From c4d4e047862649a75f6dba905c613aff0df81309 Mon Sep 17 00:00:00 2001
From: Konstanty Bialkowski <konstanty@ieee.org>
Date: Wed, 14 Aug 2013 14:15:27 +1000
Subject: [PATCH] CVE-2013-4233 Fix
Integer overflow in j variable
-- reported by Florian "Agix" Gaultier
---
libmodplug/src/load_abc.cpp | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libmodplug/src/load_abc.cpp b/libmodplug/src/load_abc.cpp
index 9f4b328..ecb7b62 100644
--- a/libmodplug/src/load_abc.cpp
+++ b/libmodplug/src/load_abc.cpp
@@ -1814,7 +1814,7 @@ static int abc_extract_tempo(const char *p, int invoice)
static void abc_set_parts(char **d, char *p)
{
- int i,j,k,m,n;
+ int i,j,k,m,n,size;
char *q;
#ifdef NEWMIKMOD
static MM_ALLOC *h;
@@ -1852,10 +1852,11 @@ static void abc_set_parts(char **d, char *p)
i += n-1;
}
}
- q = (char *)_mm_calloc(h, j+1, sizeof(char)); // enough storage for the worst case
+ size = (j + 1) > 0 ? j+1 : j;
+ q = (char *)_mm_calloc(h, size, sizeof(char)); // enough storage for the worst case
// now copy bytes from p to *d, taking parens and digits in account
j = 0;
- for( i=0; p[i] && p[i] != '%'; i++ ) {
+ for( i=0; p[i] && p[i] != '%' && j < size; i++ ) {
if( isdigit(p[i]) || isupper(p[i]) || p[i] == '(' || p[i] == ')' ) {
if( p[i] == ')' ) {
for( n=j; n > 0 && q[n-1] != '('; n-- ) ; // find open paren in q
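Review bot: The overflow guard at `size = (j + 1) > 0 ? j+1 : j;` tests the result only after performing the signed addition, and signed overflow is undefined behaviour in C/C++, so the compiler may treat `(j + 1) > 0` as always true for non-negative j and discard the fallback; check before adding instead, e.g. `size = (j < INT_MAX) ? j + 1 : j;` (with `<limits.h>` in scope), or accumulate the count in an unsigned/size_t type. The added `j < size` bound on the copy loop protects stores to q[j] inside the loop, but if a terminating byte is written to q[j] after the loop ends (abc_set_parts continues past the hunk), the loop can exit with j == size and that store would land one past the allocation, so `j + 1 < size` may be the intended bound — worth confirming against the lines that follow. No check of the `_mm_calloc` return value is visible in the hunk before q is indexed at the `for( n=j; ...` line; if none exists further down, a failed allocation is dereferenced.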
--
1.8.4