cd9b331d9f
CVEs fixed: - CVE-2006-3376 - CVE-2009-1364 - CVE-2015-0848 - CVE-2015-4588 - CVE-2015-4695 - CVE-2015-4696 - CVE-2016-9011
34 lines
1 KiB
Diff
34 lines
1 KiB
Diff
--- src/player.c
|
|
+++ src/player.c
|
|
@@ -140,7 +140,30 @@
|
|
return (API->err);
|
|
}
|
|
|
|
- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
|
|
+ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
|
|
+ if (nMaxRecordSize)
|
|
+ {
|
|
+ //before allocating memory do a sanity check on size by seeking
|
|
+ //to claimed end to see if its possible. We're constrained here
|
|
+ //by the api and existing implementations to not simply seeking
|
|
+ //to SEEK_END. So use what we have to skip to the last byte and
|
|
+ //try and read it.
|
|
+ const long nPos = WMF_TELL (API);
|
|
+ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
|
|
+ if (ERR (API))
|
|
+ { WMF_DEBUG (API,"bailing...");
|
|
+ return (API->err);
|
|
+ }
|
|
+ int byte = WMF_READ (API);
|
|
+ if (byte == (-1))
|
|
+ { WMF_ERROR (API,"Unexpected EOF!");
|
|
+ API->err = wmf_E_EOF;
|
|
+ return (API->err);
|
|
+ }
|
|
+ WMF_SEEK (API, nPos);
|
|
+ }
|
|
+
|
|
+ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
|
|
|
|
if (ERR (API))
|
|
{ WMF_DEBUG (API,"bailing...");
|