Contents of /trunk/libwmf/patches/libwmf-0.2.8.4-CVE-2016-9011.patch
Parent Directory
| 
Revision Log
Revision 2938 -
(show annotations)
(download)
Tue May 30 10:46:40 2017 UTC (6 years, 11 months ago) by niro
File size: 1122 byte(s)
Tue May 30 10:46:40 2017 UTC (6 years, 11 months ago) by niro
File size: 1122 byte(s)
-added a bunch of security patches
| 1 | --- libwmf-0.2.8.4/src/player.c |
| 2 | +++ libwmf-0.2.8.4/src/player.c |
| 3 | @@ -139,8 +139,31 @@ |
| 4 | WMF_DEBUG (API,"bailing..."); |
| 5 | return (API->err); |
| 6 | } |
| 7 | - |
| 8 | - P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); |
| 9 | + |
| 10 | + U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char); |
| 11 | + if (nMaxRecordSize) |
| 12 | + { |
| 13 | + //before allocating memory do a sanity check on size by seeking |
| 14 | + //to claimed end to see if its possible. We're constrained here |
| 15 | + //by the api and existing implementations to not simply seeking |
| 16 | + //to SEEK_END. So use what we have to skip to the last byte and |
| 17 | + //try and read it. |
| 18 | + const long nPos = WMF_TELL (API); |
| 19 | + WMF_SEEK (API, nPos + nMaxRecordSize - 1); |
| 20 | + if (ERR (API)) |
| 21 | + { WMF_DEBUG (API,"bailing..."); |
| 22 | + return (API->err); |
| 23 | + } |
| 24 | + int byte = WMF_READ (API); |
| 25 | + if (byte == (-1)) |
| 26 | + { WMF_ERROR (API,"Unexpected EOF!"); |
| 27 | + API->err = wmf_E_EOF; |
| 28 | + return (API->err); |
| 29 | + } |
| 30 | + WMF_SEEK (API, nPos); |
| 31 | + } |
| 32 | + |
| 33 | + P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize); |
| 34 | |
| 35 | if (ERR (API)) |
| 36 | { WMF_DEBUG (API,"bailing..."); |