch # https://bugzilla.redhat.com/show_bug.cgi?id=925929 Patch16: libwmf-aarch64.patch +# CVE-2015-0848+CVE-2015-4588 +Patch17: libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch +# CVE-2015-4695 +Patch18: libwmf-0.2.8.4-CVE-2015-4695.patch +# CVE-2015-4696 +Patch19: libwmf-0.2.8.4-CVE-2015-4696.patch Requires: urw-fonts Requires: %{name}-lite = %{version}-%{release} @@ -102,6 +108,9 @@ using libwmf. %patch14 -p1 -b .CAN-2004-0941 %patch15 -p1 -b .CVE-2009-3546 %patch16 -p1 -b .aarch64 +%patch17 -p1 -b .CVE-2015-0848+CVE-2015-4588 +%patch18 -p1 -b .CVE-2015-4695 +%patch19 -p1 -b .CVE-2015-4696 f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f %build @@ -167,6 +176,15 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache || : %changelog +* Wed Sep 02 2015 Caolán McNamara - 0.2.8.4-41 +- Related: rhbz#1239161 fix patch context + +* Mon Jun 08 2015 Caolán McNamara - 0.2.8.4-40 +- Resolves: rhbz#1239161 CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696 + +* Mon Jun 08 2015 Caolán McNamara - 0.2.8.4-39.1 +- Resolves: rhbz#1227430 CVE-2015-0848 heap overflow when decoding BMP images + * Fri Jan 24 2014 Daniel Mach - 0.2.8.4-39 - Mass rebuild 2014-01-24