From f3a66c6479d1191734b5ab57d5d7e0bd7525b1a7 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 20 Nov 2017 10:48:36 +0100
Subject: [PATCH 22/29] Fix NULL pointer deref in outputSWF_TEXT_RECORD

fip and fip_current are static pointers to a linked list containing fonts information. This list and the two pointers are initialized and filled by saveFontInfo() (called by the outputSWF_DEFINEFONTxxxx() functions when defining new fonts).

In the case where no font is defined, saveFontInfo() is never called and the two list pointers are NULL. This situation may trigger a NULL pointer dereference in outputSWF_TEXT_RECORD.

In this patch, we check for !fip_current before dereferencing it. In the == NULL case, we print a warning and continue.

This commit addresses CVE-2017-16883 (fixes #77).
---
 util/outputscript.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/util/outputscript.c b/util/outputscript.c
index 8479ab6a..ee168744 100644
--- a/util/outputscript.c
+++ b/util/outputscript.c
@@ -1426,7 +1426,11 @@ outputSWF_TEXT_RECORD (SWF_TEXTRECORD *trec, int level,char *tname,char *buffer,
 if (!trec->StyleFlagHasFont) /* always check flag before use data */
 {
 fi = fip_current; /* so cont w current font */
- id = fi->fontcodeID; /* trigger next if */
+
+ if (!fi)
+ SWF_warn("outputSWF_TEXT_RECORD: can't process text record: fonts information list is NULL\n");
+ else
+ id = fi->fontcodeID; /* trigger next if */
 }
 while (fi)
 {
-- 
2.14.3
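Review bot: The new `if (!fi)` branch leaves `id` unassigned, while the comment kept on the `else` line (`/* trigger next if */`) says that assignment is what drives the test that follows; if `id` is declared without an initializer (its declaration is outside this hunk) the warning path may fall into a later `if` that reads an indeterminate value and assumes a font was selected. Since the record cannot be processed at all without a font list, the safer shape is to leave the function right after `SWF_warn(...)` (its return type is not visible here) or, if the flow must continue, give `id` a defined sentinel in that branch and make sure the following test treats it as "no font". The same NULL-list condition can presumably also reach the `StyleFlagHasFont` lookup path, which sits outside the hunk and should be checked for the same dereference. As a point of style, the surrounding code braces its `if` bodies on their own lines, so the added `if (!fi) ... else ...` would read more consistently braced. outputSWF_TEXT_RECORD begins and ends outside this hunk.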