1http://cvs.fedoraproject.org/viewvc/devel/libwmf/libwmf-0.2.8.4-intoverflow.patch?view=log
2
3CVE-2006-3376 libwmf integer overflow
4
5--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000
6+++ libwmf-0.2.8.4/src/player.c 2006-07-12 15:12:52.000000000 +0100
7@@ -42,6 +42,7 @@
8 #include "player/defaults.h" /* Provides: default settings */
9 #include "player/record.h" /* Provides: parameter mechanism */
10 #include "player/meta.h" /* Provides: record interpreters */
11+#include <stdint.h>
12
13 /**
14 * @internal
15@@ -132,8 +134,14 @@
16 }
17 }
18
19-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
20- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
21+ if (MAX_REC_SIZE(API) > UINT32_MAX / 2)
22+ {
23+ API->err = wmf_E_InsMem;
24+ WMF_DEBUG (API,"bailing...");
25+ return (API->err);
26+ }
27+
28+ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
29
30 if (ERR (API))
31 { WMF_DEBUG (API,"bailing...");
32
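Review bot: The early return added in the `@@ -132,8 +134,14 @@` hunk reuses `wmf_E_InsMem` and the same `"bailing..."` text as the allocation-failure path right below it, so a record size rejected by the overflow guard cannot be told apart from a genuine out-of-memory condition, either in debug output or by callers. A distinct message such as `WMF_DEBUG (API,"max record size too large, bailing...");` would make rejected files visible during triage, and a format-error code (for example `wmf_E_BadFormat`, if that is the appropriate value in this project's error enum) may describe the condition better. The guard would also benefit from a comment stating why the limit is `UINT32_MAX / 2`, e.g. `/* reject sizes whose doubling in the wmf_malloc call below would wrap (CVE-2006-3376) */`; the types of `MAX_REC_SIZE(API)` and of `wmf_malloc`'s size argument are not visible here, so it is worth confirming that the bound matches the type the product is computed in. The enclosing function starts and ends outside the hunk.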