[libgsf] msvba: fuzzed file fix.



commit 6ebf8e029f3bfddc4264b1251da03505baab88f3
Author: Morten Welinder <terra gnome org>
Date:   Sat May 9 16:13:38 2015 -0400

    msvba: fuzzed file fix.
    
    Don't cascade errors (and crash on top of that).

 ChangeLog              |    1 +
 NEWS                   |    2 +-
 gsf/gsf-infile-msvba.c |   13 +++++++------
 3 files changed, 9 insertions(+), 7 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index 0212d59..e657b54 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 2015-05-09  Morten Welinder  <terra gnome org>
 
        * gsf/gsf-infile-msvba.c (vba_dir_read): Free only once.
+       (gsf_vba_inflate): Don't crash after error.  [#749169]
 
 2015-04-27  Morten Welinder  <terra gnome org>
 
diff --git a/NEWS b/NEWS
index c286009..7e4ef03 100644
--- a/NEWS
+++ b/NEWS
@@ -2,7 +2,7 @@ libgsf 1.14.34
 
 Morten:
        * Fix OLE2 property parsing problem.  [#748528]
-       * Fuzzed file fix.  [#749120]
+       * Fuzzed file fixes.  [#749120] [#749169]
 
 --------------------------------------------------------------------------
 libgsf 1.14.33
diff --git a/gsf/gsf-infile-msvba.c b/gsf/gsf-infile-msvba.c
index 9c8656c..6dbdea0 100644
--- a/gsf/gsf-infile-msvba.c
+++ b/gsf/gsf-infile-msvba.c
@@ -78,7 +78,6 @@ gsf_vba_inflate (GsfInput *input, gsf_off_t offset, int *size, gboolean add_null
        while (offset < length) {
                GsfInput *chunk;
                guint16 chunk_hdr;
-               GByteArray *tmpres;
                guint8 const *tmp;
 
                tmp = gsf_input_read (input, 2, NULL);
@@ -102,11 +101,13 @@ gsf_vba_inflate (GsfInput *input, gsf_off_t offset, int *size, gboolean add_null
                                offset += 4094;
                        }
                }
-               tmpres = gsf_msole_inflate (chunk, 0);
-               gsf_input_seek (input, offset, G_SEEK_CUR);
-               g_byte_array_append (res, tmpres->data, tmpres->len);
-               g_byte_array_free (tmpres, TRUE);
-               g_object_unref (chunk);
+               if (chunk) {
+                       GByteArray *tmpres = gsf_msole_inflate (chunk, 0);
+                       gsf_input_seek (input, offset, G_SEEK_CUR);
+                       g_byte_array_append (res, tmpres->data, tmpres->len);
+                       g_byte_array_free (tmpres, TRUE);
+                       g_object_unref (chunk);
+               }
        }
        
        if (res == NULL)
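Review bot: The new `if (chunk)` guard stops the NULL-chunk crash, but `tmpres` from `gsf_msole_inflate (chunk, 0)` is still dereferenced on the next line without a check; if that helper can return NULL (it appears to when its initial seek fails), a fuzzed chunk that passes the outer guard reaches `tmpres->data` and crashes the same way the commit set out to fix. The fix is to guard the append as well: `if (tmpres) { g_byte_array_append (res, tmpres->data, tmpres->len); g_byte_array_free (tmpres, TRUE); }`, keeping the seek and the `g_object_unref (chunk)` outside that inner guard so the chunk is released either way. A one-line comment on the guard, `/* chunk is NULL when the chunk header was rejected above; skip it instead of cascading */`, would make the intent of the silent skip clear to the next reader. The body of gsf_vba_inflate starts and ends outside this hunk, so whether `offset` always advances when a chunk is skipped cannot be confirmed here and is worth checking so a rejected chunk cannot keep the `while (offset < length)` loop spinning.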

