Annotation of /trunk/libwmf/patches/libwmf-0.2.8.4-CVE-2016-9011.patch
Parent Directory
| 
Revision Log
Revision 2938 -
(hide annotations)
(download)
Tue May 30 10:46:40 2017 UTC (7 years ago) by niro
File size: 1122 byte(s)
Tue May 30 10:46:40 2017 UTC (7 years ago) by niro
File size: 1122 byte(s)
-added a bunch of security patches
| 1 | niro | 2938 | --- libwmf-0.2.8.4/src/player.c |
| 2 | +++ libwmf-0.2.8.4/src/player.c | ||
| 3 | @@ -139,8 +139,31 @@ | ||
| 4 | WMF_DEBUG (API,"bailing..."); | ||
| 5 | return (API->err); | ||
| 6 | } | ||
| 7 | - | ||
| 8 | - P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); | ||
| 9 | + | ||
| 10 | + U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char); | ||
| 11 | + if (nMaxRecordSize) | ||
| 12 | + { | ||
| 13 | + //before allocating memory do a sanity check on size by seeking | ||
| 14 | + //to claimed end to see if its possible. We're constrained here | ||
| 15 | + //by the api and existing implementations to not simply seeking | ||
| 16 | + //to SEEK_END. So use what we have to skip to the last byte and | ||
| 17 | + //try and read it. | ||
| 18 | + const long nPos = WMF_TELL (API); | ||
| 19 | + WMF_SEEK (API, nPos + nMaxRecordSize - 1); | ||
| 20 | + if (ERR (API)) | ||
| 21 | + { WMF_DEBUG (API,"bailing..."); | ||
| 22 | + return (API->err); | ||
| 23 | + } | ||
| 24 | + int byte = WMF_READ (API); | ||
| 25 | + if (byte == (-1)) | ||
| 26 | + { WMF_ERROR (API,"Unexpected EOF!"); | ||
| 27 | + API->err = wmf_E_EOF; | ||
| 28 | + return (API->err); | ||
| 29 | + } | ||
| 30 | + WMF_SEEK (API, nPos); | ||
| 31 | + } | ||
| 32 | + | ||
| 33 | + P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize); | ||
| 34 | |||
| 35 | if (ERR (API)) | ||
| 36 | { WMF_DEBUG (API,"bailing..."); |