
Re: tiff: CVE-2018-8905: heap-based buffer overflow in LZWDecodeCompat



It looks like this buffer overflow is the consequence of an earlier buffer
overflow in the GetNextCodeCompat macro:

> #define GetNextCodeCompat(sp, bp, code) {                       \
>          nextdata |= (unsigned long) *(bp)++ << nextbits;        \
>          nextbits += 8;                                          \
>          if (nextbits < nbits) {                                 \
>                  nextdata |= (unsigned long) *(bp)++ << nextbits;\
>                  nextbits += 8;                                  \
>          }                                                       \
>          code = (hcode_t)(nextdata & nbitsmask);                 \
>          nextdata >>= nbits;                                     \
>          nextbits -= nbits;                                      \
> }

The raw data buffer is read via the bp pointer without proper bounds checking.
At some point we start to read garbage and store it in the code variable, which
is later used to create the codep. This invalid codep later triggers the second
overflow.

So now the question is: why is this first buffer overflow happening?

My guess is that the sample is declaring more strips than actually available, or
declares strips with incorrect size. I still have to check that however.

Regards,
 Hugo

-- 
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
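An added illustration of the point made above, not code from the original mail or from libtiff: the quoted macro reads `*(bp)++` without ever comparing bp against the end of the strip buffer. The reader below keeps the same nextdata/nextbits/nbits logic but refuses to assemble a code once the input is exhausted, so a short or mis-sized strip yields an error instead of garbage codes. The struct and function names (`lzw_reader`, `lzw_next_code`) are invented for the example.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint16_t hcode_t;

/* State for one strip; bufend is the check the quoted macro lacks. */
struct lzw_reader {
    const unsigned char *bp;      /* next unread byte of the strip */
    const unsigned char *bufend;  /* one past the last valid byte */
    unsigned long nextdata;       /* bit accumulator, LSB-first (Compat order) */
    unsigned long nextbits;       /* number of valid bits held in nextdata */
};

static void lzw_reader_init(struct lzw_reader *r, const unsigned char *buf, size_t len)
{
    r->bp = buf;
    r->bufend = buf + len;
    r->nextdata = 0;
    r->nextbits = 0;
}

/* Mirrors GetNextCodeCompat. Returns 0 and stores the next nbits-wide code
 * in *code, or -1 if the strip ends before a full code can be assembled. */
static int lzw_next_code(struct lzw_reader *r, unsigned nbits, hcode_t *code)
{
    unsigned long nbitsmask = (1UL << nbits) - 1;

    /* The unchecked macro does *(bp)++ here regardless of where bp points. */
    if (r->bp >= r->bufend)
        return -1;
    r->nextdata |= (unsigned long)*r->bp++ << r->nextbits;
    r->nextbits += 8;
    if (r->nextbits < nbits) {
        if (r->bp >= r->bufend)
            return -1;
        r->nextdata |= (unsigned long)*r->bp++ << r->nextbits;
        r->nextbits += 8;
    }
    *code = (hcode_t)(r->nextdata & nbitsmask);
    r->nextdata >>= nbits;
    r->nextbits -= nbits;
    return 0;
}
```

With a constructed 3-byte strip {0x01, 0x02, 0x03} and 9-bit codes the reader yields 1, then 385, then -1 at the point where the original macro would have read past the buffer.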
