35 lines
1.5 KiB
Plaintext
35 lines
1.5 KiB
Plaintext
$OpenBSD: patch-src_load_med_cpp,v 1.1 2011/05/05 21:25:48 jasper Exp $
|
|
|
|
Fixed various possible integer overflows in CSoundFile::ReadMed()
|
|
From upstream git: ce87da55599421e851a5b13492b753defba17349
|
|
|
|
--- src/load_med.cpp.orig Mon May 11 10:21:30 2009
|
|
+++ src/load_med.cpp Thu May 5 23:21:15 2011
|
|
@@ -664,7 +664,7 @@ BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD d
|
|
const MMD2PLAYSEQ *pmps = (MMD2PLAYSEQ *)(lpStream + pseq);
|
|
if (!m_szNames[0][0]) memcpy(m_szNames[0], pmps->name, 31);
|
|
UINT n = bswapBE16(pmps->length);
|
|
- if (pseq+n <= dwMemLength)
|
|
+ if (n < (dwMemLength - (pseq + sizeof(*pmps)) + sizeof(pmps->seq)) / sizeof(pmps->seq[0]))
|
|
{
|
|
for (UINT i=0; i<n; i++)
|
|
{
|
|
@@ -745,7 +745,7 @@ BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD d
|
|
DWORD trktagofs = bswapBE32(ptrktags[i]);
|
|
if (trktagofs)
|
|
{
|
|
- while (trktagofs+8 < dwMemLength)
|
|
+ while (trktagofs < dwMemLength - 8)
|
|
{
|
|
DWORD ntag = bswapBE32(*(DWORD *)(lpStream + trktagofs));
|
|
if (ntag == MMDTAG_END) break;
|
|
@@ -758,7 +758,7 @@ BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD d
|
|
trktagofs += 8;
|
|
}
|
|
if (trknamelen > MAX_CHANNELNAME) trknamelen = MAX_CHANNELNAME;
|
|
- if ((trknameofs) && (trknameofs + trknamelen < dwMemLength))
|
|
+ if ((trknameofs) && (trknamelen < dwMemLength) && (trknameofs < dwMemLength - trknamelen))
|
|
{
|
|
lstrcpyn(ChnSettings[i].szName, (LPCSTR)(lpStream+trknameofs), MAX_CHANNELNAME);
|
|
ChnSettings[i].szName[MAX_CHANNELNAME-1] = '\0';
|