path: root/patches/source/libwmf/libwmf-0.2.8.4-CVE-2016-9011.patch
blob: c6bd017c2f8f4c5672ecbc8c7d1b292692a4c95a (plain)
--- libwmf-0.2.8.4/src/player.c
+++ libwmf-0.2.8.4/src/player.c
@@ -139,8 +139,31 @@
 		WMF_DEBUG (API,"bailing...");
 		return (API->err);
 	}
-	
- 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+
+	U32 nMaxRecordSize = (MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char);
+	if (nMaxRecordSize)
+	{
+		//before allocating memory do a sanity check on size by seeking
+		//to claimed end to see if its possible. We're constrained here
+		//by the api and existing implementations to not simply seeking
+		//to SEEK_END. So use what we have to skip to the last byte and
+		//try and read it.
+		const long nPos = WMF_TELL (API);
+		WMF_SEEK (API, nPos + nMaxRecordSize - 1);
+		if (ERR (API))
+		{	WMF_DEBUG (API,"bailing...");
+			return (API->err);
+		}
+		int byte = WMF_READ (API);
+		if (byte == (-1))
+		{	WMF_ERROR (API,"Unexpected EOF!");
+		       	API->err = wmf_E_EOF;
+		       	return (API->err);
+		}
+		WMF_SEEK (API, nPos);
+	}
+
+ 	P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
 
 	if (ERR (API))
 	{	WMF_DEBUG (API,"bailing...");
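Review bot: The offset handed to the first `WMF_SEEK` is computed as `nPos + nMaxRecordSize - 1` from a `long` and a `U32`, so where `long` is 32 bits a large claimed record size wraps or goes negative and the probe no longer tests the position the allocation depends on; the value returned by `WMF_TELL` is also used unchecked. A guard ahead of the seek, e.g. `if (nPos < 0 || nMaxRecordSize > (unsigned long) (LONG_MAX - nPos)) { API->err = wmf_E_EOF; return (API->err); }`, keeps the sanity check meaningful on those targets. The doubling in `MAX_REC_SIZE(API) * 2` also appears to happen in 32 bits (the macro's type is not visible here), so a header value of 2^31 or more would be probed and allocated at the wrapped size; it is worth confirming that later record reads are bounded by the same `nMaxRecordSize`. Separately, the declarations placed after statements and the `//` comments require C99, which may not match how the rest of player.c is built. The enclosing function begins and ends outside this hunk.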