Description: Fix CVE-2010-1028: WOFF heap corruption due to integer overflow
Origin: mozilla-central, https://hg.mozilla.org/releases/mozilla-1.9.2/rev/827a6883442f
Last-Update: 2013-04-09

--- a/woff.c
+++ b/woff.c
@@ -626,7 +626,7 @@
   const woffHeader * header;
   uint16_t numTables, i;
   const woffDirEntry * dirEntry;
-  uint32_t tableTotal = 0;
+  uint64_t tableTotal = 0;
 
   if (!woffData || !woffLen) {
     return eWOFF_bad_parameter;
@@ -652,17 +652,17 @@
 
   dirEntry = (const woffDirEntry *) (woffData + sizeof(woffHeader));
   for (i = 0; i < numTables; ++i) {
-    uint32_t offs = READ32BE(dirEntry->offset);
-    uint32_t orig = READ32BE(dirEntry->origLen);
-    uint32_t comp = READ32BE(dirEntry->compLen);
+    uint64_t offs = READ32BE(dirEntry->offset);
+    uint64_t orig = READ32BE(dirEntry->origLen);
+    uint64_t comp = READ32BE(dirEntry->compLen);
     if (comp > orig || comp > woffLen || offs > woffLen - comp) {
       return eWOFF_invalid;
     }
     orig = (orig + 3) & ~3;
-    if (tableTotal > 0xffffffffU - orig) {
+    tableTotal += orig;
+    if (tableTotal > 0xffffffffU) {
       return eWOFF_invalid;
     }
-    tableTotal += orig;
     ++dirEntry;
   }
 
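Review bot: The rounding line `orig = (orig + 3) & ~3;` now runs on a 64-bit `orig` and is only correct because `~3` is a signed `int` that sign-extends to `0xFFFFFFFFFFFFFFFC`; an unsigned 32-bit mask such as `~3U` would clear bit 32 and turn a padded length of `0x100000000` (from `origLen` values `0xfffffffd` to `0xffffffff`) into 0, so that entry would no longer count toward the `tableTotal > 0xffffffffU` check. I would make the width explicit with `orig = (orig + 3) & ~(uint64_t)3;` and add a comment such as `/* 64-bit on purpose: a padded origLen can reach 2^32 */`. The fix also assumes `READ32BE` yields an unsigned 32-bit value that zero-extends into the new `uint64_t` locals; the macro is defined outside this patch, so that should be confirmed. The enclosing function starts and ends outside the hunk, so any later use of `tableTotal` that narrows it back to 32 bits is not visible here.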
--- a/woff.h
+++ b/woff.h
@@ -48,6 +48,7 @@
 typedef unsigned char  uint8_t;
 typedef unsigned short uint16_t;
 typedef unsigned int   uint32_t;
+typedef unsigned __int64  uint64_t;
 #else
 #include <inttypes.h>
 #endif