Hello community, here is the log from the commit of package libEMF for openSUSE:Leap:15.2 checked in at 2020-06-14 04:44:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/libEMF (Old) and /work/SRC/openSUSE:Leap:15.2/.libEMF.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libEMF" Sun Jun 14 04:44:27 2020 rev:12 rq:814299 version:1.0.7 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/libEMF/libEMF.changes 2020-01-15 15:18:38.178349482 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.libEMF.new.3606/libEMF.changes 2020-06-14 04:44:32.690684737 +0200 @@ -1,0 +2,8 @@ +Sun May 31 21:03:24 UTC 2020 - Jason Sikes <jsi...@suse.com> + +- Added libEMF-1.0.7-handle-corrupted-metafiles.patch + * CVE-2020-11863, CVE-2020-11864, + CVE-2020-11865, and CVE-2020-11866. + * bsc#1171496, bsc#1171497, bsc#1171498, and bsc#1171499 + +------------------------------------------------------------------- New: ---- libEMF-1.0.7-handle-corrupted-metafiles.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libEMF.spec ++++++ --- /var/tmp/diff_new_pack.UCCOdo/_old 2020-06-14 04:44:33.010685777 +0200 +++ /var/tmp/diff_new_pack.UCCOdo/_new 2020-06-14 04:44:33.014685791 +0200 @@ -26,6 +26,7 @@ Source: http://downloads.sourceforge.net/project/libemf/libemf/%{version}/%{name}-%{version}.tar.gz Patch0: aarch64-support.patch Patch2: ppc64le-support.patch +Patch3: libEMF-1.0.7-handle-corrupted-metafiles.patch BuildRequires: gcc-c++ BuildRoot: %{_tmppath}/%{name}-%{version}-build # taken from includes/wine/winnt.h @@ -94,6 +95,7 @@ %setup -q %patch0 -p1 %patch2 -p1 +%patch3 -p1 %build %configure\ ++++++ libEMF-1.0.7-handle-corrupted-metafiles.patch ++++++ Index: libEMF-1.0.7/libemf/libemf.cpp =================================================================== --- libEMF-1.0.7.orig/libemf/libemf.cpp +++ libEMF-1.0.7/libemf/libemf.cpp @@ -211,10 +211,19 @@ namespace EMF { */ OBJECT* GLOBALOBJECTS::find ( const HGDIOBJ handle ) { - if ( handle & ENHMETA_STOCK_OBJECT ) - return objects[ handle & (~ENHMETA_STOCK_OBJECT) ]; - else + if ( handle & ENHMETA_STOCK_OBJECT ) { + size_t o = handle & (~ENHMETA_STOCK_OBJECT); + if ( o >= objects.size() ) { + return NULL; + } + return objects[o]; + } + else { + if ( handle >= objects.size() ) { + return NULL; + } return objects[ handle ]; + } } /*! @@ -538,7 +547,8 @@ namespace EMF { // destination dc wants to see. emf_handles is manipulated when // a Create* object record is executed. - if ( !( ihObject & ENHMETA_STOCK_OBJECT ) ) + if ( !( ihObject & ENHMETA_STOCK_OBJECT ) and + source->emf_handles.find( ihObject ) != source->emf_handles.end() ) DeleteObject( source->emf_handles[ihObject] ); } @@ -1021,8 +1031,11 @@ extern "C" { delete[] filename_a; - if ( fp == 0 ) + if ( fp == 0 ) { + std::cerr << "GetEnhMetaFileW read error. cannot continue" + << std::endl; return 0; + } // Create an implicit device context for this metafile. This // also creates an implicit metafile header. @@ -1037,6 +1050,8 @@ extern "C" { dc->ds >> emr; if ( emr.iType != EMR_HEADER ) { + std::cerr << "GetEnhMetaFileW read error. cannot continue: Not an EMF" + << std::endl; DeleteDC( dc->handle ); return 0; } Index: libEMF-1.0.7/libemf/libemf.h =================================================================== --- libEMF-1.0.7.orig/libemf/libemf.h +++ libEMF-1.0.7/libemf/libemf.h @@ -26,6 +26,7 @@ #include <map> #include <functional> #include <algorithm> +#include <stdexcept> #include <config.h> #include <libEMF/emf.h> @@ -3538,6 +3539,21 @@ namespace EMF { ds >> counts; + // Counts have to add up to less than the number of points + // we have. DWORD is unsigned so we most care about overflow. + DWORD n = 0, n_old = 0; + for ( DWORD c = 0; c < nPolys; ++c ) { + n_old = n; + n += lcounts[c]; + if ( n < n_old ) { + throw std::runtime_error( "Unsigned overflow" ); + } + } + if ( n > cptl ) { + throw std::runtime_error( "Too few points" ); + } + + lpoints = new POINTL[cptl]; POINTLARRAY points( lpoints, cptl ); @@ -3728,6 +3744,20 @@ namespace EMF { ds >> counts; + // Counts have to add up to less than the number of points + // we have. DWORD is unsigned so we most care about overflow. + DWORD n = 0, n_old = 0; + for ( DWORD c = 0; c < nPolys; ++c ) { + n_old = n; + n += lcounts[c]; + if ( n < n_old ) { + throw std::runtime_error( "Unsigned overflow" ); + } + } + if ( n > cpts ) { + throw std::runtime_error( "Too few points" ); + } + lpoints = new POINT16[cpts]; POINT16ARRAY points( lpoints, cpts );