2 files changed +2
-1
lines changed Original file line number Diff line number Diff line change @@ -3,6 +3,7 @@ v1.9.2 - February 23, 2017
33Thanks to @hannob for finding some Out-of-bound exceptions in memory handline.
44* [SECURITY] An invalid memory access (heap overrun) in handling LONG datatypes
55* [SECURITY] Missing a check for fields of size 0
6+ * [SECURITY] Potential buffer overrun on incoming Compressed RTF Streams
67
78This version & the previous 1.9.1 resolves the following CVEs:
89* CVE-2017-6306
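Review bot: the added ChangeLog line says "Potential buffer overrun on incoming Compressed RTF Streams", but it names neither the function nor the direction of the overrun. The accompanying code change bounds the read index against the input length (`in < p->size`) in `DecompressRTF`, so wording such as "out-of-bounds read of the compressed input in DecompressRTF" would tell packagers more precisely what was fixed. The entry is also placed under the existing "v1.9.2 - February 23, 2017" heading; if that version has already been tagged, the fix belongs under a new version heading so downstream users can tell which release carries it. If an identifier is assigned for this issue, it should be added to the CVE list just below.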
Original file line number Diff line number Diff line change @@ -1541,7 +1541,7 @@ BYTE *DecompressRTF(variableLength *p, int *size) {
15411541 ALLOCCHECK_CHAR (dst );
15421542 memcpy (dst , comp_Prebuf .data , comp_Prebuf .size );
15431543 out = comp_Prebuf .size ;
1544- while (out < (comp_Prebuf .size + uncompressedSize )) {
1544+ while (( out < (comp_Prebuf .size + uncompressedSize )) && ( in < p -> size )) {
15451545 // each flag byte flags 8 literals/references, 1 per bit
15461546 flags = (flagCount ++ % 8 == 0 ) ? src [in ++ ] : flags >> 1 ;
15471547 if ((flags & 1 ) == 1 ) { // each flag bit is 1 for reference, 0 for literal
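Review bot: the new `in < p->size` test in the `while` condition is only evaluated once per iteration, yet the first statement of the body already consumes a byte with `src[in++]` when a new flag byte is due. After that read `in` can equal `p->size`, and whatever the reference and literal branches below read from `src` in the same iteration is not covered by the loop condition; each of those reads needs its own bound check (for a multi-byte read, against `p->size` minus the number of bytes needed) before indexing `src`. Second point: when the loop now exits because the input ran out, `out` is still short of `comp_Prebuf.size + uncompressedSize`. It would be safer to test for that after the loop and treat the stream as malformed (free `dst` and return an error) rather than hand back a partly filled buffer with the full size reported in `*size`.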