Annotation of /trunk/libwmf/patches/libwmf-0.2.8.4-CVE-2016-9011.patch
Parent Directory
|
Revision Log
Revision 2938 -
(hide annotations)
(download)
Tue May 30 10:46:40 2017 UTC (7 years ago) by niro
File size: 1122 byte(s)
Tue May 30 10:46:40 2017 UTC (7 years ago) by niro
File size: 1122 byte(s)
-added a bunch of security patches
1 | niro | 2938 | --- libwmf-0.2.8.4/src/player.c |
2 | +++ libwmf-0.2.8.4/src/player.c | ||
3 | @@ -139,8 +139,31 @@ | ||
4 | WMF_DEBUG (API,"bailing..."); | ||
5 | return (API->err); | ||
6 | } | ||
7 | - | ||
8 | - P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); | ||
9 | + | ||
10 | + U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char); | ||
11 | + if (nMaxRecordSize) | ||
12 | + { | ||
13 | + //before allocating memory do a sanity check on size by seeking | ||
14 | + //to claimed end to see if its possible. We're constrained here | ||
15 | + //by the api and existing implementations to not simply seeking | ||
16 | + //to SEEK_END. So use what we have to skip to the last byte and | ||
17 | + //try and read it. | ||
18 | + const long nPos = WMF_TELL (API); | ||
19 | + WMF_SEEK (API, nPos + nMaxRecordSize - 1); | ||
20 | + if (ERR (API)) | ||
21 | + { WMF_DEBUG (API,"bailing..."); | ||
22 | + return (API->err); | ||
23 | + } | ||
24 | + int byte = WMF_READ (API); | ||
25 | + if (byte == (-1)) | ||
26 | + { WMF_ERROR (API,"Unexpected EOF!"); | ||
27 | + API->err = wmf_E_EOF; | ||
28 | + return (API->err); | ||
29 | + } | ||
30 | + WMF_SEEK (API, nPos); | ||
31 | + } | ||
32 | + | ||
33 | + P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize); | ||
34 | |||
35 | if (ERR (API)) | ||
36 | { WMF_DEBUG (API,"bailing..."); |