slackware-current/source/l/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch

--- libwmf-0.2.8.4/src/player.c
+++ libwmf-0.2.8.4/src/player.c
@@ -139,8 +139,31 @@
 		WMF_DEBUG (API,"bailing...");
 		return (API->err);
 	}
-	
- 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+
+	U32 nMaxRecordSize = (MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char);
+	if (nMaxRecordSize)
+	{
+		//before allocating memory do a sanity check on size by seeking
+		//to claimed end to see if its possible. We're constrained here
+		//by the api and existing implementations to not simply seeking
+		//to SEEK_END. So use what we have to skip to the last byte and
+		//try and read it.
+		const long nPos = WMF_TELL (API);
+		WMF_SEEK (API, nPos + nMaxRecordSize - 1);
+		if (ERR (API))
+		{	WMF_DEBUG (API,"bailing...");
+			return (API->err);
+		}
+		int byte = WMF_READ (API);
+		if (byte == (-1))
+		{	WMF_ERROR (API,"Unexpected EOF!");
+		       	API->err = wmf_E_EOF;
+		       	return (API->err);
+		}
+		WMF_SEEK (API, nPos);
+	}
+
+ 	P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
 
 	if (ERR (API))
 	{	WMF_DEBUG (API,"bailing...");
Mon May 28 19:12:29 UTC 2018 a/pkgtools-15.0-noarch-13.txz: Rebuilt. installpkg: default line length for --terselength is the number of columns. removepkg: added --terse mode. upgradepkg: default line length for --terselength is the number of columns. upgradepkg: accept -option in addition to --option. ap/vim-8.1.0026-x86_64-1.txz: Upgraded. d/bison-3.0.5-x86_64-1.txz: Upgraded. e/emacs-26.1-x86_64-1.txz: Upgraded. kde/kopete-4.14.3-x86_64-8.txz: Rebuilt. Recompiled against libidn-1.35. n/conntrack-tools-1.4.5-x86_64-1.txz: Upgraded. n/libnetfilter_conntrack-1.0.7-x86_64-1.txz: Upgraded. n/libnftnl-1.1.0-x86_64-1.txz: Upgraded. n/links-2.16-x86_64-2.txz: Rebuilt. Rebuilt to enable X driver for -g mode. n/lynx-2.8.9dev.19-x86_64-1.txz: Upgraded. n/nftables-0.8.5-x86_64-1.txz: Upgraded. n/p11-kit-0.23.11-x86_64-1.txz: Upgraded. n/ulogd-2.0.7-x86_64-1.txz: Upgraded. n/whois-5.3.1-x86_64-1.txz: Upgraded. xap/network-manager-applet-1.8.12-x86_64-1.txz: Upgraded. xap/vim-gvim-8.1.0026-x86_64-1.txz: Upgraded. 2018-05-28 21:12:29 +02:00			`--- libwmf-0.2.8.4/src/player.c`
			`+++ libwmf-0.2.8.4/src/player.c`
			`@@ -139,8 +139,31 @@`
			`WMF_DEBUG (API,"bailing...");`
			`return (API->err);`
			`}`
			`-`
			`- P->Parameters = (unsigned char) wmf_malloc (API,(MAX_REC_SIZE(API) ) 2 * sizeof (unsigned char));`
			`+`
			`+ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);`
			`+ if (nMaxRecordSize)`
			`+ {`
			`+ //before allocating memory do a sanity check on size by seeking`
			`+ //to claimed end to see if its possible. We're constrained here`
			`+ //by the api and existing implementations to not simply seeking`
			`+ //to SEEK_END. So use what we have to skip to the last byte and`
			`+ //try and read it.`
			`+ const long nPos = WMF_TELL (API);`
			`+ WMF_SEEK (API, nPos + nMaxRecordSize - 1);`
			`+ if (ERR (API))`
			`+ { WMF_DEBUG (API,"bailing...");`
			`+ return (API->err);`
			`+ }`
			`+ int byte = WMF_READ (API);`
			`+ if (byte == (-1))`
			`+ { WMF_ERROR (API,"Unexpected EOF!");`
			`+ API->err = wmf_E_EOF;`
			`+ return (API->err);`
			`+ }`
			`+ WMF_SEEK (API, nPos);`
			`+ }`
			`+`
			`+ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);`

			`if (ERR (API))`
			`{ WMF_DEBUG (API,"bailing...");`