Fix NULL pointer dereference in outputSWF_TEXT_RECORD (CVE-2018-6315) #103
In outputSWF_TEXT_RECORD, the array offset is stored in a signed int, while `(&(trec->GlyphEntries[i]))->GlyphIndex[0]` returns an unsigned 32-bit number. This may lead to an integer overflow when reading the offset from the `GlyphIndex` array, and further to a buffer overflow when doing `buffer[i]=fi->fontcodeptr[off]` with negative off.

In this commit, we change the type of off to unsigned long so we are guaranteed to be able to store 32-bit unsigned integers.

This commit fixes CVE-2018-6315 (fixes #101).
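The conversion problem the description above is about, as an added example that is not code from the libming project or from this PR: it reproduces the signed int narrowing the author describes (a 32-bit glyph index with the top bit set becomes a negative offset), the unsigned long type the fix switches to, and, as a further step the PR itself does not take, a bounds check against the length of the code table before indexing it. The code table, its length and the function names are constructed for the illustration and stand in for `fi->fontcodeptr`; nothing here parses SWF input.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the font code table (fi->fontcodeptr in the PR).
 * Eight entries, so any offset >= 8 is out of bounds. */
#define CODE_TABLE_LEN 8u
static const uint16_t code_table[CODE_TABLE_LEN] = {
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'
};

/* Before the fix: the 32-bit GlyphIndex value is stored in a signed int.
 * For values >= 2^31 the conversion is implementation-defined in C; on the
 * usual two's-complement targets it yields a negative number, which the
 * original code then used as an array index (reading before the table). */
int offset_as_signed_int(uint32_t glyph_index)
{
    int off = glyph_index;
    return off;
}

/* After the fix: unsigned long is at least 32 bits wide, so every
 * GlyphIndex value is preserved and can never become negative. */
unsigned long offset_as_unsigned_long(uint32_t glyph_index)
{
    unsigned long off = glyph_index;
    return off;
}

/* Added bounds-checked lookup (hypothetical; the PR only changes the type).
 * A non-negative offset alone is not enough: a large glyph index is still
 * past the end of the table, so the length must be checked as well.
 * Returns the code at the offset, or -1 when the offset is out of range. */
long lookup_code(uint32_t glyph_index)
{
    unsigned long off = glyph_index;
    if (off >= CODE_TABLE_LEN)
        return -1;
    return code_table[off];
}

int main(void)
{
    /* Constructed glyph index with the top bit set. */
    uint32_t hostile = 0x80000000u;

    printf("as int:           %d\n", offset_as_signed_int(hostile));
    printf("as unsigned long: %lu\n", offset_as_unsigned_long(hostile));
    printf("checked lookup:   %ld (expect -1, out of range)\n",
           lookup_code(hostile));
    printf("checked lookup:   %ld (expect 68, 'D')\n", lookup_code(3));
    return 0;
}
```

The first two functions show why the type change matters: the same 32-bit value is negative through `int` and intact through `unsigned long`. The third shows the check a reviewer would still ask for after the fix, since an in-range-by-sign offset can still exceed the table.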