You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
46 lines
1.3 KiB
46 lines
1.3 KiB
Index: src/font.c |
|
--- src/font.c.orig 2005-07-27 22:35:06 +0200 |
|
+++ src/font.c 2006-11-04 19:20:55 +0100 |
|
@@ -199,7 +199,7 @@ |
|
unsigned int i = 0; |
|
|
|
while (font_data->cache[i].name) |
|
- { if (strcmp (font_data->cache[i].path,entry->path) == 0) break; |
|
+ { if (strcmp (font_data->cache[i].name,entry->name) == 0) break; |
|
i++; |
|
} |
|
|
|
@@ -422,7 +422,6 @@ |
|
|
|
fontmap_data->FD.FI = 0; |
|
|
|
- if (API->flags & WMF_OPT_SYS_FONTS) |
|
{ if (API->flags & WMF_OPT_SYS_FONTMAP) |
|
{ wmf_ipa_font_map_xml (API,&(fontmap_data->FD),options->sys_fontmap_file); |
|
} |
|
|
|
----------------------------------------------------------------------------- |
|
|
|
Security Fix (CVE-2006-3376) |
|
|
|
Integer overflow allowing remote attackers to execute arbitrary code |
|
via the MaxRecordSize header field in a WMF file. |
|
|
|
Index: src/player.c |
|
--- src/player.c.orig 2002-12-10 20:30:26 +0100 |
|
+++ src/player.c 2006-11-04 19:50:32 +0100 |
|
@@ -132,6 +132,14 @@ |
|
} |
|
} |
|
|
|
+#define WMF_SIZE_MAX ((size_t)(~((size_t)0))) /* portable version of SIZE_MAX */ |
|
+ if (MAX_REC_SIZE(API) > WMF_SIZE_MAX / 2) |
|
+ { |
|
+ API->err = wmf_E_InsMem; |
|
+ WMF_DEBUG (API,"bailing..."); |
|
+ return (API->err); |
|
+ } |
|
+ |
|
/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); |
|
*/ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); |
|
|
|
|