Index: lfo.c =================================================================== --- lfo.c.orig +++ lfo.c @@ -23,6 +23,7 @@ #include #include +#include #include "wv.h" /* @@ -32,6 +33,16 @@ one has (LFO.clfolvl), and writes out, i followed by its corresponding LVL structure (if LFOLVL.fFormatting is set). */ +static int +multiplication_will_overflow(U32 a, U32 b) +{ + if((a > 0) && (b > 0) && (UINT_MAX / a) >= b) { + return 0; + } + + return 1; +} + int wvGetLFO_records (LFO ** lfo, LFOLVL ** lfolvl, LVL ** lvl, U32 * nolfo, U32 * nooflvl, U32 offset, U32 len, wvStream * fd) @@ -49,7 +60,9 @@ wvGetLFO_records (LFO ** lfo, LFOLVL ** wvTrace (("pos %x %d\n", wvStream_tell (fd), *nooflvl)); wvTrace (("nolfo is %d nooflvl is %d\n", *nolfo, *nooflvl)); - if (*nooflvl == 0) + if ((*nooflvl == 0) || + multiplication_will_overflow(sizeof (LFOLVL), *nooflvl) || + multiplication_will_overflow(sizeof (LVL), *nooflvl)) { *lfolvl = NULL; *lvl = NULL; @@ -101,16 +114,22 @@ wvGetLFO_PLF (LFO ** lfo, U32 * nolfo, U *nolfo = read_32ubit (fd); wvTrace (("%d\n", *nolfo)); - *lfo = (LFO *) wvMalloc (*nolfo * sizeof (LFO)); - if (*lfo == NULL) - { - wvError ( - ("NO MEM 1, failed to alloc %d bytes\n", + /* check for integer overflow */ + if (multiplication_will_overflow(*nolfo, sizeof(LFO))) { + wvError (("Malicious document!\n")); + *nolfo = 0; + return (1); + } else { + *lfo = (LFO *) wvMalloc (*nolfo * sizeof(LFO)); + if (*lfo == NULL) + { + wvError (("NO MEM 1, failed to alloc %d bytes\n", *nolfo * sizeof (LFO))); return (1); - } - for (i = 0; i < *nolfo; i++) + } + for (i = 0; i < *nolfo; i++) wvGetLFO (&((*lfo)[i]), fd); + } } return (0); }