aboutsummaryrefslogtreecommitdiff
path: root/system/arj/patches/security-afl.patch
blob: ed2bf57717863fc845faecae7bdc3be36e48120d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Description: Fix buffer overflow causing an invalid pointer free().
Author: Guillem Jover <guillem@debian.org>
Origin: vendor
Bug-Debian: https://bugs.debian.org/774015
Forwarded: no
Last-Update: 2015-02-26

---
 decode.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/decode.c
+++ b/decode.c
@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
    if(i==i_special)
    {
     c=getbits(2);
-    while(--c>=0)
+    while(--c>=0&&i<nn)
      pt_len[i++]=0;
    }
   }
@@ -314,10 +314,10 @@ void read_c_len()
      c=getbits(CBIT);
      c+=20;
     }
-    while(--c>=0)
+    while(--c>=0&&i<NC)
      c_len[i++]=0;
    }
-   else
+   else if (i<NC)
     c_len[i++]=(unsigned char)(c-2);
   }
   while(i<NC)