From a83773682e856ad6529ba6db8d1792e6d515d7f1 Mon Sep 17 00:00:00 2001
From: Mickey Sola <msola@sourcefire.com>
Date: Wed, 29 Mar 2017 14:55:26 -0400
Subject: [PATCH] fixing potential OOB window write when unpacking chm files

---
 libclamav/libmspack-0.5alpha/mspack/lzxd.c | 11 +++++++++--
 libclamav/libmspack.c                      |  6 +++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/libclamav/libmspack-0.5alpha/mspack/lzxd.c b/libclamav/libmspack-0.5alpha/mspack/lzxd.c
index 2281e7b9d..45105a583 100644
--- a/mspack/lzxd.c
+++ b/mspack/lzxd.c
@@ -766,8 +766,13 @@ int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) {
       case LZX_BLOCKTYPE_UNCOMPRESSED:
 	/* as this_run is limited not to wrap a frame, this also means it
 	 * won't wrap the window (as the window is a multiple of 32k) */
+        if (window_posn + this_run > lzx->window_size) {
+                D(("match ran over window boundary"))
+                return lzx->error = MSPACK_ERR_DECRUNCH;
+        }
 	rundest = &window[window_posn];
 	window_posn += this_run;
+
 	while (this_run > 0) {
 	  if ((i = i_end - i_ptr) == 0) {
 	    READ_IF_NEEDED;
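Review bot: The comment kept just above the new guard still asserts that this_run "won't wrap the window", which the guard now treats as untrusted, so the two read as contradicting each other; amend the comment to say the check is a defensive bound on attacker-controlled lengths, e.g. `/* this_run should already be frame-bounded; reject anyway so a malformed stream can never write past window_size */`. The diagnostic `D(("match ran over window boundary"))` is also misleading here, since this branch copies an uncompressed run rather than a match — `D(("uncompressed run ran over window boundary"))` would be accurate. The added lines use space indentation where the surrounding code uses tabs. The check itself looks right: it rejects exactly the runs whose last byte index would reach window_size, and the enclosing lzxd_decompress body extends outside the hunk in both directions, so I cannot confirm from here that this_run is non-negative at this point.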
@@ -888,8 +893,10 @@ void lzxd_free(struct lzxd_stream *lzx) {
   struct mspack_system *sys;
   if (lzx) {
     sys = lzx->sys;
-    sys->free(lzx->inbuf);
-    sys->free(lzx->window);
+    if(lzx->inbuf)
+        sys->free(lzx->inbuf);
+    if(lzx->window)
+        sys->free(lzx->window);
     sys->free(lzx);
   }
 }
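Review bot: The new NULL guards in lzxd_free carry no explanation of when inbuf or window can be NULL, which a later reader will need in order to keep the guards; presumably this covers a lzxd_stream whose initialisation failed part-way, so a comment such as `/* inbuf/window may be NULL if allocation failed during init; not every mspack_system free() tolerates NULL */` would record the reason (hedged, since the init path is outside the hunk). The guards also do not match the file's style: the surrounding code writes `if (` with a space and two-space indentation, while the added lines use `if(` and eight spaces, so `if (lzx->inbuf) sys->free(lzx->inbuf);` on the existing indent would read consistently.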