simon987/antiword
1
0
Fork 0
mirror of https://github.com/simon987/antiword.git synced 2025-04-04 07:53:00 +00:00
Code Issues Projects Releases Wiki Activity

Add more bounds checking

Browse Source
This commit is contained in:
simon987 2022-03-17 15:07:32 -04:00
parent 62ae66db99
commit b9afdb0561
6 changed files with 1349 additions and 1313 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/antiword.h
View File

@ -253,7 +253,7 @@
#define BUF_AUC 1 #define BUF_AUC 1
extern void setBufferSize(ULONG size); extern void setBufferSize(ULONG size);
extern BOOL isOutOfBounds(ULONG offset); extern BOOL isOutOfBounds(ULONG offset, size_t size);
/* Prototypes */ /* Prototypes */

21
src/pdf.c
View File

@ -514,6 +514,7 @@ vMove2NextPage(diagram_type *pDiag, BOOL bNewSection)
vAddHeader(pDiag); vAddHeader(pDiag);
} /* end of vMove2NextPage */ } /* end of vMove2NextPage */
#define VMOVETO_MAX_DEPTH 300
/* /*
* vMoveTo - move to the specified X,Y coordinates * vMoveTo - move to the specified X,Y coordinates
* *
@ -527,7 +528,24 @@ vMoveTo(diagram_type *pDiag, long lLastVerticalMovement)
fail(pDiag->pOutFile == NULL); fail(pDiag->pOutFile == NULL);
if (pDiag->lYtop <= lFooterHeight + PS_BOTTOM_MARGIN && !bInFtrSpace) { if (pDiag->lYtop <= lFooterHeight + PS_BOTTOM_MARGIN && !bInFtrSpace) {
vMove2NextPage(pDiag, FALSE);
// NOTE: SIST2: only output the first page
vAddFooter(pDiag);
vEndPageObject(pDiag->pOutFile);
iObjectNumberCurr++;
vSetLocation(iObjectNumberCurr);
vFillNextPageObject();
vFPprintf(pDiag->pOutFile, "%d 0 obj\n", iObjectNumberCurr);
vFPprintf(pDiag->pOutFile, "<<\n");
vFPprintf(pDiag->pOutFile, "/Type /Page\n");
vFPprintf(pDiag->pOutFile, "/Parent 3 0 R\n");
vFPprintf(pDiag->pOutFile, "/Resources 17 0 R\n");
vFPprintf(pDiag->pOutFile, "/Contents %d 0 R\n", iObjectNumberCurr + 1);
vFPprintf(pDiag->pOutFile, ">>\n");
vFPprintf(pDiag->pOutFile, "endobj\n");
// ^^^
/* Repeat the last vertical movement on the new page */ /* Repeat the last vertical movement on the new page */
pDiag->lYtop -= lLastVerticalMovement; pDiag->lYtop -= lLastVerticalMovement;
} }
@ -978,6 +996,7 @@ static void
vPrintPDF(FILE *pFile, const char *szString, size_t tStringLength, vPrintPDF(FILE *pFile, const char *szString, size_t tStringLength,
USHORT usFontstyle) USHORT usFontstyle)
{ {
const UCHAR *aucBytes; const UCHAR *aucBytes;
double dMove; double dMove;
size_t tCount; size_t tCount;

2629
src/prop8.c
View File

File diff suppressed because it is too large Load Diff

2
src/propmod.c
View File

@ -63,7 +63,7 @@ vAdd2PropModList(const UCHAR *aucPropMod)
NO_DBG_DEC(tNextFree); NO_DBG_DEC(tNextFree);
tLen = 2 + (size_t)usGetWord(0, aucPropMod); tLen = 2 + (size_t)usGetWord(0, aucPropMod);
if (isOutOfBounds(tLen)) { if (isOutOfBounds(tLen, sizeof(short))) {
return; return;
} }
NO_DBG_HEX(tLen); NO_DBG_HEX(tLen);

4
src/sist2_hotfix.c
View File

@ -2,8 +2,8 @@
static __thread ULONG buffer; static __thread ULONG buffer;
BOOL isOutOfBounds(ULONG offset) { BOOL isOutOfBounds(ULONG offset, size_t size) {
return offset > buffer; return offset >= buffer - size;
} }
void setBufferSize(ULONG size) { void setBufferSize(ULONG size) {

4
src/summary.c
View File

@ -220,7 +220,7 @@ vAnalyseSummaryInfo(const UCHAR *aucBuffer)
ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer); ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer);
NO_DBG_DEC(tPropID); NO_DBG_DEC(tPropID);
NO_DBG_HEX(ulOffset); NO_DBG_HEX(ulOffset);
if (isOutOfBounds(ulOffset)) { if (isOutOfBounds(ulOffset, sizeof(long))) {
return FALSE; return FALSE;
} }
tPropType = (size_t)ulGetLong(ulOffset, aucBuffer); tPropType = (size_t)ulGetLong(ulOffset, aucBuffer);
@ -280,7 +280,7 @@ vAnalyseDocumentSummaryInfo(const UCHAR *aucBuffer)
ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer); ulOffset = ulGetLong(12 + tIndex * 8, aucBuffer);
NO_DBG_DEC(tPropID); NO_DBG_DEC(tPropID);
NO_DBG_HEX(ulOffset); NO_DBG_HEX(ulOffset);
if (isOutOfBounds(ulOffset)) { if (isOutOfBounds(ulOffset, sizeof(long))) {
return; return;
} }
tPropType = (size_t)ulGetLong(ulOffset, aucBuffer); tPropType = (size_t)ulGetLong(ulOffset, aucBuffer);