Browse code
fix end of buffer calculation (bb#464, patch from aCaB)
| ... | ... |
@@ -1,3 +1,7 @@ |
| 1 |
+Tue May 29 21:28:40 CEST 2007 (tk) |
|
| 2 |
+---------------------------------- |
|
| 3 |
+ * libclamav/unsp.c: fix end of buffer calculation (bb#464, patch from aCaB) |
|
| 4 |
+ |
|
| 1 | 5 |
Tue May 29 21:21:09 CEST 2007 (tk) |
| 2 | 6 |
---------------------------------- |
| 3 | 7 |
* libclamav/others.c: use strict permissions (0600) for temporary files |
| ... | ... |
@@ -151,7 +151,11 @@ uint32_t unspack(char *start_of_stuff, char *dest, cli_ctx *ctx, uint32_t rva, u |
| 151 | 151 |
|
| 152 | 152 |
dsize = cli_readint32(start_of_stuff+9); |
| 153 | 153 |
ssize = cli_readint32(start_of_stuff+5); |
| 154 |
- |
|
| 154 |
+ if (ssize <= 13) {
|
|
| 155 |
+ free(table); |
|
| 156 |
+ return 1 |
|
| 157 |
+ } |
|
| 158 |
+ |
|
| 155 | 159 |
tre = very_real_unpack(table,tablesz,tre,allocsz,firstbyte,src,ssize,dst,dsize); |
| 156 | 160 |
free(table); |
| 157 | 161 |
if (tre) return 1; |
| ... | ... |
@@ -194,7 +198,7 @@ uint32_t very_real_unpack(uint16_t *table, uint32_t tablesz, uint32_t tre, uint3 |
| 194 | 194 |
read_struct.oldval = 0; |
| 195 | 195 |
read_struct.src_curr = src; |
| 196 | 196 |
read_struct.bitmap = 0xffffffff; |
| 197 |
- read_struct.src_end = src + ssize; |
|
| 197 |
+ read_struct.src_end = src + ssize - 13; |
|
| 198 | 198 |
read_struct.table = (char *)table; |
| 199 | 199 |
read_struct.tablesz = tablesz; |
| 200 | 200 |
|