Browse code
fix boundary checks
| ... | ... |
@@ -1,3 +1,7 @@ |
| 1 |
+Thu Nov 3 22:36:11 CET 2005 (tk) |
|
| 2 |
+--------------------------------- |
|
| 3 |
+ * libclamav/petite.c: fix boundary checks, patch by aCaB |
|
| 4 |
+ |
|
| 1 | 5 |
Thu Nov 3 22:33:20 CET 2005 (tk) |
| 2 | 6 |
--------------------------------- |
| 3 | 7 |
* libclamav/fsg.c: fix buffer size calculation in unfsg_133 |
| ... | ... |
@@ -258,7 +258,7 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 258 | 258 |
ssrc = adjbuf + cli_readint32(packed+4) - (size-1)*4; |
| 259 | 259 |
ddst = adjbuf + cli_readint32(packed+8) - (size-1)*4; |
| 260 | 260 |
|
| 261 |
- if ( ssrc < buf || ssrc + size*4 >= buf + bufsz || ddst < buf || ddst + size*4 >= buf + bufsz ) {
|
|
| 261 |
+ if ( ssrc < buf || size*4 >= buf + bufsz - ssrc || ddst < buf || size*4 >= buf + bufsz - ddst ) {
|
|
| 262 | 262 |
if (usects) |
| 263 | 263 |
free(usects); |
| 264 | 264 |
return -1; |
| ... | ... |
@@ -437,7 +437,7 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 437 | 437 |
} |
| 438 | 438 |
backsize+=addsize; |
| 439 | 439 |
size-=backsize; |
| 440 |
- if ( ddst<buf || ddst+backsize>=buf+bufsz || ddst+backbytes<buf || ddst+backbytes+backsize>=buf+bufsz ) {
|
|
| 440 |
+ if(backsize < 0 || backbytes >= 0 || (buf - ddst > backbytes - backsize) || (ddst - buf >= bufsz - backsize)) {
|
|
| 441 | 441 |
free(usects); |
| 442 | 442 |
return -1; |
| 443 | 443 |
} |