Blame antiword-bGetPPS-Prevent-buffer-overflow-of-atPPSlist-_szName.diff
|
 |
6d3ae14 |
From a17e48746d7203f91a2c3bb1cdcbe9023c8d37a0 Mon Sep 17 00:00:00 2001
|
|
|
6d3ae14 |
From: Fabian Keil <fk () fabiankeil de>
|
|
|
6d3ae14 |
Date: Tue, 25 Nov 2014 18:58:52 +0100
|
|
|
6d3ae14 |
Subject: [PATCH] bGetPPS(): Prevent overflow of atPPSlist[].szName[]
|
|
|
6d3ae14 |
|
|
|
6d3ae14 |
---
|
|
|
6d3ae14 |
wordole.c | 5 +++++
|
|
|
6d3ae14 |
1 file changed, 5 insertions(+)
|
|
|
6d3ae14 |
|
|
|
6d3ae14 |
diff --git a/wordole.c b/wordole.c
|
|
|
6d3ae14 |
index 8a95fb9..7797d1f 100644
|
|
|
6d3ae14 |
--- a/wordole.c
|
|
|
6d3ae14 |
+++ b/wordole.c
|
|
|
6d3ae14 |
@@ -259,6 +259,11 @@ bGetPPS(FILE *pFile,
|
|
|
6d3ae14 |
}
|
|
|
6d3ae14 |
tNameSize = (size_t)usGetWord(0x40, aucBytes);
|
|
|
6d3ae14 |
tNameSize = (tNameSize + 1) / 2;
|
|
|
6d3ae14 |
+ if (tNameSize >= sizeof(atPPSlist[0].szName)) {
|
|
|
6d3ae14 |
+ werr(0, "PPS %d appears to be invalid.", iIndex);
|
|
|
6d3ae14 |
+ atPPSlist = xfree(atPPSlist);
|
|
|
6d3ae14 |
+ return FALSE;
|
|
|
6d3ae14 |
+ }
|
|
|
6d3ae14 |
vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
|
|
|
6d3ae14 |
atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes);
|
|
|
6d3ae14 |
if (atPPSlist[iIndex].ucType == 5) {
|
|
|
6d3ae14 |
--
|
|
|
6d3ae14 |
2.1.2
|
|
|
6d3ae14 |
|