ming-0.4.5-14.1.mga6.src.rpm

From 1f5976337d2cf02d5f709cb1d0dac479976e5f94 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Fri, 6 Oct 2017 13:35:33 +0200
Subject: [PATCH 15/29] Fix heap buffer overflow in decompileCALLFUNCTION

Make sure that n > 0 before checking for the previous action in the
actions array, otherwise an overflow may occur.

This commit fixes CVE-2017-11734 (fixes #83).
---
 util/decompile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/decompile.c b/util/decompile.c
index 1c58c8d9..5f52d768 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -2873,7 +2873,7 @@ decompileCALLFUNCTION(int n, SWF_ACTION *actions, int maxn)
 	struct SWF_ACTIONPUSHPARAM *meth, *nparam;
 
 	SanityCheck(SWF_CALLMETHOD,
-		actions[n-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_PUSH,
+		n > 0 && actions[n-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_PUSH,
 		"CALLMETHOD not preceeded by PUSH")
 
 	meth=pop();
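Review bot: The SanityCheck in decompileCALLFUNCTION still passes SWF_CALLMETHOD and the message "CALLMETHOD not preceeded by PUSH", so a failure caused by the new `n > 0` guard will be reported against the wrong action; consider naming the call-function action in both and fixing the "preceeded" spelling while this line is being touched. The guard itself is correct and relies on `&&` short-circuiting so that `actions[n-1]` is never evaluated when n is 0, which would otherwise read one element before the start of the array. Note that when n is 0 the message will still claim a missing PUSH, although the real condition is that there is no previous action at all; a separate message for that case would make malformed-input reports easier to triage.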
-- 
2.14.3