new file mode 100644
@@ -0,0 +1,50 @@
+From 245ec5c80d8d9964d150507f5583ab890a327fe8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
+Date: Wed, 8 Aug 2018 14:01:34 +0100
+Subject: [PATCH] CVE-2016-9011
+
+CVE: CVE-2016-9011
+Upstream-Status: Backport [https://github.com/caolanm/libwmf/commit/2208b4881ceb8056480735dc330cfd52be03893e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/player.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/player.c b/src/player.c
+index cd87cb5..628cdcb 100644
+--- a/src/player.c
++++ b/src/player.c
+@@ -139,8 +139,31 @@ wmf_error_t wmf_scan (wmfAPI* API,unsigned long flags,wmfD_Rect* d_r)
+ WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+-
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
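Review bot: The size arithmetic behind the new seek check is not range-checked, so at `U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);` and `WMF_SEEK (API, nPos + nMaxRecordSize - 1);` the check can run on a wrapped value. `MAX_REC_SIZE(API)` presumably comes from the file header, so doubling it into a `U32` can truncate, and adding the result to the `long` from `WMF_TELL` can overflow where `long` is 32 bits; `nPos` is also used without testing for a negative return. I would reject these cases before seeking, e.g. `if (nPos < 0 || MAX_REC_SIZE(API) > 0x7fffffffUL || nMaxRecordSize - 1 > (unsigned long)(LONG_MAX - nPos)) { API->err = wmf_E_BadFormat; return (API->err); }`, and raise it upstream since this file is a backport. The body of wmf_scan starts and ends outside the hunk, so how later record lengths are bounded against `P->Parameters` is not visible here and should be confirmed.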
@@ -23,6 +23,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/wvware/${BPN}/${PV}/${BPN}-${PV}.tar.gz;name=ta
file://CVE-2015-0848-CVE-2015-4588.patch \
file://CVE-2015-4695.patch \
file://CVE-2015-4696.patch \
+ file://CVE-2016-9011.patch \
"
SRC_URI[tarball.md5sum] = "d1177739bf1ceb07f57421f0cee191e0"
Details: https://nvd.nist.gov/vuln/detail/CVE-2016-9011 Pick the patch that explicitly mentions the vulnerability ID. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../libwmf/libwmf/CVE-2016-9011.patch | 50 +++++++++++++++++++ .../recipes-extended/libwmf/libwmf_0.2.8.4.bb | 1 + 2 files changed, 51 insertions(+) create mode 100644 meta-oe/recipes-extended/libwmf/libwmf/CVE-2016-9011.patch