Skip to content

Commit

Permalink
Fix dxfb_3dsolid heap-buffer-overflow with VALUE_BINARY (s, l)
Browse files Browse the repository at this point in the history 
Fixes GH #911
  • Loading branch information
@rurban
rurban committed Dec 31, 2023
1 parent e649e4f commit 8c467b2
Showing 1 changed file with 6 additions and 14 deletions.
20 changes: 6 additions & 14 deletions src/out_dxfb.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1402,30 +1402,22 @@ dxfb_3dsolid (Bit_Chain *restrict dat, const Dwg_Object *restrict obj,
for (i = 0; i < FIELD_VALUE (num_blocks); i++)
{
char *s = FIELD_VALUE (encr_sat_data[i]);
BITCODE_BL len = FIELD_VALUE (block_size[i]);
if ((BITCODE_BLd)len < 0)
{
LOG_ERROR ("Invalid %s.block_size[%u] " FORMAT_BL, obj->name,
(unsigned)i, len);
return DWG_ERR_VALUEOUTOFBOUNDS;
}
int len = FIELD_VALUE (block_size[i]);
// DXF 1 + 3 if >255
while (len > 0)
{
char *n = strchr (s, '\n');
int l = len > 255 ? 255 : len & 0xff;
if (n && ((long)(n - s) < (long)len))
l = n - s;
{
l = n - s;
}
if (l)
{
if (len < 255)
{
VALUE_BINARY (s, l, 1);
}
VALUE_BINARY (s, l, 1)
else
{
VALUE_BINARY (s, l, 3);
}
VALUE_BINARY (s, l, 3)
l++;
len -= l;
s += l;
Expand Down

0 comments on commit 8c467b2

Please sign in to comment.