Added safety check for Compressed RTF Streams
You could potentially overflow the input pointer.

in response to #34
Yeraze committed Feb 25, 2017
1 parent a34760f commit 22f8346
Showing 2 changed files with 2 additions and 1 deletion.
1 change: 1 addition & 0 deletions ChangeLog
@@ -3,6 +3,7 @@ v1.9.2 - February 23, 2017
Thanks to @hannob for finding some Out-of-bound exceptions in memory handline.
* [SECURITY] An invalid memory access (heap overrun) in handling LONG datatypes
* [SECURITY] Missing a check for fields of size 0
* [SECURITY] Potential buffer overrun on incoming Compressed RTF Streams

This version & the previous 1.9.1 resolves the following CVEs:
* CVE-2017-6306
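Review bot: the new entry is added under the existing `v1.9.2 - February 23, 2017` heading, but this commit is dated February 25, 2017; if 1.9.2 was already tagged on the 23rd, this fix belongs under a new version entry (or the heading's date needs updating) so the ChangeLog matches what actually shipped. While touching this block, the context line above has a typo: `memory handline` should read `memory handling`.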
2 changes: 1 addition & 1 deletion lib/ytnef.c
@@ -1541,7 +1541,7 @@ BYTE *DecompressRTF(variableLength *p, int *size) {
ALLOCCHECK_CHAR(dst);
memcpy(dst, comp_Prebuf.data, comp_Prebuf.size);
out = comp_Prebuf.size;
while (out < (comp_Prebuf.size + uncompressedSize)) {
while ((out < (comp_Prebuf.size + uncompressedSize)) && (in < p->size)) {
// each flag byte flags 8 literals/references, 1 per bit
flags = (flagCount++ % 8 == 0) ? src[in++] : flags >> 1;
if ((flags & 1) == 1) { // each flag bit is 1 for reference, 0 for literal
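Review bot: the added `in < p->size` guard in the `while` condition only covers the `src[in++]` read of the flag byte at the top of each iteration; as the comment says, each flag bit then consumes a literal or a reference from `src` inside the loop body (not shown in this hunk), and those reads advance `in` beyond the index that was just checked. Each of those body reads needs its own check that the remaining input (`p->size - in`) is large enough for what is about to be read, rather than relying on the once-per-iteration check at the loop head. It would also help to record when the loop exits because `in` reached `p->size` before `out` reached `comp_Prebuf.size + uncompressedSize`, so the caller can tell a truncated or malformed stream from a complete decompression instead of silently getting a shorter result.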
