summaryrefslogtreecommitdiffstats
path: root/abs/extra/xmms/xmms-1.2.11-CVE-2007-0653.0654.patch
diff options
context:
space:
mode:
Diffstat (limited to 'abs/extra/xmms/xmms-1.2.11-CVE-2007-0653.0654.patch')
-rw-r--r--abs/extra/xmms/xmms-1.2.11-CVE-2007-0653.0654.patch43
1 files changed, 43 insertions, 0 deletions
diff --git a/abs/extra/xmms/xmms-1.2.11-CVE-2007-0653.0654.patch b/abs/extra/xmms/xmms-1.2.11-CVE-2007-0653.0654.patch
new file mode 100644
index 0000000..5fa9772
--- /dev/null
+++ b/abs/extra/xmms/xmms-1.2.11-CVE-2007-0653.0654.patch
@@ -0,0 +1,43 @@
+--- xmms-1.2.11/xmms/bmp.c.CVE-2007-0653.0654 2006-07-16 15:40:04.000000000 +0200
++++ xmms-1.2.11/xmms/bmp.c 2007-11-18 21:23:11.000000000 +0100
+@@ -19,6 +19,12 @@
+ */
+ #include "xmms.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ struct rgb_quad
+ {
+ guchar rgbBlue;
+@@ -183,7 +189,7 @@ GdkPixmap *read_bmp(gchar * filename)
+ }
+ else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
+ {
+- gint ncols, i;
++ guint32 ncols, i;
+
+ ncols = offset - headSize - 14;
+ if (headSize == 12)
+@@ -201,9 +207,17 @@ GdkPixmap *read_bmp(gchar * filename)
+ }
+ }
+ fseek(file, offset, SEEK_SET);
++ /* verify buffer size */
++ if (!h || !w ||
++ w > (((UINT32_MAX - 3) / 3) / h) ||
++ h > (((UINT32_MAX - 3) / 3) / w)) {
++ g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
++ fclose(file);
++ return NULL;
++ }
++ data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */
+ buffer = g_malloc(imgsize);
+ fread(buffer, imgsize, 1, file);
+- data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */
+
+ if (bitcount == 1)
+ read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);
generated by cgit v0.12 at 2024-05-13 03:46:50 (GMT)