Dominik Mierzejewski
1 year ago
parent
3ed16b4d62
commit
6202225dd0
@ -0,0 +1,31 @@
|
||||
diff -up libebml-1.3.9/src/MemIOCallback.cpp.cve-2023-52339 libebml-1.3.9/src/MemIOCallback.cpp
|
||||
--- libebml-1.3.9/src/MemIOCallback.cpp.cve-2023-52339 2024-02-02 13:48:28.626522658 +0100
|
||||
+++ libebml-1.3.9/src/MemIOCallback.cpp 2024-02-02 13:49:59.620078963 +0100
|
||||
@@ -68,7 +68,8 @@ uint32 MemIOCallback::read(void *Buffer,
|
||||
if (Buffer == NULL || Size < 1)
|
||||
return 0;
|
||||
//If the size is larger than than the amount left in the buffer
|
||||
- if (Size + dataBufferPos > dataBufferTotalSize) {
|
||||
+ if (Size + dataBufferPos < Size || // overflow, reading too much
|
||||
+ Size + dataBufferPos > dataBufferTotalSize) {
|
||||
//We will only return the remaining data
|
||||
memcpy(Buffer, dataBuffer + dataBufferPos, dataBufferTotalSize - dataBufferPos);
|
||||
uint64 oldDataPos = dataBufferPos;
|
||||
@@ -95,6 +96,8 @@ void MemIOCallback::setFilePointer(int64
|
||||
|
||||
size_t MemIOCallback::write(const void *Buffer, size_t Size)
|
||||
{
|
||||
+ if (dataBufferPos + Size < Size) // overflow, we can't hold that much
|
||||
+ return 0;
|
||||
if (dataBufferMemorySize < dataBufferPos + Size) {
|
||||
//We need more memory!
|
||||
dataBuffer = (binary *)realloc((void *)dataBuffer, dataBufferPos + Size);
|
||||
@@ -109,6 +112,8 @@ size_t MemIOCallback::write(const void *
|
||||
|
||||
uint32 MemIOCallback::write(IOCallback & IOToRead, size_t Size)
|
||||
{
|
||||
+ if (dataBufferPos + Size < Size) // overflow, we can't hold that much
|
||||
+ return 0;
|
||||
if (dataBufferMemorySize < dataBufferPos + Size) {
|
||||
//We need more memory!
|
||||
dataBuffer = (binary *)realloc((void *)dataBuffer, dataBufferPos + Size);
|
||||
Loading…
Reference in new issue