[libgsf] ole: fuzzed file fix re properties



commit 8050e14920903d414e9bc8643ea7a92c694b3565
Author: Morten Welinder <terra gnome org>
Date:   Thu Jun 11 20:36:34 2015 -0400

    ole: fuzzed file fix re properties

 ChangeLog             |    5 +++++
 NEWS                  |    2 +-
 gsf/gsf-msole-utils.c |    7 +++++--
 3 files changed, 11 insertions(+), 3 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index ef8d9dc..11fd92c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-11  Morten Welinder  <terra gnome org>
+
+       * gsf/gsf-msole-utils.c (msole_prop_read): Fuzzed file fix.
+       Fixes #750809.
+
 2015-05-15  Morten Welinder  <terra gnome org>
 
        * gsf/gsf-outfile-zip.c (zip_dirent_write): Fix portability issue.
diff --git a/NEWS b/NEWS
index ea7cb8f..e6ce7dc 100644
--- a/NEWS
+++ b/NEWS
@@ -2,7 +2,7 @@ libgsf 1.14.34
 
 Morten:
        * Fix OLE2 property parsing problem.  [#748528]
-       * Fuzzed file fixes.  [#749120] [#749169] [#749183]
+       * Fuzzed file fixes.  [#749120] [#749169] [#749183] [#750809]
 
 --------------------------------------------------------------------------
 libgsf 1.14.33
diff --git a/gsf/gsf-msole-utils.c b/gsf/gsf-msole-utils.c
index ea0c620..8f74c08 100644
--- a/gsf/gsf-msole-utils.c
+++ b/gsf/gsf-msole-utils.c
@@ -1006,6 +1006,7 @@ msole_prop_read (GsfInput *in,
                gsize gslen;
                char *name;
                guint8 const *start = data;
+               guint8 const *end = start + (size - 4);
 
                g_return_val_if_fail (section->dict == NULL, FALSE);
 
@@ -1015,12 +1016,14 @@ msole_prop_read (GsfInput *in,
 
                d ({ g_print ("Dictionary = \n"); gsf_mem_dump (data-4, size); });
                n = type;
-               for (j = 0 ; j < n ; j++) {
+               for (j = 0; j < n; j++) {
+                       g_return_val_if_fail (end - data >= 8, FALSE);
+
                        id = GSF_LE_GET_GUINT32 (data);
                        len = GSF_LE_GET_GUINT32 (data + 4);
 
                        g_return_val_if_fail (len < 0x10000, FALSE);
-                       g_return_val_if_fail (len <= size - (data - start), FALSE);
+                       g_return_val_if_fail (len <= end - data + 8, FALSE);
 
                        gslen = 0;
                        name = g_convert_with_iconv (data + 8,
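Review bot: The replacement bound `g_return_val_if_fail (len <= end - data + 8, FALSE);` appears to allow 16 more bytes than the payload holds: the name is read from `data + 8` on the following line, so the bytes available to it are `end - (data + 8)`, and the guard should read `g_return_val_if_fail (len <= end - data - 8, FALSE);`. As written it is even 4 bytes looser than the check it replaces, since with `end = start + (size - 4)` the old `size - (data - start)` equals `end - data + 4`, so a crafted `len` up to 16 bytes beyond the end passes both guards and the conversion call reads past the property block. The multiplier applied to `len` in the g_convert_with_iconv call and the way `data` is advanced afterwards are outside the hunk, so the exact overread size cannot be confirmed here, but nothing between the guard and the read re-checks it. msole_prop_read begins before and continues after this hunk.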

