libwmf integer overflow

infamous41md discovered an integer overflow bug in libwmf. There is more information here: http://www.securityfocus.com/archive/1/archive/1/438803/100/0/threaded
Created attachment 132225
maybe this will suffice

Created attachment 132312
testcase

I don't have a proper test case, but here's a wmf which has a size field which will overflow as reported above on a box where size_t is 32. With the fix in place it shouldn't open on such a system.
Built, and mkerrata-wrapper dist-4E-errata-candidate libwmf-0.2.8.3-5.2 has been run. The attached .wmf shouldn't open on 32-bit platforms after this change, but normal .wmf files should.
RHSA-2006:0597 in progress.
Created attachment 132425
maybe a better testcase

Maybe this testcase will trigger better on RHEL-4?
Seems to work better, but shows I need another fix for casting on 64-bit. Built, and mkerrata-wrapper dist-4E-errata-candidate libwmf-0.2.8.3-5.3 has been run.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0597.html