Browse code
bb #6712: safer SWF tag length handling
David Raynor authored on 2013/02/05 06:32:50Showing 1 changed files
| ... | ... |
@@ -205,7 +205,7 @@ static int scancws(cli_ctx *ctx, struct swf_file_hdr *hdr) |
| 205 | 205 |
} while(zret == Z_OK); |
| 206 | 206 |
|
| 207 | 207 |
if((zret != Z_STREAM_END && zret != Z_OK) || (zret = inflateEnd(&stream)) != Z_OK) {
|
| 208 |
- cli_errmsg("scancws: Error decompressing SWF file\n");
|
|
| 208 |
+ cli_infomsg(ctx, "scancws: Error decompressing SWF file\n"); |
|
| 209 | 209 |
close(fd); |
| 210 | 210 |
if(cli_unlink(tmpname)) {
|
| 211 | 211 |
free(tmpname); |
| ... | ... |
@@ -246,7 +246,8 @@ int cli_scanswf(cli_ctx *ctx) |
| 246 | 246 |
unsigned int bitpos, bitbuf, getbits_n, nbits, getword_1, getword_2, getdword_1, getdword_2; |
| 247 | 247 |
const char *pt; |
| 248 | 248 |
char get_c; |
| 249 |
- unsigned int val, foo, offset = 0, tag_hdr, tag_type, tag_len; |
|
| 249 |
+ size_t offset = 0; |
|
| 250 |
+ unsigned int val, foo, tag_hdr, tag_type, tag_len; |
|
| 250 | 251 |
unsigned long int bits; |
| 251 | 252 |
|
| 252 | 253 |
cli_dbgmsg("in cli_scanswf()\n");
|
| ... | ... |
@@ -294,6 +295,14 @@ int cli_scanswf(cli_ctx *ctx) |
| 294 | 294 |
pt = tagname(tag_type); |
| 295 | 295 |
cli_dbgmsg("SWF: %s\n", pt ? pt : "UNKNOWN TAG");
|
| 296 | 296 |
cli_dbgmsg("SWF: Tag length: %u\n", tag_len);
|
| 297 |
+ if (tag_len > map->len) {
|
|
| 298 |
+ cli_warnmsg("SWF: Invalid tag length.\n");
|
|
| 299 |
+ return CL_EFORMAT; |
|
| 300 |
+ } |
|
| 301 |
+ if ((offset + tag_len) < offset) {
|
|
| 302 |
+ cli_warnmsg("SWF: Tag length too large.\n");
|
|
| 303 |
+ break; |
|
| 304 |
+ } |
|
| 297 | 305 |
if(!pt) {
|
| 298 | 306 |
offset += tag_len; |
| 299 | 307 |
continue; |