Fix/improve buffer overflow in MSG_ReadBits/MSG_WriteBits
Prevent reading past end of message in MSG_ReadBits. If read past end of msg->data buffer (16348 bytes) the engine could SEGFAULT. Make MSG_WriteBits use an exact buffer overflow check instead of possibly failing with a few bytes left.
This commit is contained in:
Zack Middleton
parent
2d6171f44c
commit
d2b1d124d4
3 changed files with 56 additions and 17 deletions
|
|
@ -279,9 +279,14 @@ int Huff_Receive (node_t *node, int *ch, byte *fin) {
|
|||
}
|
||||
|
||||
/* Get a symbol */
|
||||
void Huff_offsetReceive (node_t *node, int *ch, byte *fin, int *offset) {
|
||||
void Huff_offsetReceive (node_t *node, int *ch, byte *fin, int *offset, int maxoffset) {
|
||||
bloc = *offset;
|
||||
while (node && node->symbol == INTERNAL_NODE) {
|
||||
if (bloc >= maxoffset) {
|
||||
*ch = 0;
|
||||
*offset = maxoffset + 1;
|
||||
return;
|
||||
}
|
||||
if (get_bit(fin)) {
|
||||
node = node->right;
|
||||
} else {
|
||||
|
|
@ -298,11 +303,15 @@ void Huff_offsetReceive (node_t *node, int *ch, byte *fin, int *offset) {
|
|||
}
|
||||
|
||||
/* Send the prefix code for this node */
|
||||
static void send(node_t *node, node_t *child, byte *fout) {
|
||||
static void send(node_t *node, node_t *child, byte *fout, int maxoffset) {
|
||||
if (node->parent) {
|
||||
send(node->parent, node, fout);
|
||||
send(node->parent, node, fout, maxoffset);
|
||||
}
|
||||
if (child) {
|
||||
if (bloc >= maxoffset) {
|
||||
bloc = maxoffset + 1;
|
||||
return;
|
||||
}
|
||||
if (node->right == child) {
|
||||
add_bit(1, fout);
|
||||
} else {
|
||||
|
|
@ -312,22 +321,22 @@ static void send(node_t *node, node_t *child, byte *fout) {
|
|||
}
|
||||
|
||||
/* Send a symbol */
|
||||
void Huff_transmit (huff_t *huff, int ch, byte *fout) {
|
||||
void Huff_transmit (huff_t *huff, int ch, byte *fout, int maxoffset) {
|
||||
int i;
|
||||
if (huff->loc[ch] == NULL) {
|
||||
/* node_t hasn't been transmitted, send a NYT, then the symbol */
|
||||
Huff_transmit(huff, NYT, fout);
|
||||
Huff_transmit(huff, NYT, fout, maxoffset);
|
||||
for (i = 7; i >= 0; i--) {
|
||||
add_bit((char)((ch >> i) & 0x1), fout);
|
||||
}
|
||||
} else {
|
||||
send(huff->loc[ch], NULL, fout);
|
||||
send(huff->loc[ch], NULL, fout, maxoffset);
|
||||
}
|
||||
}
|
||||
|
||||
void Huff_offsetTransmit (huff_t *huff, int ch, byte *fout, int *offset) {
|
||||
void Huff_offsetTransmit (huff_t *huff, int ch, byte *fout, int *offset, int maxoffset) {
|
||||
bloc = *offset;
|
||||
send(huff->loc[ch], NULL, fout);
|
||||
send(huff->loc[ch], NULL, fout, maxoffset);
|
||||
*offset = bloc;
|
||||
}
|
||||
|
||||
|
|
@ -413,7 +422,7 @@ void Huff_Compress(msg_t *mbuf, int offset) {
|
|||
|
||||
for (i=0; i<size; i++ ) {
|
||||
ch = buffer[i];
|
||||
Huff_transmit(&huff, ch, seq); /* Transmit symbol */
|
||||
Huff_transmit(&huff, ch, seq, size<<3); /* Transmit symbol */
|
||||
Huff_addRef(&huff, (byte)ch); /* Do update */
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue