
ming-0.4.5-14.1.mga6.src.rpm

From ea70414984f297958684acee0bb037ac11fb30b8 Mon Sep 17 00:00:00 2001
From: Sandro Santilli <strk@kbt.io>
Date: Tue, 21 Mar 2017 17:30:59 +0100
Subject: [PATCH] Fix heap overflows in parser.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Marcel Böhme

Closes https://github.com/libming/libming/issues/68
---
 util/parser.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/util/parser.c b/util/parser.c
index 96b1232..6a70bb0 100644
--- a/util/parser.c
+++ b/util/parser.c
@@ -439,6 +439,7 @@ parseSWF_FOCALGRADIENT (FILE * f, struct SWF_FOCALGRADIENT *gradient, int level)
   gradient->NumGradients = readBits (f, 4);
   if(gradient->NumGradients > 15) {
 	  fprintf(stderr, "%d gradients in SWF_FOCALGRADIENT, expected a max of 15\n", gradient->NumGradients );
+	  gradient->NumGradients = 15;
 	  /*exit(1);*/
   }
 
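Review bot: The clamp added in parseSWF_FOCALGRADIENT looks unreachable, because NumGradients comes from `readBits (f, 4)`, which presumably yields only 0–15, so `> 15` can never be true and this hunk adds no bound in practice. If the record array that this count later indexes holds fewer than 15 entries (its declaration and the loop are outside the hunk), the guard should compare against that capacity rather than the literal 15. The stale `/*exit(1);*/` could also be dropped here, as the other two hunks do.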
@@ -457,7 +458,7 @@ parseSWF_GRADIENT (FILE * f, struct SWF_GRADIENT *gradient, int level)
   gradient->NumGradients = readBits (f, 4);
   if((gradient->NumGradients > 8  && level < 4) || (gradient->NumGradients > 15  && level == 4)) {
 	  fprintf(stderr, "%d gradients in SWF_GRADiENT, expected a max of %d\n", gradient->NumGradients, level<4 ? 8 : 15 );
-	  /*exit(1);*/
+	  gradient->NumGradients = 8;
   }
 
   for (i = 0; i < gradient->NumGradients; i++)
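Review bot: The clamp in parseSWF_GRADIENT is hard-coded to 8 while the condition and the message both allow 15 at level 4; writing it as `gradient->NumGradients = level < 4 ? 8 : 15;` keeps the check, the message and the clamp in step. The result is the same today only because a 4-bit read presumably cannot exceed 15, so the level-4 branch never fires. The condition also tests `level == 4` rather than `level >= 4`, so a higher level would pass unchecked; that is worth confirming against the callers and the array size, neither of which is visible in this hunk.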
@@ -780,7 +781,7 @@ parseSWF_MORPHGRADIENT (FILE * f, struct SWF_MORPHGRADIENT *gradient)
   gradient->NumGradients = readUInt8 (f);
   if( gradient->NumGradients > 8 ) {
 	  fprintf(stderr, "%d gradients in SWF_MORPHGRADiENT, expected a max of 8", gradient->NumGradients);
-	  /*exit(1);*/
+	  gradient->NumGradients = 8;
   }
   for (i = 0; i < gradient->NumGradients; i++)
     parseSWF_MORPHGRADIENTRECORD (f, &(gradient->GradientRecords[i]));
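Review bot: Clamping NumGradients in parseSWF_MORPHGRADIENT stops the out-of-bounds writes into GradientRecords, but the records beyond the eighth are never consumed from `f`, so whatever is parsed next from this malformed file starts at the wrong offset. The same applies to the clamps in the two earlier hunks. If the function cannot report failure to its caller (its signature suggests a void-style parser, but the return type is outside the hunk), at least document the limitation above the assignment: `/* Malformed input: clamp to the array capacity; the extra records stay unread, so later fields may be misparsed. */`. The warning here also lacks the trailing `\n` that the other two messages have.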