Contents of /trunk/libwmf/patches/libwmf-0.2.8.4-CVE-2016-9011.patch
Parent Directory | Revision Log
Revision 2938 -
(show annotations)
(download)
Tue May 30 10:46:40 2017 UTC (7 years, 3 months ago) by niro
File size: 1122 byte(s)
Tue May 30 10:46:40 2017 UTC (7 years, 3 months ago) by niro
File size: 1122 byte(s)
-added a bunch of security patches
1 | --- libwmf-0.2.8.4/src/player.c |
2 | +++ libwmf-0.2.8.4/src/player.c |
3 | @@ -139,8 +139,31 @@ |
4 | WMF_DEBUG (API,"bailing..."); |
5 | return (API->err); |
6 | } |
7 | - |
8 | - P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); |
9 | + |
10 | + U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char); |
11 | + if (nMaxRecordSize) |
12 | + { |
13 | + //before allocating memory do a sanity check on size by seeking |
14 | + //to claimed end to see if its possible. We're constrained here |
15 | + //by the api and existing implementations to not simply seeking |
16 | + //to SEEK_END. So use what we have to skip to the last byte and |
17 | + //try and read it. |
18 | + const long nPos = WMF_TELL (API); |
19 | + WMF_SEEK (API, nPos + nMaxRecordSize - 1); |
20 | + if (ERR (API)) |
21 | + { WMF_DEBUG (API,"bailing..."); |
22 | + return (API->err); |
23 | + } |
24 | + int byte = WMF_READ (API); |
25 | + if (byte == (-1)) |
26 | + { WMF_ERROR (API,"Unexpected EOF!"); |
27 | + API->err = wmf_E_EOF; |
28 | + return (API->err); |
29 | + } |
30 | + WMF_SEEK (API, nPos); |
31 | + } |
32 | + |
33 | + P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize); |
34 | |
35 | if (ERR (API)) |
36 | { WMF_DEBUG (API,"bailing..."); |