Browse code
fuzz - 12528 - fixing left shift issue with OLE2 and utf16 to ascii decoding
Mickey Sola authored on 2019/01/24 05:58:49Showing 2 changed files
| ... | ... |
@@ -399,9 +399,14 @@ ole2_read_block(ole2_header_t * hdr, void *buff, unsigned int size, int32_t bloc |
| 399 | 399 |
return FALSE; |
| 400 | 400 |
} |
| 401 | 401 |
/* other methods: (blockno+1) * 512 or (blockno * block_size) + 512; */ |
| 402 |
+ if ((uint64_t) blockno << hdr->log2_big_block_size < INT32_MAX) {
|
|
| 402 | 403 |
offset = (blockno << hdr->log2_big_block_size) + MAX(512, 1 << hdr->log2_big_block_size); /* 512 is header size */ |
| 403 |
- |
|
| 404 | 404 |
offend = offset + size; |
| 405 |
+ } else {
|
|
| 406 |
+ offset = INT32_MAX - size; |
|
| 407 |
+ offend = INT32_MAX; |
|
| 408 |
+ } |
|
| 409 |
+ |
|
| 405 | 410 |
if ((offend <= 0) || (offset < 0) || (offset >= hdr->m_length)) {
|
| 406 | 411 |
return FALSE; |
| 407 | 412 |
} else if (offend > hdr->m_length) {
|
| ... | ... |
@@ -268,7 +268,7 @@ char *cli_utf16toascii(const char *str, unsigned int length) |
| 268 | 268 |
return NULL; |
| 269 | 269 |
|
| 270 | 270 |
for(i = 0, j = 0; i < length; i += 2, j++) {
|
| 271 |
- decoded[j] = str[i + 1] << 4; |
|
| 271 |
+ decoded[j] = ((unsigned char) str[i + 1]) << 4; |
|
| 272 | 272 |
decoded[j] += str[i]; |
| 273 | 273 |
} |
| 274 | 274 |
|