119 lines
3.1 KiB
Text
119 lines
3.1 KiB
Text
Security fixes for CVE-2015-0848, CVE-2015-4588
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1227243
|
|
|
|
--- src/ipa/ipa/bmp.h.orig Wed Jun 24 17:34:35 2015
|
|
+++ src/ipa/ipa/bmp.h Wed Jun 24 17:34:25 2015
|
|
@@ -66,7 +66,7 @@ static void ldr_bmp_png (wmfAPI* API,wmfBMP_Draw_t* bm
|
|
return;
|
|
}
|
|
|
|
- if (setjmp (png_ptr->jmpbuf))
|
|
+ if (setjmp (png_jmpbuf(png_ptr)))
|
|
{ WMF_DEBUG (API,"Failed to write bitmap as PNG! (setjmp failed)");
|
|
png_destroy_write_struct (&png_ptr,&info_ptr);
|
|
wmf_free (API,buffer);
|
|
@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
|
|
%
|
|
%
|
|
*/
|
|
-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
|
|
+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
|
|
{ int byte;
|
|
int count;
|
|
int i;
|
|
@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
|
|
U32 u;
|
|
|
|
unsigned char* q;
|
|
+ unsigned char* end;
|
|
|
|
for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
|
|
|
|
byte = 0;
|
|
x = 0;
|
|
q = pixels;
|
|
+ end = pixels + bmp->width * bmp->height;
|
|
|
|
for (y = 0; y < bmp->height; )
|
|
{ count = ReadBlobByte (src);
|
|
@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
|
|
{ /* Encoded mode. */
|
|
byte = ReadBlobByte (src);
|
|
for (i = 0; i < count; i++)
|
|
- { if (compression == 1)
|
|
+ {
|
|
+ if (q == end)
|
|
+ return 0;
|
|
+ if (compression == 1)
|
|
{ (*(q++)) = (unsigned char) byte;
|
|
}
|
|
else
|
|
@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
|
|
else
|
|
{ /* Escape mode. */
|
|
count = ReadBlobByte (src);
|
|
- if (count == 0x01) return;
|
|
+ if (count == 0x01) return 1;
|
|
switch (count)
|
|
{
|
|
case 0x00:
|
|
{ /* End of line. */
|
|
x = 0;
|
|
y++;
|
|
+ if (y >= bmp->height)
|
|
+ return 0;
|
|
q = pixels + y * bmp->width;
|
|
break;
|
|
}
|
|
@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
|
|
{ /* Delta mode. */
|
|
x += ReadBlobByte (src);
|
|
y += ReadBlobByte (src);
|
|
+ if (y >= bmp->height)
|
|
+ return 0;
|
|
+ if (x >= bmp->width)
|
|
+ return 0;
|
|
q = pixels + y * bmp->width + x;
|
|
break;
|
|
}
|
|
default:
|
|
{ /* Absolute mode. */
|
|
for (i = 0; i < count; i++)
|
|
- { if (compression == 1)
|
|
+ {
|
|
+ if (q == end)
|
|
+ return 0;
|
|
+ if (compression == 1)
|
|
{ (*(q++)) = ReadBlobByte (src);
|
|
}
|
|
else
|
|
@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSo
|
|
byte = ReadBlobByte (src); /* end of line */
|
|
byte = ReadBlobByte (src);
|
|
|
|
- return;
|
|
+ return 1;
|
|
}
|
|
|
|
/*
|
|
@@ -1143,8 +1157,18 @@ static void ReadBMPImage (wmfAPI* API,wmfBMP* bmp,BMPS
|
|
}
|
|
}
|
|
else
|
|
- { /* Convert run-length encoded raster pixels. */
|
|
- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
|
|
+ {
|
|
+ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
|
|
+ {
|
|
+ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
|
|
+ { WMF_ERROR (API,"corrupt bmp");
|
|
+ API->err = wmf_E_BadFormat;
|
|
+ }
|
|
+ }
|
|
+ else
|
|
+ { WMF_ERROR (API,"Unexpected pixel depth");
|
|
+ API->err = wmf_E_BadFormat;
|
|
+ }
|
|
}
|
|
|
|
if (ERR (API))
|