Sophie

ming-0.4.5-14.1.mga6.src.rpm

From f3a66c6479d1191734b5ab57d5d7e0bd7525b1a7 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 20 Nov 2017 10:48:36 +0100
Subject: [PATCH 22/29] Fix NULL pointer deref in outputSWF_TEXT_RECORD

fip and fip_current are static pointers to a linked list containing
font information. This list and the two pointers are initialized and
filled by saveFontInfo() (called by the outputSWF_DEFINEFONTxxxx()
functions when defining new fonts).

In the case where no font is defined, saveFontInfo() is never called
and the two list pointers are NULL.

This situation may trigger a NULL pointer dereference in
outputSWF_TEXT_RECORD. In this patch, we check for !fip_current
before dereferencing it. In the == NULL case, we print a warning and
continue.

This commit addresses CVE-2017-16883 (fixes #77).
---
 util/outputscript.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/util/outputscript.c b/util/outputscript.c
index 8479ab6a..ee168744 100644
--- a/util/outputscript.c
+++ b/util/outputscript.c
@@ -1426,7 +1426,11 @@ outputSWF_TEXT_RECORD (SWF_TEXTRECORD *trec, int level,char *tname,char *buffer,
   if (!trec->StyleFlagHasFont)				/* always check flag before use data */
   {
    fi = fip_current;					/* so cont w current font */
-   id = fi->fontcodeID;					/* trigger next if */
+
+   if (!fi)
+      SWF_warn("outputSWF_TEXT_RECORD: can't process text record: fonts information list is NULL\n");
+   else
+      id = fi->fontcodeID;					/* trigger next if */
   }
   while (fi)
   {
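Review bot: in the new `if (!fi)` branch `id` is never assigned, so after the warning the function falls through with `id` still holding whatever value it had before; the dereference itself is avoided only because the following `while (fi)` loop is skipped when `fi` is NULL. An explicit `return` right after the `SWF_warn(...)` call (or initializing `id` together with `fi`) would make the "record skipped" behaviour explicit and keep any later read of `id` from seeing an unset value. Also note that the guard covers only the `!trec->StyleFlagHasFont` branch visible in this hunk; the path for records that do set the flag and look the font up by ID is outside the hunk and should be confirmed to tolerate an empty list as well.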
-- 
2.14.3