18 lines
637 B
Plaintext
18 lines
637 B
Plaintext
Prevent overflow of atPPSlist[].szName[] (CVE-2014-8123)
|
|
http://seclists.org/oss-sec/2014/q4/870
|
|
|
|
--- wordole.c.orig Fri Aug 26 20:49:57 2005
|
|
+++ wordole.c Mon Dec 1 17:06:15 2014
|
|
@@ -259,6 +259,11 @@ bGetPPS(FILE *pFile,
|
|
}
|
|
tNameSize = (size_t)usGetWord(0x40, aucBytes);
|
|
tNameSize = (tNameSize + 1) / 2;
|
|
+ if (tNameSize >= sizeof(atPPSlist[0].szName)) {
|
|
+ werr(0, "PPS %d appears to be invalid.", iIndex);
|
|
+ atPPSlist = xfree(atPPSlist);
|
|
+ return FALSE;
|
|
+ }
|
|
vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
|
|
atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes);
|
|
if (atPPSlist[iIndex].ucType == 5) {
|