

ref: 0948d27028784538d6c5da6937e40f11fa7bacd2
parent: 98f6464a85a41fb0c4801df589c825011506fb76
author: Christopher Snowhill <[email protected]>
date: Tue Sep 12 12:29:58 EDT 2017

A bit of hardening.

--- a/src/it/readpsm.c
+++ b/src/it/readpsm.c
@@ -461,7 +461,7 @@
 	PSMCHUNK *chunk;
 	int n_chunks = 0;
 
-	PSMCHUNK *songchunk;
+	PSMCHUNK *songchunk = 0;
 	int n_song_chunks = 0;
 
 	PSMEVENT *event = 0;
@@ -491,6 +491,7 @@
 	chunk = calloc(768, sizeof(*chunk));
 
 	while (length >= 8) {
+		if (n_chunks >= 768) goto error_fc;
 		chunk[n_chunks].id = dumbfile_mgetl(f);
 		n = dumbfile_igetl(f);
 		length -= 8;
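Review bot: The new `if (n_chunks >= 768) goto error_fc;` guard keeps writes inside the array, but `chunk` from `calloc(768, sizeof(*chunk))` two lines above is dereferenced at `chunk[n_chunks].id` with no NULL check visible in this hunk; if none exists outside it, an allocation failure is a NULL write rather than a clean error. A check such as `if (!chunk) goto error_fc;` directly after the calloc would close that (assuming error_fc's cleanup tolerates a NULL `chunk`, which `free` does). The limit 768 now appears in both the allocation and the guard; a single named constant (e.g. an enum `PSM_MAX_CHUNKS`, name constructed here) would keep the two from drifting apart. The enclosing function starts before this hunk, and the `n > length` style check for this loop's `n` is outside it, so whether it needs the same `n < 0` treatment the later hunk adds cannot be judged from here.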
@@ -584,13 +585,14 @@
 			ptr += 11;
 			songchunk = 0;
 			if (length >= 8) {
-				songchunk = malloc(128 * sizeof(*songchunk));
+				songchunk = malloc(256 * sizeof(*songchunk));
 				if (!songchunk) goto error_usd;
 				while (length >= 8) {
+					if (n_song_chunks >= 256) goto error_sc;
 					songchunk[n_song_chunks].id = DUMB_ID(ptr[0], ptr[1], ptr[2], ptr[3]);
 					n = ptr[4] | (ptr[5] << 8) | (ptr[6] << 16) | (ptr[7] << 24);
 					length -= 8;
-					if (n > length) goto error_sc;
+					if (n < 0 || n > length) goto error_sc;
 					songchunk[n_song_chunks].len = n;
 					songchunk[n_song_chunks].data = ptr + 8;
 					n_song_chunks++;
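Review bot: The `n < 0` half of the new `if (n < 0 || n > length) goto error_sc;` check relies on `ptr[7] << 24` producing a negative value, but if `ptr` is an `unsigned char *` (its declaration is outside the hunk) a byte of 0x80 or above shifted left by 24 overflows `int`, which is undefined behaviour and lets the compiler assume `n` is never negative and discard the check. Building the value in an unsigned type makes the shift defined: `n = (int)((unsigned)ptr[4] | ((unsigned)ptr[5] << 8) | ((unsigned)ptr[6] << 16) | ((unsigned)ptr[7] << 24));` — the conversion back to `int` is implementation-defined rather than undefined, so the sign test then behaves as the commit intends; comparing an unsigned value against `length` directly would be cleaner still if `length` is not signed. The limit 256 is also duplicated between `malloc(256 * sizeof(*songchunk))` and the `n_song_chunks >= 256` guard, so a shared named constant would keep them in step. The enclosing function starts before this hunk.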