Browse code
Bug #521, #368
| ... | ... |
@@ -942,8 +942,8 @@ static int add_vm_code(unpack_data_t *unpack_data, unsigned int first_byte, |
| 942 | 942 |
} |
| 943 | 943 |
if (new_filter) {
|
| 944 | 944 |
vm_codesize = rarvm_read_data(&rarvm_input); |
| 945 |
- if (vm_codesize >= 0x1000 || vm_codesize == 0) {
|
|
| 946 |
- cli_dbgmsg("ERROR: vm_codesize=0x%x\n", vm_codesize);
|
|
| 945 |
+ if (vm_codesize >= 0x1000 || vm_codesize == 0 || (vm_codesize > rarvm_input.buf_size)) {
|
|
| 946 |
+ cli_dbgmsg("ERROR: vm_codesize=0x%x buf_size=0x%x\n", vm_codesize, rarvm_input.buf_size);
|
|
| 947 | 947 |
return FALSE; |
| 948 | 948 |
} |
| 949 | 949 |
vm_code = (unsigned char *) cli_malloc(vm_codesize); |
| ... | ... |
@@ -1015,6 +1015,10 @@ static int add_vm_code(unpack_data_t *unpack_data, unsigned int first_byte, |
| 1015 | 1015 |
} |
| 1016 | 1016 |
global_data = &stack_filter->prg.global_data[VM_FIXEDGLOBALSIZE]; |
| 1017 | 1017 |
for (i=0 ; i< data_size ; i++) {
|
| 1018 |
+ if ((rarvm_input.in_addr+2) > rarvm_input.buf_size) {
|
|
| 1019 |
+ cli_dbgmsg("Buffer truncated\n");
|
|
| 1020 |
+ return FALSE; |
|
| 1021 |
+ } |
|
| 1018 | 1022 |
global_data[i] = rarvm_getbits(&rarvm_input) >> 8; |
| 1019 | 1023 |
rar_dbgmsg("global_data[%d] = %d\n", i, global_data[i]);
|
| 1020 | 1024 |
rarvm_addbits(&rarvm_input, 8); |