mmcmp.c: add a sanity check to 16bit compressed blocks' decompression:

it would go past the end of the destination buffer with malformed files. fixes all five of the fuzzing crashers provided by Lionel Debroux. (id numbers 39, 41, 108, 109, and 110.)
sezero · Mar 25, 2017 · 98f1f0c · 98f1f0c
1 parent 2ee51c1
commit 98f1f0c
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/libmikmod/depackers/mmcmp.c b/libmikmod/depackers/mmcmp.c
@@ -139,7 +139,7 @@ static const ULONG MMCMP16BitFetch[16] =
 BOOL MMCMP_Unpack(MREADER* reader, void** out, long* outlen)
 {
 	ULONG srclen, destlen;
-	UBYTE *destbuf, *destptr;
+	UBYTE *destbuf, *destptr, *destend;
 	MMCMPHEADER mmh;
 	ULONG *pblk_table;
 	MMCMPSUBBLOCK *subblocks;
@@ -179,6 +179,7 @@ BOOL MMCMP_Unpack(MREADER* reader, void** out, long* outlen)
 	subblocks = (MMCMPSUBBLOCK*)MikMod_malloc(numsubs*sizeof(MMCMPSUBBLOCK));
 	if (!destbuf || !buf || !pblk_table || !subblocks)
 		goto err;
+	destend = destbuf + destlen;
 
 	_mm_fseek(reader,mmh.blktable,SEEK_SET);
 	for (blockidx = 0; blockidx < mmh.nblocks; blockidx++) {
@@ -327,8 +328,10 @@ BOOL MMCMP_Unpack(MREADER* reader, void** out, long* outlen)
 					{
 						newval ^= 0x8000;
 					}
-					destptr[pos++] = (UBYTE) (((UWORD)newval) & 0xff);
-					destptr[pos++] = (UBYTE) (((UWORD)newval) >> 8);
+					if (destend - destptr < 2) goto err;
+					pos += 2;
+					*destptr++ = (UBYTE) (((UWORD)newval) & 0xff);
+					*destptr++ = (UBYTE) (((UWORD)newval) >> 8);
 				}
 				if (pos >= size)
 				{