Fixed oob read in clear_decompress_subcode_rlex
Fixed length checks before stream read. Thanks to hac425 CVE-2020-11040
parent
2215fef975
commit
363d7046df
@ -130,7 +130,7 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
|
||||
UINT32 i;
|
||||
UINT32 pixelCount;
|
||||
UINT32 bitmapDataOffset;
|
||||
UINT32 pixelIndex;
|
||||
size_t pixelIndex;
|
||||
UINT32 numBits;
|
||||
BYTE startIndex;
|
||||
BYTE stopIndex;
|
||||
@ -146,6 +146,8 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (Stream_GetRemainingLength(s) < 1)
|
||||
return FALSE;
|
||||
Stream_Read_UINT8(s, paletteCount);
|
||||
bitmapDataOffset = 1 + (paletteCount * 3);
|
||||
|
||||
@ -155,6 +157,9 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (Stream_GetRemainingLength(s) < 3ULL * paletteCount)
|
||||
return FALSE;
|
||||
|
||||
for (i = 0; i < paletteCount; i++)
|
||||
{
|
||||
BYTE r, g, b;
|
||||
@ -299,7 +304,7 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
|
||||
|
||||
if (pixelIndex != pixelCount)
|
||||
{
|
||||
WLog_ERR(TAG, "pixelIndex %" PRIu32 " != pixelCount %" PRIu32 "", pixelIndex, pixelCount);
|
||||
WLog_ERR(TAG, "pixelIndex %" PRIdz " != pixelCount %" PRIu32 "", pixelIndex, pixelCount);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
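Review bot: Declaring `pixelIndex` as `size_t` in the first hunk widens it only on builds where `size_t` is 64 bits; on 32-bit targets it stays the same width as the `UINT32` it replaces. If the change is meant to keep an addition on `pixelIndex` from wrapping before it is compared with `pixelCount` (that code lies between the hunks and is not visible here), a `UINT64` local or a check written as a subtraction from `pixelCount` would hold on every target. In the last hunk the new log line prints the now-unsigned `pixelIndex` with the signed `PRIdz`; assuming WinPR's `PRIuz` is in scope in this file, `"pixelIndex %" PRIuz " != pixelCount %" PRIu32 ""` matches the type. The function body starts and ends outside the hunks shown.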