git-svn: trunk@1741
Tomasz Kojm authored on 2005/11/04 06:37:32... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Thu Nov 3 22:36:11 CET 2005 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * libclamav/petite.c: fix boundary checks, patch by aCaB |
|
4 |
+ |
|
1 | 5 |
Thu Nov 3 22:33:20 CET 2005 (tk) |
2 | 6 |
--------------------------------- |
3 | 7 |
* libclamav/fsg.c: fix buffer size calculation in unfsg_133 |
... | ... |
@@ -258,7 +258,7 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
258 | 258 |
ssrc = adjbuf + cli_readint32(packed+4) - (size-1)*4; |
259 | 259 |
ddst = adjbuf + cli_readint32(packed+8) - (size-1)*4; |
260 | 260 |
|
261 |
- if ( ssrc < buf || ssrc + size*4 >= buf + bufsz || ddst < buf || ddst + size*4 >= buf + bufsz ) { |
|
261 |
+ if ( ssrc < buf || size*4 >= buf + bufsz - ssrc || ddst < buf || size*4 >= buf + bufsz - ddst ) { |
|
262 | 262 |
if (usects) |
263 | 263 |
free(usects); |
264 | 264 |
return -1; |
... | ... |
@@ -437,7 +437,7 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
437 | 437 |
} |
438 | 438 |
backsize+=addsize; |
439 | 439 |
size-=backsize; |
440 |
- if ( ddst<buf || ddst+backsize>=buf+bufsz || ddst+backbytes<buf || ddst+backbytes+backsize>=buf+bufsz ) { |
|
440 |
+ if(backsize < 0 || backbytes >= 0 || (buf - ddst > backbytes - backsize) || (ddst - buf >= bufsz - backsize)) { |
|
441 | 441 |
free(usects); |
442 | 442 |
return -1; |
443 | 443 |
} |