...
|
...
|
@@ -205,7 +205,7 @@ static int scancws(cli_ctx *ctx, struct swf_file_hdr *hdr)
|
205
|
205
|
} while(zret == Z_OK);
|
206
|
206
|
|
207
|
207
|
if((zret != Z_STREAM_END && zret != Z_OK) || (zret = inflateEnd(&stream)) != Z_OK) {
|
208
|
|
- cli_errmsg("scancws: Error decompressing SWF file\n");
|
|
208
|
+ cli_infomsg(ctx, "scancws: Error decompressing SWF file\n");
|
209
|
209
|
close(fd);
|
210
|
210
|
if(cli_unlink(tmpname)) {
|
211
|
211
|
free(tmpname);
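Review bot: In the failure branch of `scancws`, the `||` short-circuits when `inflate` has already failed, so `inflateEnd(&stream)` is never evaluated. Unless the stream is released in the part of the branch that lies outside this hunk, the zlib state leaks on exactly the malformed files this path exists to handle. Releasing it once before the test avoids that: `int endret = inflateEnd(&stream);` followed by `if((zret != Z_STREAM_END && zret != Z_OK) || endret != Z_OK) {`. A short comment on why the message was lowered to `cli_infomsg` (a bad input file, not an engine fault) would also help the next reader.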
|
...
|
...
|
@@ -246,7 +246,8 @@ int cli_scanswf(cli_ctx *ctx)
|
246
|
246
|
unsigned int bitpos, bitbuf, getbits_n, nbits, getword_1, getword_2, getdword_1, getdword_2;
|
247
|
247
|
const char *pt;
|
248
|
248
|
char get_c;
|
249
|
|
- unsigned int val, foo, offset = 0, tag_hdr, tag_type, tag_len;
|
|
249
|
+ size_t offset = 0;
|
|
250
|
+ unsigned int val, foo, tag_hdr, tag_type, tag_len;
|
250
|
251
|
unsigned long int bits;
|
251
|
252
|
|
252
|
253
|
cli_dbgmsg("in cli_scanswf()\n");
|
...
|
...
|
@@ -294,6 +295,14 @@ int cli_scanswf(cli_ctx *ctx)
|
294
|
294
|
pt = tagname(tag_type);
|
295
|
295
|
cli_dbgmsg("SWF: %s\n", pt ? pt : "UNKNOWN TAG");
|
296
|
296
|
cli_dbgmsg("SWF: Tag length: %u\n", tag_len);
|
|
297
|
+ if (tag_len > map->len) {
|
|
298
|
+ cli_warnmsg("SWF: Invalid tag length.\n");
|
|
299
|
+ return CL_EFORMAT;
|
|
300
|
+ }
|
|
301
|
+ if ((offset + tag_len) < offset) {
|
|
302
|
+ cli_warnmsg("SWF: Tag length too large.\n");
|
|
303
|
+ break;
|
|
304
|
+ }
|
297
|
305
|
if(!pt) {
|
298
|
306
|
offset += tag_len;
|
299
|
307
|
continue;
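Review bot: The added checks compare `tag_len` with the whole of `map->len` and test `offset + tag_len` for wrap-around, but neither verifies that the tag fits in the bytes remaining after `offset`, so `offset += tag_len` just below can still move past the end of the map for a crafted length. Because `offset` is now `size_t` and `tag_len` is `unsigned int`, the wrap test can only fire where `size_t` is 32 bits wide. A single remaining-bytes test would cover both cases: `if (offset > map->len || tag_len > map->len - offset) {`. The two failures are also handled differently (`return CL_EFORMAT` versus `break`); whether the early return skips cleanup cannot be judged here, because the loop and the rest of `cli_scanswf` lie outside the hunk.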
|