44 lines
1.4 KiB
Diff
44 lines
1.4 KiB
Diff
diff -ru libwmf-0.2.8.4.orig/src/player.c libwmf-0.2.8.4/src/player.c
|
|
--- libwmf-0.2.8.4.orig/src/player.c 2002-12-10 19:30:26.000000000 +0000
|
|
+++ libwmf-0.2.8.4/src/player.c 2006-07-11 10:27:19.000000000 +0100
|
|
@@ -42,6 +42,7 @@
|
|
#include "player/defaults.h" /* Provides: default settings */
|
|
#include "player/record.h" /* Provides: parameter mechanism */
|
|
#include "player/meta.h" /* Provides: record interpreters */
|
|
+#include <stdint.h>
|
|
|
|
/**
|
|
* @internal
|
|
@@ -124,7 +125,14 @@
|
|
}
|
|
|
|
if (API->File->wmfheader->NumOfObjects > 0)
|
|
- { P->objects = (wmfObject*) wmf_malloc (API,NUM_OBJECTS (API) * sizeof (wmfObject));
|
|
+ {
|
|
+ if (NUM_OBJECTS(API) > SIZE_MAX / sizeof (wmfObject))
|
|
+ {
|
|
+ WMF_DEBUG (API,"bailing...");
|
|
+ return (wmf_E_InsMem);
|
|
+ }
|
|
+
|
|
+ P->objects = (wmfObject*) wmf_malloc (API,NUM_OBJECTS (API) * sizeof (wmfObject));
|
|
|
|
if (ERR (API))
|
|
{ WMF_DEBUG (API,"bailing...");
|
|
@@ -132,8 +140,13 @@
|
|
}
|
|
}
|
|
|
|
-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
|
|
- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
|
|
+ if (MAX_REC_SIZE(API) > SIZE_MAX / 2)
|
|
+ {
|
|
+ WMF_DEBUG (API,"bailing...");
|
|
+ return (wmf_E_InsMem);
|
|
+ }
|
|
+
|
|
+ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2);
|
|
|
|
if (ERR (API))
|
|
{ WMF_DEBUG (API,"bailing...");
|