bb #6712: safer SWF tag length handling

David Raynor
2013-02-04 16:32:50 -05:00
parent 7dfcf6e2df
commit 60e36cd653


@@ -205,7 +205,7 @@ static int scancws(cli_ctx *ctx, struct swf_file_hdr *hdr)
} while(zret == Z_OK);
if((zret != Z_STREAM_END && zret != Z_OK) || (zret = inflateEnd(&stream)) != Z_OK) {
cli_errmsg("scancws: Error decompressing SWF file\n");
cli_infomsg(ctx, "scancws: Error decompressing SWF file\n");
close(fd);
if(cli_unlink(tmpname)) {
free(tmpname);
@@ -246,7 +246,8 @@ int cli_scanswf(cli_ctx *ctx)
unsigned int bitpos, bitbuf, getbits_n, nbits, getword_1, getword_2, getdword_1, getdword_2;
const char *pt;
char get_c;
unsigned int val, foo, offset = 0, tag_hdr, tag_type, tag_len;
size_t offset = 0;
unsigned int val, foo, tag_hdr, tag_type, tag_len;
unsigned long int bits;
cli_dbgmsg("in cli_scanswf()\n");
@@ -294,6 +295,14 @@ int cli_scanswf(cli_ctx *ctx)
pt = tagname(tag_type);
cli_dbgmsg("SWF: %s\n", pt ? pt : "UNKNOWN TAG");
cli_dbgmsg("SWF: Tag length: %u\n", tag_len);
if (tag_len > map->len) {
cli_warnmsg("SWF: Invalid tag length.\n");
return CL_EFORMAT;
}
if ((offset + tag_len) < offset) {
cli_warnmsg("SWF: Tag length too large.\n");
break;
}
if(!pt) {
offset += tag_len;
continue;
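Review bot: The bound check added ahead of `if(!pt)` compares `tag_len` only with the whole file length, not with the bytes remaining after `offset`, so a tag whose length is below `map->len` but above `map->len - offset` passes both new checks and `offset += tag_len` moves past the end of the map; whether that is caught later depends on the read that follows, which is outside this hunk. The second check, `(offset + tag_len) < offset`, cannot trigger on builds where `size_t` is 64 bits and `tag_len` is a 32-bit `unsigned int`, so there only the first check is effective. A single test against the remaining length covers both cases and also removes the inconsistency of one variant returning CL_EFORMAT while the other breaks out of the loop: `if (tag_len > map->len - offset) { cli_warnmsg("SWF: Invalid tag length.\n"); return CL_EFORMAT; }` — this assumes `offset` never exceeds `map->len` at this point, which the tag-header reads earlier in the loop presumably guarantee; worth confirming. The enclosing loop in cli_scanswf starts and ends outside the hunk.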