1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
| | Fix CVE-2016-9011:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011
https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c/
Patch copied from Fedora:
https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=9a43f910abce9940f07843e7186646ad46b686d6
--- libwmf-0.2.8.4/src/player.c
+++ libwmf-0.2.8.4/src/player.c
@@ -139,8 +139,31 @@
WMF_DEBUG (API,"bailing...");
return (API->err);
}
-
- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
+ if (nMaxRecordSize)
+ {
+ //before allocating memory do a sanity check on size by seeking
+ //to claimed end to see if its possible. We're constrained here
+ //by the api and existing implementations to not simply seeking
+ //to SEEK_END. So use what we have to skip to the last byte and
+ //try and read it.
+ const long nPos = WMF_TELL (API);
+ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+ int byte = WMF_READ (API);
+ if (byte == (-1))
+ { WMF_ERROR (API,"Unexpected EOF!");
+ API->err = wmf_E_EOF;
+ return (API->err);
+ }
+ WMF_SEEK (API, nPos);
+ }
+
+ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
if (ERR (API))
{ WMF_DEBUG (API,"bailing...");
|