shithub: dumb

Download patch

ref: 566c9876c74f170ee0fdb1e0eb33147581f3d490
parent: 23e78e17f4970638108f8a740a8d82d043d8b185
author: Chris Moeller <kode54@gmail.com>
date: Fri Oct 9 13:59:30 EDT 2015

Fix issue #15 / CVE-2006-3668

--- a/dumb/src/it/itread.c
+++ b/dumb/src/it/itread.c
@@ -290,12 +290,15 @@
 
 	envelope->flags = dumbfile_getc(f);
 	envelope->n_nodes = dumbfile_getc(f);
+	if(envelope->n_nodes > 25) {
+		TRACE("IT error: wrong number of envelope nodes (%d)\n", envelope->n_nodes);
+		envelope->n_nodes = 0;
+		return -1;
+	}
 	envelope->loop_start = dumbfile_getc(f);
 	envelope->loop_end = dumbfile_getc(f);
 	envelope->sus_loop_start = dumbfile_getc(f);
 	envelope->sus_loop_end = dumbfile_getc(f);
-	if (envelope->n_nodes > 25)
-		envelope->n_nodes = 25;
 	for (n = 0; n < envelope->n_nodes; n++) {
 		envelope->node_y[n] = dumbfile_getc(f);
 		envelope->node_t[n] = dumbfile_igetw(f);