From 447821c5cf76f6abfb2d3a397b5983417f29ee9b Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Wed, 11 Oct 2017 16:16:31 +0200
Subject: [PATCH 16/29] Avoid NULL pointer dereference in util/parser.c.

Make sure that nsset->NS isn't dereferenced if malloc failed. In this case, report error and abort. This commit fixes CVE-2017-9988 (fixes #85).
---
 util/parser.c | 4 ++++
 1 files changed, 4 insertions(+)

diff --git a/util/parser.c b/util/parser.c
index 6a70bb0c..1dcc9e76 100644
--- a/util/parser.c
+++ b/util/parser.c
@@ -3079,6 +3079,10 @@ void parseABC_NS_SET_INFO(struct ABC_NS_SET_INFO *nsset, FILE *f)
 int i;
 nsset->Count = readEncUInt30(f);
 nsset->NS = malloc(sizeof(U30) * nsset->Count);
+ if (nsset->NS == NULL) {
+ SWF_error("parseABC_NS_SET_INFO: Failed to allocate %lu bytes", sizeof(U30) * nsset->Count);
+ return;
+ }
 for(i = 0; i < nsset->Count; i++)
 nsset->NS[i] = readEncUInt30(f);
 }
-- 
2.14.3
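Review bot: On the added `return;` path `nsset->Count` keeps the value read from the file while `nsset->NS` is NULL, so the structure is left inconsistent. If `SWF_error` can return (its definition is not visible in this hunk), a later consumer that walks `NS` up to `Count` would hit the same dereference this commit fixes, so I would add `nsset->Count = 0;` before `return;`. The check also reports a failure for an empty set on platforms where `malloc(0)` returns NULL; `if (nsset->Count != 0 && nsset->NS == NULL)` avoids that. Separately, `sizeof(U30) * nsset->Count` is a `size_t` but is printed with `%lu`; use `%zu` or cast the argument to `(unsigned long)`. The function's opening lines are outside the hunk, so this assumes nothing earlier in the body already bounds `Count`.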