From 3120f1cdae0c5232a4fb15e5ce42b8c455b43379 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Thu, 25 Jan 2018 10:33:06 +0100
Subject: [PATCH 27/29] Fix NULL pointer deref in outputSWF_TEXT_RECORD

In outputSWF_TEXT_RECORD, the array offset is stored in a signed int, while (&(trec->GlyphEntries[i]))->GlyphIndex[0] returns an unsigned 32 bit number. This may lead to an integer overflow when reading the offset from the GlyphIndex array, and further to a buffer overflow when doing buffer[i]=fi->fontcodeptr[off] with negative off. In this commit, we change the type of off to unsigned long so we are guaranteed to be able to store 32 unsigned integers. This commit fixes CVE-2018-6315 (fixes #101).
---
 util/outputscript.c | 2 +-
 1 file changed, 1 insertions(+), 1 deletion(-)

diff --git a/util/outputscript.c b/util/outputscript.c
index ee168744..f90e5e76 100644
--- a/util/outputscript.c
+++ b/util/outputscript.c
@@ -1439,7 +1439,7 @@ outputSWF_TEXT_RECORD (SWF_TEXTRECORD *trec, int level,char *tname,char *buffer,
 fip_current=fi; /* set current font */
 for(i=0;i<trec->GlyphCount && i<bsize-1 ;i++) /* byte n-1 will be terminator '\0' */
 {
- int off=(&(trec->GlyphEntries[i]))->GlyphIndex[0];
+ unsigned long off=(&(trec->GlyphEntries[i]))->GlyphIndex[0];
 if (off<fi->fontcodearrsize)
 buffer[i]=fi->fontcodeptr[off];
 else

-- 
2.14.3
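Review bot: The bounds check `if (off<fi->fontcodearrsize)` on the line after the changed one still compares `off` against a field whose type is not visible in this hunk; if `fontcodearrsize` is a signed `int`, the comparison is now mixed-signedness and a negative size would be converted to a huge unsigned value and pass the check, so the type or non-negativity of `fontcodearrsize` should be confirmed at the declaration. Since `off` is used only as an array index, `size_t off = trec->GlyphEntries[i].GlyphIndex[0];` states the intent more directly than `unsigned long` and drops the `(&(x[i]))->` indirection, which is plain `x[i].`. The commit title says NULL pointer deref while the description and the code describe an out-of-bounds read of `fontcodeptr`; a one-line comment above the check such as `/* GlyphIndex is unsigned 32-bit; keep off unsigned so a large index cannot become a negative array offset */` would record why the type matters. The body of outputSWF_TEXT_RECORD begins and ends outside this hunk, so whether `fi` is checked for NULL before the dereference cannot be seen here.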