Commit
Fix multiple heap-based buffer overflows in CmtkLoader::load()
Changes in src/mtk.cpp for loading files:

* Fail early if the (decompressed) size is too small to hold mtkdata minus patterns. That avoids attempts to copy data from beyond allocated memory.

* In the data decompression section, there are multiple cases where the code actually has checks for available space before copying data, but the size of the copy is increased after the check, so a buffer overflow is still possible (issue #90). Fix that by moving the check after the size computation, and also check for a valid source offset where applicable.

* Also add several checks whether source data is exhausted during decompression, so

* When copying the patterns, don't copy more data than the "pattern" array can hold.

In src/mtk.h, method getinstrument(), check for valid instrument number to avoid accessing the array with an invalid index.

This commit fixes CVE-2019-14734.

Fixes: #90
1 parent cb71517, commit 8342139
Showing 2 changed files with 18 additions and 8 deletions.