Hi,
On 22.12.2014 22:52, Sebastian Andrzej Siewior wrote:
On 2014-12-22 02:52:02 [+0100], Marc Dequènes (duck) wrote:
I can upload this simple fix quickly, nevertheless I did not have time to
proofread it. Any comment?
I plan to add the following patch to clamav. I added a small comment
why we have the busy loop there. So far it looks like a good idea. The
only problem is that we need off_t being 64-bit (LFS) or it won't work
on 32-bit. No problem on Debian side…
I think there is a better way than changing the type of frame_end to off_t.
It is possible to avoid the overflow by reordering the code:
--- libmspack-0.4.orig/mspack/qtmd.c
+++ libmspack-0.4/mspack/qtmd.c
@@ -296,10 +296,12 @@ int qtmd_decompress(struct qtmd_stream *
/* decode more, up to the number of bytes needed, the frame boundary,
* or the window boundary, whichever comes first */
- frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
- if ((window_posn + frame_todo) < frame_end) {
+ if (frame_todo < (out_bytes - (qtm->o_end - qtm->o_ptr))) {
frame_end = window_posn + frame_todo;
}
+ else {
+ frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
+ }
if (frame_end > qtm->window_size) {
frame_end = qtm->window_size;
}
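Review bot: the byte count `out_bytes - (qtm->o_end - qtm->o_ptr)` is now evaluated twice, once in the new condition and again in the else branch; compute it once into a local before the `if` so the two cannot drift apart, and put the invariant the reordering depends on (frame_todo is at most QTM_FRAME_SIZE, so neither branch adds more than that to window_posn and frame_end cannot wrap) into the comment above the block, because the diff on its own gives no hint why the comparison was moved ahead of the addition. The new condition also compares the unsigned frame_todo directly against that count, whose off_t width is what the thread is about; if the count can ever be negative, the usual arithmetic conversions would make the comparison take the wrong branch, so either the caller's guarantee that it is non-negative should be stated in the comment or it should be checked here.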
This works because frame_todo is at most QTM_FRAME_SIZE = 32768.
Merry Christmas,
Andreas
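To make the reordering concrete, here is an added C model of the two orderings (not libmspack's own code): it uses a 32-bit unsigned frame_end and window_posn and a 64-bit out_bytes, as the off_t discussion above implies, and shows that the original sum truncates once out_bytes exceeds 2^32 while the reordered version only ever adds at most QTM_FRAME_SIZE to window_posn. The buffered count `qtm->o_end - qtm->o_ptr` is passed as a single parameter named `buffered`, which is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>
#define QTM_FRAME_SIZE 32768u   /* value quoted in the thread */

/* Original ordering (constructed model, not libmspack's code): the 64-bit
 * byte count is added to window_posn first and the sum is stored in a
 * 32-bit unsigned int, so anything above 2^32 is silently truncated. */
static unsigned int frame_end_original(unsigned int window_posn,
                                       unsigned int frame_todo,
                                       int64_t out_bytes, int64_t buffered,
                                       unsigned int window_size)
{
    unsigned int frame_end = (unsigned int)(window_posn + (out_bytes - buffered));
    if ((window_posn + frame_todo) < frame_end)
        frame_end = window_posn + frame_todo;
    if (frame_end > window_size)
        frame_end = window_size;
    return frame_end;
}

/* Reordered as in the patch: compare first, add afterwards. Whichever
 * branch runs adds at most frame_todo <= QTM_FRAME_SIZE to window_posn,
 * so the 32-bit result cannot wrap. */
static unsigned int frame_end_reordered(unsigned int window_posn,
                                        unsigned int frame_todo,
                                        int64_t out_bytes, int64_t buffered,
                                        unsigned int window_size)
{
    int64_t remaining = out_bytes - buffered;   /* bytes still wanted */
    unsigned int frame_end;
    if ((int64_t)frame_todo < remaining)
        frame_end = window_posn + frame_todo;
    else
        frame_end = window_posn + (unsigned int)remaining;
    if (frame_end > window_size)
        frame_end = window_size;
    return frame_end;
}

int main(void)
{
    /* Constructed input: 1000 bytes into a 64 KiB window, nothing buffered,
     * a caller asking for just under 4 GiB. */
    unsigned int posn = 1000, todo = QTM_FRAME_SIZE, win = 65536;
    int64_t want = (INT64_C(1) << 32) - 500, buffered = 0;
    printf("original:  frame_end=%u (below window_posn=%u)\n",
           frame_end_original(posn, todo, want, buffered, win), posn);
    printf("reordered: frame_end=%u\n",
           frame_end_reordered(posn, todo, want, buffered, win));
    return 0;
}
```

With the large request the original ordering yields a frame_end that is smaller than window_posn, an inconsistent state, while the reordered version returns window_posn + QTM_FRAME_SIZE; for ordinary small requests both orderings agree.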