
Thread: CR: Bug #177588 - Potential Memory Corruption Exploit (Additional Fix)




CR: Bug #177588 - Potential Memory Corruption Exploit (Additional Fix)
user name
2006-10-18 18:40:53

Note:

Only one bug was filed for numerous media files, all with different modifications (which all resulted in unique crash cases).  This fix is for the same bug number as the previous one, even though it is a different fix entirely.

 

Synopsis:

There is a possible buffer overflow exploit in the playback of modified rm files.  The issue is that size values are read from the media, then used as the bounds of a “for” loop.  The loop then indexes an array of data, but if the bounds of the “for” loop aren’t right, then a buffer overflow will occur when it indexes past the end of the array.  This CR is to fix the crash that occurs in the memcorruption.rm media file linked from the bug report.

 

Fix:

Need to add bounds checking before entering the “for” loop.  The value read is the current stream number, and we already know the maximum number of streams available.  We can compare and determine if the read value is greater than the true number of streams.

 

Files Modified:

rarvcode-formprot/fileformat/intrstrm.cpp

 

Branch:

Head, Thxclient_1_2_1_neptune

 

Platforms and Profiles Build Verified:

Win32

 

Thanks,

Todd
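
The bounds check described under "Fix", shown beside the unchecked loop, as an added example that is not part of the original message and is not the code in intrstrm.cpp. The `StreamTable` structure, the two-byte record layout and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical parser state: one counter per stream the file header declared.
struct StreamTable {
    std::vector<uint32_t> packets_seen;  // size() is the true number of streams
};

// Read a big-endian 16-bit field at `off`; false if the buffer is too short.
static bool read_u16(const uint8_t* buf, size_t len, size_t off, uint16_t& out) {
    if (len < 2 || off > len - 2) return false;
    out = static_cast<uint16_t>((buf[off] << 8) | buf[off + 1]);
    return true;
}

// Unchecked form: the value read from the media is the loop bound as-is, so a
// stream number above the table size indexes past the end of the array.
bool mark_streams_unchecked(StreamTable& t, const uint8_t* buf, size_t len) {
    uint16_t stream_num = 0;
    if (!read_u16(buf, len, 0, stream_num)) return false;
    uint32_t* seen = t.packets_seen.data();
    for (size_t i = 0; i < stream_num; ++i) seen[i]++;
    return true;
}

// Checked form: compare against the known stream count before the loop and
// reject the record, leaving the table untouched, when the value is too large.
bool mark_streams_checked(StreamTable& t, const uint8_t* buf, size_t len) {
    uint16_t stream_num = 0;
    if (!read_u16(buf, len, 0, stream_num)) return false;
    if (stream_num > t.packets_seen.size()) return false;
    for (size_t i = 0; i < stream_num; ++i) t.packets_seen[i]++;
    return true;
}

int main() {
    StreamTable t{std::vector<uint32_t>(2, 0)};   // constructed: file with 2 streams
    const uint8_t ok[]  = {0x00, 0x02};           // constructed record: 2 streams
    const uint8_t bad[] = {0xFF, 0xFF};           // constructed record: 65535 streams
    std::printf("valid record accepted: %d\n", mark_streams_checked(t, ok, sizeof ok));
    std::printf("oversized record accepted: %d\n", mark_streams_checked(t, bad, sizeof bad));
    return 0;
}
```

The checked function also rejects a record too short to hold the field, since a truncated read would otherwise leave the loop bound undefined by the file.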

 
