$NetBSD: patch-aa,v 1.8 2015/07/17 12:33:47 sevan Exp $

Fix build with png-1.5.
https://sourceforge.net/tracker/?func=detail&aid=3164737&group_id=10501&atid=110501

CVE-2015-4588 - Heap-based buffer overflow in the DecodeImage function in libwmf
0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly
execute arbitrary code via a crafted "run-length count" in an image in a WMF
file.
CVE-2015-0848 - Heap-based buffer overflow in libwmf 0.2.8.4 allows remote
attackers to cause a denial of service (crash) or possibly execute arbitrary
code via a crafted BMP image.

--- src/ipa/ipa/bmp.h.orig	2015-07-17 11:09:09.000000000 +0000
+++ src/ipa/ipa/bmp.h
@@ -66,7 +66,7 @@ static void ldr_bmp_png (wmfAPI* API,wmf
 		return;
 	}
 
-	if (setjmp (png_ptr->jmpbuf))
+	if (setjmp (png_jmpbuf(png_ptr)))
 	{	WMF_DEBUG (API,"Failed to write bitmap as PNG! (setjmp failed)");
 		png_destroy_write_struct (&png_ptr,&info_ptr);
 		wmf_free (API,buffer);
@@ -859,7 +859,7 @@ static long TellBlob (BMPSource* src)
 %
 %
 */
-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
+static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
 {	int byte;
 	int count;
 	int i;
@@ -870,12 +870,14 @@ static void DecodeImage (wmfAPI* API,wmf
 	U32 u;
 
 	unsigned char* q;
+	unsigned char* end;
 
 	for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
 
 	byte = 0;
 	x = 0;
 	q = pixels;
+	end = pixels + bmp->width * bmp->height;
 
 	for (y = 0; y < bmp->height; )
 	{	count = ReadBlobByte (src);
@@ -884,7 +886,10 @@ static void DecodeImage (wmfAPI* API,wmf
 		{	/* Encoded mode. */
 			byte = ReadBlobByte (src);
 			for (i = 0; i < count; i++)
-			{	if (compression == 1)
+			{	
+				if (q == end)
+					return 0;
+			 	if (compression == 1)
 				{	(*(q++)) = (unsigned char) byte;
 				}
 				else
@@ -896,13 +901,15 @@ static void DecodeImage (wmfAPI* API,wmf
 		else
 		{	/* Escape mode. */
 			count = ReadBlobByte (src);
-			if (count == 0x01) return;
+			if (count == 0x01) return 1;
 			switch (count)
 			{
 			case 0x00:
 			 {	/* End of line. */
 				x = 0;
 				y++;
+				if (y >= bmp->height)
+					return 0;
 				q = pixels + y * bmp->width;
 				break;
 			 }
@@ -910,13 +917,20 @@ static void DecodeImage (wmfAPI* API,wmf
 			 {	/* Delta mode. */
 				x += ReadBlobByte (src);
 				y += ReadBlobByte (src);
+				if (y >= bmp->height)
+					return 0;
+				if (x >= bmp->width)
+					return 0;
 				q = pixels + y * bmp->width + x;
 				break;
 			 }
 			default:
 			 {	/* Absolute mode. */
 				for (i = 0; i < count; i++)
-				{	if (compression == 1)
+				{
+					if (q == end)
+						return 0;
+					if (compression == 1)
 					{	(*(q++)) = ReadBlobByte (src);
 					}
 					else
@@ -943,7 +957,7 @@ static void DecodeImage (wmfAPI* API,wmf
 	byte = ReadBlobByte (src);  /* end of line */
 	byte = ReadBlobByte (src);
 
-	return;
+	return 1;
 }
 
 /*
@@ -1143,8 +1157,20 @@ static void ReadBMPImage (wmfAPI* API,wm
 		}
 	}
 	else
-	{	/* Convert run-length encoded raster pixels. */
-		DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
+	{
+		if (bmp_info.bits_per_pixel == 8)	/* Convert run-length encoded raster pixels. */
+		{
+			if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))	
+			{
+				WMF_ERROR (API,"corrupt bmp");
+				API->err = wmf_E_BadFormat;
+			}
+		}
+		else
+		{
+			WMF_ERROR (API,"Unexpected pixel depth");
+			API->err = wmf_E_BadFormat;
+		}
 	}
 
 	if (ERR (API))