aboutsummaryrefslogblamecommitdiffstats
path: root/main/antiword/CVE-2014-8123.patch
blob: 48a752bb644fa9608bc79f69e2989e7db773e489 (plain) (tree)



























                                                                            
From a17e48746d7203f91a2c3bb1cdcbe9023c8d37a0 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk () fabiankeil de>
Date: Tue, 25 Nov 2014 18:58:52 +0100
Subject: [PATCH] bGetPPS(): Prevent overflow of atPPSlist[].szName[]

---
 wordole.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/wordole.c b/wordole.c
index 8a95fb9..7797d1f 100644
--- a/wordole.c
+++ b/wordole.c
@@ -259,6 +259,11 @@ bGetPPS(FILE *pFile,
 		}
 		tNameSize = (size_t)usGetWord(0x40, aucBytes);
 		tNameSize = (tNameSize + 1) / 2;
+		if (tNameSize >= sizeof(atPPSlist[0].szName)) {
+			werr(0, "PPS %d appears to be invalid.", iIndex);
+			atPPSlist = xfree(atPPSlist);
+			return FALSE;
+		}
 		vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
 		atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes);
 		if (atPPSlist[iIndex].ucType == 5) {
-- 
2.1.2