Sophie

ming-0.4.5-14.1.mga6.src.rpm

From 2027b24f403a859016a70bbdc79a8da1d6f128eb Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Fri, 6 Oct 2017 08:59:32 +0200
Subject: [PATCH 13/29] Fix various overflows in OpCode and readBytes

* OpCode: Add a check to avoid reading the stack when n < 1

    In this case, print a debug warning and return error code -998

* readBytes: When size < 0, set it to zero (don't read anything)

This commit fixes CVE-2017-11728 (Fixes #82), CVE-2017-11729 (Fixes #79),
CVE-2017-11730 (Fixes #81) and CVE-2017-11731 (Fixes #84).
---
 util/decompile.c | 8 +++++++-
 util/read.c      | 8 ++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/util/decompile.c b/util/decompile.c
index 60785e29..1c58c8d9 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -864,7 +864,13 @@ static inline int OpCode(SWF_ACTION *actions, int n, int maxn)
 		SWF_warn("OpCode: want %i, max %i\n", n, maxn);
 #endif
 		return -999;
-	}
+	} else if (n < 1) {
+
+#if DEBUG
+		SWF_warn("OpCode: want %i < 1\n", n);
+#endif
+		return -998;
+        }
 	return actions[n].SWF_ACTIONRECORD.ActionCode;
 }
 
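Review bot: the new `else if (n < 1)` branch in OpCode also rejects n == 0, which is a valid index for `actions[n]`. If only negative indices are out of bounds, the test should be `n < 0`. If index 0 is deliberately excluded, a short comment saying why would help, since the commit message only mentions "n < 1" without explaining it. The sentinel returns -998 and -999 share the int return with real ActionCode values, so named constants would make caller checks easier to audit. Minor style point: the closing brace of the new branch is indented with spaces while the surrounding code uses tabs, and the blank line after the `else if` line can go.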
diff --git a/util/read.c b/util/read.c
index 1cd0a0f8..97e78d9e 100644
--- a/util/read.c
+++ b/util/read.c
@@ -226,6 +226,14 @@ float readFloat(FILE *f)
 
 char *readBytes(FILE *f,int size)
 {
+
+  if (size < 1) {
+#if DEBUG
+    SWF_warn("readBytes: want to read %i < 1 bytes: Handling a 0\n", size);
+#endif
+    size = 0;
+  }
+
   int i;
   char *buf;
 
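Review bot: clamping a negative `size` to 0 at the top of readBytes and carrying on hides the malformed length from the caller, which still receives a buffer pointer and has no signal that nothing was read. The rest of the function is not visible in this hunk, so please confirm that the zero-length allocation and read path is safe and that callers do not index into the returned buffer using their original length. Returning an error (for example NULL) on `size < 0` would be easier to reason about. The test `size < 1` also emits the debug warning for a legitimate size of 0, so `size < 0` looks like the intended condition. The new block sits before the `int i;` and `char *buf;` declarations, which mixes statements and declarations; moving it below them keeps the file buildable under stricter C89 settings. The warning text "Handling a 0" probably means "Handling as 0".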
-- 
2.14.3