42 lines
1.4 KiB
Diff
42 lines
1.4 KiB
Diff
From c4d4e047862649a75f6dba905c613aff0df81309 Mon Sep 17 00:00:00 2001
|
|
From: Konstanty Bialkowski <konstanty@ieee.org>
|
|
Date: Wed, 14 Aug 2013 14:15:27 +1000
|
|
Subject: [PATCH] CVE-2013-4233 Fix
|
|
|
|
Integer overflow in j variable
|
|
|
|
-- reported by Florian "Agix" Gaultier
|
|
---
|
|
libmodplug/src/load_abc.cpp | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp
|
|
index 9f4b328..ecb7b62 100644
|
|
--- a/libmodplug/src/load_abc.cpp
|
|
+++ b/libmodplug/src/load_abc.cpp
|
|
@@ -1814,7 +1814,7 @@ static int abc_extract_tempo(const char *p, int invoice)
|
|
|
|
static void abc_set_parts(char **d, char *p)
|
|
{
|
|
- int i,j,k,m,n;
|
|
+ int i,j,k,m,n,size;
|
|
char *q;
|
|
#ifdef NEWMIKMOD
|
|
static MM_ALLOC *h;
|
|
@@ -1852,10 +1852,11 @@ static void abc_set_parts(char **d, char *p)
|
|
i += n-1;
|
|
}
|
|
}
|
|
- q = (char *)_mm_calloc(h, j+1, sizeof(char)); // enough storage for the worst case
|
|
+ size = (j + 1) > 0 ? j+1 : j;
|
|
+ q = (char *)_mm_calloc(h, size, sizeof(char)); // enough storage for the worst case
|
|
// now copy bytes from p to *d, taking parens and digits in account
|
|
j = 0;
|
|
- for( i=0; p[i] && p[i] != '%'; i++ ) {
|
|
+ for( i=0; p[i] && p[i] != '%' && j < size; i++ ) {
|
|
if( isdigit(p[i]) || isupper(p[i]) || p[i] == '(' || p[i] == ')' ) {
|
|
if( p[i] == ')' ) {
|
|
for( n=j; n > 0 && q[n-1] != '('; n-- ) ; // find open paren in q
|
|
--
|
|
1.8.4
|