mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-11-16 03:45:24 -05:00
22 lines
880 B
Diff
22 lines
880 B
Diff
|
Description: Add check for buffer overflow with malformed input files
|
||
|
This was later re-found and became CVE-2014-8123.
|
||
|
Author: <eriks@debian.org>
|
||
|
Bug-Debian: http://bugs.debian.org/407015
|
||
|
Bug-Debian: https://bugs.debian.org/771768
|
||
|
Forwarded: http://seclists.org/oss-sec/2014/q4/870
|
||
|
Last-Update: 2016-01-11
|
||
|
|
||
|
--- antiword-0.37~/wordole.c 2005-08-26 21:49:57.000000000 +0200
|
||
|
+++ antiword-0.37/wordole.c 2009-06-03 22:31:15.948014682 +0200
|
||
|
@@ -259,6 +259,10 @@
|
||
|
}
|
||
|
tNameSize = (size_t)usGetWord(0x40, aucBytes);
|
||
|
tNameSize = (tNameSize + 1) / 2;
|
||
|
+ if ( tNameSize > sizeof(atPPSlist[iIndex].szName)) {
|
||
|
+ werr(0, "Name Size of PPS %d is too large", iIndex);
|
||
|
+ tNameSize = sizeof(atPPSlist[iIndex].szName);
|
||
|
+ }
|
||
|
vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
|
||
|
atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes);
|
||
|
if (atPPSlist[iIndex].ucType == 5) {
|