29 lines
842 B
Diff
29 lines
842 B
Diff
From a17e48746d7203f91a2c3bb1cdcbe9023c8d37a0 Mon Sep 17 00:00:00 2001
|
|
From: Fabian Keil <fk () fabiankeil de>
|
|
Date: Tue, 25 Nov 2014 18:58:52 +0100
|
|
Subject: [PATCH] bGetPPS(): Prevent overflow of atPPSlist[].szName[]
|
|
|
|
---
|
|
wordole.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/wordole.c b/wordole.c
|
|
index 8a95fb9..7797d1f 100644
|
|
--- a/wordole.c
|
|
+++ b/wordole.c
|
|
@@ -259,6 +259,11 @@ bGetPPS(FILE *pFile,
|
|
}
|
|
tNameSize = (size_t)usGetWord(0x40, aucBytes);
|
|
tNameSize = (tNameSize + 1) / 2;
|
|
+ if (tNameSize >= sizeof(atPPSlist[0].szName)) {
|
|
+ werr(0, "PPS %d appears to be invalid.", iIndex);
|
|
+ atPPSlist = xfree(atPPSlist);
|
|
+ return FALSE;
|
|
+ }
|
|
vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
|
|
atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes);
|
|
if (atPPSlist[iIndex].ucType == 5) {
|
|
--
|
|
2.1.2
|
|
|