[libgsf] vba: catch lookback beyond buffer.



commit ce4348f632622a5064c5e4df7adb7ee3e669a405
Author: Morten Welinder <terra gnome org>
Date:   Sat Nov 1 13:24:15 2014 -0400

    vba: catch lookback beyond buffer.
    
    The buffer is used in a wrap-around way, but we should not allow lookbacks
    to go beyond the initial window.

 ChangeLog             |    3 +++
 gsf/gsf-msole-utils.c |    5 +++++
 2 files changed, 8 insertions(+), 0 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index 1dd525a..f1e3a91 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2014-11-01  Morten Welinder  <terra gnome org>
 
+       * gsf/gsf-msole-utils.c (gsf_msole_inflate): Don't place
+       uninitialized values into the output even for corrupted files.
+
        * gsf/gsf-input-memory.c (gsf_input_mmap_new): Plug leak.
 
        * gsf/gsf-infile-msvba.c (vba_dir_read): Plug leak.
diff --git a/gsf/gsf-msole-utils.c b/gsf/gsf-msole-utils.c
index 562d6ab..0ff5b8c 100644
--- a/gsf/gsf-msole-utils.c
+++ b/gsf/gsf-msole-utils.c
@@ -2524,6 +2524,11 @@ gsf_msole_inflate (GsfInput *input, gsf_off_t offset)
 /*                             fprintf (stderr, "Shift %d, token len %d, distance %d bytes %.2x %.2x\n",
                                shift, len, distance, (token & 0xff), (token >> 8)); */
 
+                               if (distance >= pos) {
+                                       g_warning ("Corrupted compressed stream");
+                                       break;
+                               }
+
                                for (i = 0; i < len; i++) {
                                        unsigned srcpos = (pos - distance - 1) % VBA_COMPRESSION_WINDOW;
                                        guint8 c = buffer [srcpos];
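Review bot: The new `break` leaves only the innermost enclosing loop, and since gsf_msole_inflate's body starts and ends outside this hunk it is not visible whether the outer decode loop then stops or keeps consuming tokens after a corrupted stream has been detected; that should be confirmed, and if the outer loop continues, a flag or explicit return is needed so partially decoded output is not treated as valid. The guard itself deserves a why-comment so the next reader does not weaken it: `/* A lookback reaching before the start of the output would copy bytes of the window that were never written. */`. The types of `distance` and `pos` are not shown in the hunk; if either is signed, the `>=` comparison should be re-checked against negative values, since `pos - distance - 1` is later used as an unsigned index.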

