void-packages/srcpkgs/libwmf/patches/CVE-2016-9011.patch

35 lines
1.0 KiB
Diff

--- a/src/player.c
+++ b/src/player.c
@@ -140,7 +140,30 @@
return (API->err);
}
- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
+ if (nMaxRecordSize)
+ {
+ //before allocating memory do a sanity check on size by seeking
+ //to claimed end to see if its possible. We're constrained here
+ //by the api and existing implementations to not simply seeking
+ //to SEEK_END. So use what we have to skip to the last byte and
+ //try and read it.
+ const long nPos = WMF_TELL (API);
+ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+ int byte = WMF_READ (API);
+ if (byte == (-1))
+ { WMF_ERROR (API,"Unexpected EOF!");
+ API->err = wmf_E_EOF;
+ return (API->err);
+ }
+ WMF_SEEK (API, nPos);
+ }
+
+ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
if (ERR (API))
{ WMF_DEBUG (API,"bailing...");