[meta-oe,kirkstone,3/6] libwmf: patch CVE-2015-0848 and CVE-2015-4588

diff --git a/meta-oe/recipes-extended/libwmf/libwmf/CVE-2015-0848-CVE-2015-4588.patch b/meta-oe/recipes-extended/libwmf/libwmf/CVE-2015-0848-CVE-2015-4588.patch
new file mode 100644
index 0000000000..b65610aa88
--- /dev/null
+++ b/meta-oe/recipes-extended/libwmf/libwmf/CVE-2015-0848-CVE-2015-4588.patch
@@ -0,0 +1,135 @@ 
+From f42e4f4505b07278f4baccddfc1f47059ae4f931 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 8 Aug 2018 13:59:18 +0100
+Subject: [PATCH] CVE-2015-0848+CVE-2015-4588
+
+CVE: CVE-2015-0848 CVE-2015-4588
+Upstream-Status: Backport [https://github.com/caolanm/libwmf/commit/879d6bffa6dd21b8c0e9ec3b5aa31b6ae090ef83]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/ipa/ipa.h     |  2 +-
+ src/ipa/ipa/bmp.h | 38 +++++++++++++++++++++++++++++++-------
+ 2 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/src/ipa/ipa.h b/src/ipa/ipa.h
+index d050a7e..3003540 100644
+--- a/src/ipa/ipa.h
++++ b/src/ipa/ipa.h
+@@ -48,7 +48,7 @@ static int            ReadBlobByte (BMPSource*);
+ static unsigned short ReadBlobLSBShort (BMPSource*);
+ static unsigned long  ReadBlobLSBLong (BMPSource*);
+ static long           TellBlob (BMPSource*);
+-static void           DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
++static int            DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
+ static void           ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
+ static int            ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
+ static void           SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
+diff --git a/src/ipa/ipa/bmp.h b/src/ipa/ipa/bmp.h
+index 29eee34..7751a36 100644
+--- a/src/ipa/ipa/bmp.h
++++ b/src/ipa/ipa/bmp.h
+@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
+ %
+ %
+ */
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+ {	int byte;
+ 	int count;
+ 	int i;
+@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int com
+ 	U32 u;
+ 
+ 	unsigned char* q;
++	unsigned char* end;
+ 
+ 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
+ 
+ 	byte = 0;
+ 	x = 0;
+ 	q = pixels;
++	end = pixels + bmp->width * bmp->height;
+ 
+ 	for (y = 0; y < bmp->height; )
+ 	{	count = ReadBlobByte (src);
+@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int com
+ 		{	/* Encoded mode. */
+ 			byte = ReadBlobByte (src);
+ 			for (i = 0; i < count; i++)
+-			{	if (compression == 1)
++			{	
++				if (q == end)
++					return 0;
++			 	if (compression == 1)
+ 				{	(*(q++)) = (unsigned char) byte;
+ 				}
+ 				else
+@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int com
+ 		else
+ 		{	/* Escape mode. */
+ 			count = ReadBlobByte (src);
+-			if (count == 0x01) return;
++			if (count == 0x01) return 1;
+ 			switch (count)
+ 			{
+ 			case 0x00:
+ 			 {	/* End of line. */
+ 				x = 0;
+ 				y++;
++				if (y >= bmp->height)
++					return 0;
+ 				q = pixels + y * bmp->width;
+ 				break;
+ 			 }
+@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int com
+ 			 {	/* Delta mode. */
+ 				x += ReadBlobByte (src);
+ 				y += ReadBlobByte (src);
++				if (y >= bmp->height)
++					return 0;
++				if (x >= bmp->width)
++					return 0;
+ 				q = pixels + y * bmp->width + x;
+ 				break;
+ 			 }
+ 			default:
+ 			 {	/* Absolute mode. */
+ 				for (i = 0; i < count; i++)
+-				{	if (compression == 1)
++				{
++					if (q == end)
++						return 0;
++					if (compression == 1)
+ 					{	(*(q++)) = ReadBlobByte (src);
+ 					}
+ 					else
+@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int com
+ 	byte = ReadBlobByte (src);  /* end of line */
+ 	byte = ReadBlobByte (src);
+ 
+-	return;
++	return 1;
+ }
+ 
+ /*
+@@ -1143,8 +1157,18 @@ static void ReadBMPImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src)
+ 		}
+ 	}
+ 	else
+-	{	/* Convert run-length encoded raster pixels. */
+-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
++	{
++		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
++		{
++			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
++			{	WMF_ERROR (API,"corrupt bmp");
++				API->err = wmf_E_BadFormat;
++			}
++		}
++		else
++		{	WMF_ERROR (API,"Unexpected pixel depth");
++			API->err = wmf_E_BadFormat;
++		}
+ 	}
+ 
+ 	if (ERR (API))
diff --git a/meta-oe/recipes-extended/libwmf/libwmf_0.2.8.4.bb b/meta-oe/recipes-extended/libwmf/libwmf_0.2.8.4.bb
index 955dd5154b..56fd0b9eba 100644
--- a/meta-oe/recipes-extended/libwmf/libwmf_0.2.8.4.bb
+++ b/meta-oe/recipes-extended/libwmf/libwmf_0.2.8.4.bb
@@ -20,7 +20,8 @@  SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/${BPN}/${PV}/${BPN}-${PV}.tar.gz;name=ta
            file://libwmf-0.2.8.4-intoverflow.patch \
            file://libwmf-0.2.8.4-useafterfree.patch \
            file://0001-configure-use-pkg-config-for-freetype.patch \
-          "
+           file://CVE-2015-0848-CVE-2015-4588.patch \
+           "
 
 SRC_URI[tarball.md5sum] = "d1177739bf1ceb07f57421f0cee191e0"
 SRC_URI[tarball.sha256sum] = "5b345c69220545d003ad52bfd035d5d6f4f075e65204114a9e875e84895a7cf8"