git-svn: trunk@3074
Trog authored on 2007/05/29 17:54:20... | ... |
@@ -942,8 +942,8 @@ static int add_vm_code(unpack_data_t *unpack_data, unsigned int first_byte, |
942 | 942 |
} |
943 | 943 |
if (new_filter) { |
944 | 944 |
vm_codesize = rarvm_read_data(&rarvm_input); |
945 |
- if (vm_codesize >= 0x1000 || vm_codesize == 0) { |
|
946 |
- cli_dbgmsg("ERROR: vm_codesize=0x%x\n", vm_codesize); |
|
945 |
+ if (vm_codesize >= 0x1000 || vm_codesize == 0 || (vm_codesize > rarvm_input.buf_size)) { |
|
946 |
+ cli_dbgmsg("ERROR: vm_codesize=0x%x buf_size=0x%x\n", vm_codesize, rarvm_input.buf_size); |
|
947 | 947 |
return FALSE; |
948 | 948 |
} |
949 | 949 |
vm_code = (unsigned char *) cli_malloc(vm_codesize); |
@@ -1015,6 +1015,10 @@ static int add_vm_code(unpack_data_t *unpack_data, unsigned int first_byte, |
1015 | 1015 |
} |
1016 | 1016 |
global_data = &stack_filter->prg.global_data[VM_FIXEDGLOBALSIZE]; |
1017 | 1017 |
for (i=0 ; i< data_size ; i++) { |
1018 |
+ if ((rarvm_input.in_addr+2) > rarvm_input.buf_size) { |
|
1019 |
+ cli_dbgmsg("Buffer truncated\n"); |
|
1020 |
+ return FALSE; |
|
1021 |
+ } |
|
1018 | 1022 |
global_data[i] = rarvm_getbits(&rarvm_input) >> 8; |
1019 | 1023 |
rar_dbgmsg("global_data[%d] = %d\n", i, global_data[i]); |
1020 | 1024 |
rarvm_addbits(&rarvm_input, 8); |