Commit 22f8346

Added safety check for Compressed RTF Streams
You could potentially overflow the input pointer. In response to #34.
1 parent a34760f commit 22f8346

2 files changed

+2
-1
lines changed


Diff for: ChangeLog

+1
@@ -3,6 +3,7 @@ v1.9.2 - February 23, 2017
33
Thanks to @hannob for finding some Out-of-bound exceptions in memory handline.
44
* [SECURITY] An invalid memory access (heap overrun) in handling LONG datatypes
55
* [SECURITY] Missing a check for fields of size 0
6+
* [SECURITY] Potential buffer overrun on incoming Compressed RTF Streams
67

78
This version & the previous 1.9.1 resolves the following CVEs:
89
* CVE-2017-6306
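
Review bot: The new entry at line 6 is filed under the existing "v1.9.2 - February 23, 2017" heading and names neither issue #34 nor the function it concerns. If 1.9.2 has already been released, put the line under a new version heading so packagers can tell which release carries the fix; either way, mention `DecompressRTF` and #34 in the entry. The CVE list below the entry is unchanged, so it is worth stating whether this overrun falls under CVE-2017-6306 or has no identifier yet.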

Diff for: lib/ytnef.c

+1-1
@@ -1541,7 +1541,7 @@ BYTE *DecompressRTF(variableLength *p, int *size) {
15411541
ALLOCCHECK_CHAR(dst);
15421542
memcpy(dst, comp_Prebuf.data, comp_Prebuf.size);
15431543
out = comp_Prebuf.size;
1544-
while (out < (comp_Prebuf.size + uncompressedSize)) {
1544+
while ((out < (comp_Prebuf.size + uncompressedSize)) && (in < p->size)) {
15451545
// each flag byte flags 8 literals/references, 1 per bit
15461546
flags = (flagCount++ % 8 == 0) ? src[in++] : flags >> 1;
15471547
if ((flags & 1) == 1) { // each flag bit is 1 for reference, 0 for literal
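
Review bot: The `in < p->size` test added at line 1544 runs only once per iteration, but line 1546 already consumes a byte with `src[in++]` before the reference/literal branch at line 1547 is reached. If that branch reads further bytes from `src` (its body is outside this hunk), an iteration that starts with one byte left can still read past `p->size` when the stream ends right after a flag byte. Suggest checking the remaining input before each read inside the loop, not only at the top. Also, when the loop now stops because input ran out, `out` is short of `comp_Prebuf.size + uncompressedSize`; the code after the loop should treat that as a truncated stream and report an error instead of returning a partially filled `dst`.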
