author
Mickey Sola
committed
Fix potential out-of-bounds (OOB) window write when unpacking CHM files
1 parent 7e83eea commit a837736

2 files changed

+14
-3
lines changed

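--- a/libclamav/libmspack-0.5alpha/mspack/lzxd.c
+++ b/libclamav/libmspack-0.5alpha/mspack/lzxd.c
@@ -766,8 +766,13 @@ int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) {
 case LZX_BLOCKTYPE_UNCOMPRESSED:
 /* as this_run is limited not to wrap a frame, this also means it
 * won't wrap the window (as the window is a multiple of 32k) */
+if (window_posn + this_run > lzx->window_size) {
+D(("match ran over window boundary"))
+return lzx->error = MSPACK_ERR_DECRUNCH;
+}
 rundest = &window[window_posn];
 window_posn += this_run;
+
 while (this_run > 0) {
 if ((i = i_end - i_ptr) == 0) {
 READ_IF_NEEDED;
@@ -888,8 +893,10 @@ void lzxd_free(struct lzxd_stream *lzx) {
 struct mspack_system *sys;
 if (lzx) {
 sys = lzx->sys;
-sys->free(lzx->inbuf);
-sys->free(lzx->window);
+if(lzx->inbuf)
+sys->free(lzx->inbuf);
+if(lzx->window)
+sys->free(lzx->window);
 sys->free(lzx);
 }
 }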
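Review bot: The comment kept at old lines 767-768 still asserts that this_run "won't wrap the window", which the new guard placed directly beneath it exists to refute; left as is, the next maintainer may read the check as dead code and remove it, so rewrite it to something like `/* this_run is limited not to wrap a frame, but a corrupt block length can still push it past the window, so bound it explicitly */`. The comparison `window_posn + this_run > lzx->window_size` is only sound if the sum cannot wrap; the declarations of window_posn and this_run are outside this hunk, so if this_run is a signed int (or either operand can approach the type's maximum) the safer form is `this_run > lzx->window_size - window_posn`, which presumes window_posn never exceeds window_size — worth confirming against the rest of the function. The debug text "match ran over window boundary" appears borrowed from the match-copy path, whereas this is the uncompressed-block path, so `D(("uncompressed run ran over window boundary"))` would read correctly in a trace. lzxd_decompress starts and ends outside the hunk.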

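--- a/libclamav/libmspack.c
+++ b/libclamav/libmspack.c
@@ -264,7 +264,11 @@ static void *mspack_fmap_alloc(struct mspack_system *self, size_t num)
 
 static void mspack_fmap_free(void *mem)
 {
-free(mem);
+if(mem) {
+free(mem);
+mem = NULL;
+}
+return;
 }
 
 static void mspack_fmap_copy(void *src, void *dst, size_t num)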
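Review bot: `mem = NULL;` in mspack_fmap_free assigns to the function's own copy of the pointer and has no effect on the caller's variable, so it prevents neither a double free nor a use-after-free through the original pointer and may mislead a reader into believing it does. The `if(mem)` guard is likewise redundant because free(NULL) is a defined no-op, and the trailing `return;` in a void function adds nothing. I would reduce the body to `free(mem); /* free(NULL) is a no-op; the caller still owns and must clear its own pointer */`, keeping the `void (*)(void *)` signature unchanged since it presumably fills a callback slot in the mspack_system table that mspack_fmap_alloc above also serves. If clearing the caller's pointer was the intent, that has to happen at the call sites, as this interface offers no `void **` to write through.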
