ming-0.4.5-14.1.mga6.src.rpm

From 1a1d2704cb19f2d3299f042bb3a4783c960b0a9a Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Fri, 13 Oct 2017 11:07:17 +0200
Subject: [PATCH 17/29] Change type of size variable in readBytes

size should have type unsigned long instead of int in order
to avoid overflows and lossy casts when passing U30 integers.

This commit fixes CVE-2017-9989 (fixes #86).
---
 util/read.c | 6 +++---
 util/read.h | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/util/read.c b/util/read.c
index 97e78d9e..80399ca0 100644
--- a/util/read.c
+++ b/util/read.c
@@ -224,17 +224,17 @@ float readFloat(FILE *f)
 }
 
 
-char *readBytes(FILE *f,int size)
+char *readBytes(FILE *f, unsigned long size)
 {
 
   if (size < 1) {
 #if DEBUG
-    SWF_warn("readBytes: want to read %i < 1 bytes: Handling a 0\n", size);
+    SWF_warn("readBytes: want to read %lu < 1 bytes: Handling a 0\n", size);
 #endif
     size = 0;
   }
 
-  int i;
+  unsigned long i;
   char *buf;
 
   buf = (char *)malloc(sizeof(char)*size);
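Review bot: The `malloc(sizeof(char)*size)` call now accepts a file-supplied length across the whole `unsigned long` range, and nothing visible in the hunk bounds it or checks the returned pointer. I would add `if (buf == NULL) return NULL;` right after the allocation, provided callers tolerate a NULL return, and ideally reject a `size` larger than the bytes remaining in the input before allocating. With `size` unsigned, `if (size < 1)` is true only for 0, so the `size = 0;` assignment is a no-op and the "< 1" warning text is stale; `if (size == 0)` states the intent. The body of readBytes continues past the end of the hunk, so a check may already exist there.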
diff --git a/util/read.h b/util/read.h
index e8d485fd..70a47717 100644
--- a/util/read.h
+++ b/util/read.h
@@ -20,7 +20,7 @@ long readSInt32(FILE *f);
 unsigned long readEncUInt32(FILE *f);
 unsigned long readEncUInt30(FILE *f);
 long readEncSInt32(FILE *f);
-char *readBytes(FILE *f,int size);
+char *readBytes(FILE *f,unsigned long size);
 char *readString(FILE *f);
 char *readSizedString(FILE *f,int size);
 double readDouble(FILE *f);
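Review bot: The neighbouring prototype `char *readSizedString(FILE *f,int size);` still takes `int`, so it may carry the same lossy cast this commit removes from readBytes. That is only a problem if a caller passes it a value from `readEncUInt30` or `readEncUInt32`, which this hunk does not show. If so, the matching change would be `char *readSizedString(FILE *f, unsigned long size);` together with its definition in util/read.c. The new readBytes prototype also omits the space after the comma that the definition in read.c now has; this is cosmetic, but keeping the two identical makes grepping easier.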
-- 
2.14.3