Index: src/font.c
--- src/font.c.orig	2005-07-27 22:35:06 +0200
+++ src/font.c	2006-11-04 19:20:55 +0100
@@ -199,7 +199,7 @@
 	unsigned int i = 0;
 
 	while (font_data->cache[i].name)
-	{	if (strcmp (font_data->cache[i].path,entry->path) == 0) break;
+	{	if (strcmp (font_data->cache[i].name,entry->name) == 0) break;
 		i++;
 	}
 
@@ -422,7 +422,6 @@
 
 	fontmap_data->FD.FI = 0;
 
-	if (API->flags & WMF_OPT_SYS_FONTS)
 	{	if (API->flags & WMF_OPT_SYS_FONTMAP)
 		{	wmf_ipa_font_map_xml (API,&(fontmap_data->FD),options->sys_fontmap_file);
 		}

-----------------------------------------------------------------------------

Security Fix (CVE-2006-3376)

Integer overflow allowing remote attackers to execute arbitrary code
via the MaxRecordSize header field in a WMF file.

Index: src/player.c
--- src/player.c.orig	2002-12-10 20:30:26 +0100
+++ src/player.c	2006-11-04 19:50:32 +0100
@@ -132,6 +132,14 @@
 		}
 	}
 
+#define WMF_SIZE_MAX ((size_t)(~((size_t)0))) /* portable version of SIZE_MAX */
+	if (MAX_REC_SIZE(API) > WMF_SIZE_MAX / 2)
+	{
+		API->err = wmf_E_InsMem;
+		WMF_DEBUG (API,"bailing...");
+		return (API->err);
+	}
+
 /*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
  */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));