From a17e48746d7203f91a2c3bb1cdcbe9023c8d37a0 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk () fabiankeil de>
Date: Tue, 25 Nov 2014 18:58:52 +0100
Subject: [PATCH] bGetPPS(): Prevent overflow of atPPSlist[].szName[]
---
wordole.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/wordole.c b/wordole.c
index 8a95fb9..7797d1f 100644
--- a/wordole.c
+++ b/wordole.c
@@ -259,6 +259,11 @@ bGetPPS(FILE *pFile,
}
tNameSize = (size_t)usGetWord(0x40, aucBytes);
tNameSize = (tNameSize + 1) / 2;
+ if (tNameSize >= sizeof(atPPSlist[0].szName)) {
+ werr(0, "PPS %d appears to be invalid.", iIndex);
+ atPPSlist = xfree(atPPSlist);
+ return FALSE;
+ }
vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes);
if (atPPSlist[iIndex].ucType == 5) {
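Review bot: The new guard `if (tNameSize >= sizeof(atPPSlist[0].szName))` uses `>=` rather than `>` without saying why, and the reason is not visible in the hunk; presumably vName2String() writes a terminator at `szName[tNameSize]`, so the last byte has to stay free. A one-line comment above the check would keep a later edit from relaxing it, for example `/* tNameSize is taken from aucBytes (word at 0x40); >= leaves room for the terminating NUL */`. It is also worth confirming that vName2String() reads no more than `2 * tNameSize` bytes of `aucBytes`, since its body is outside the visible lines and the check bounds only the destination. bGetPPS() starts and ends outside the hunk.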
--
2.1.2