Fixed oob read in clear_decompress_subcode_rlex

Fixed length checks before stream read.
Thanks to hac425 CVE-2020-11040
This commit is contained in:
akallabeth 2020-04-21 10:35:17 +02:00
parent 2215fef975
commit 363d7046df
1 changed files with 7 additions and 2 deletions

View File

@ -130,7 +130,7 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
UINT32 i;
UINT32 pixelCount;
UINT32 bitmapDataOffset;
UINT32 pixelIndex;
size_t pixelIndex;
UINT32 numBits;
BYTE startIndex;
BYTE stopIndex;
@ -146,6 +146,8 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
return FALSE;
}
if (Stream_GetRemainingLength(s) < 1)
return FALSE;
Stream_Read_UINT8(s, paletteCount);
bitmapDataOffset = 1 + (paletteCount * 3);
@ -155,6 +157,9 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
return FALSE;
}
if (Stream_GetRemainingLength(s) < 3ULL * paletteCount)
return FALSE;
for (i = 0; i < paletteCount; i++)
{
BYTE r, g, b;
@ -299,7 +304,7 @@ static BOOL clear_decompress_subcode_rlex(wStream* s, UINT32 bitmapDataByteCount
if (pixelIndex != pixelCount)
{
WLog_ERR(TAG, "pixelIndex %" PRIu32 " != pixelCount %" PRIu32 "", pixelIndex, pixelCount);
WLog_ERR(TAG, "pixelIndex %" PRIdz " != pixelCount %" PRIu32 "", pixelIndex, pixelCount);
return FALSE;
}