// Contributed by Alexandre Oliva <aoliva@redhat.com>
// From Red Hat case 106165.
/*
 * Two-field record used by crashIt() in this file: crashIt() compares v1
 * against 8 and, when v1 is at least 8, reads its header through v2.
 */
typedef struct s1 {
    unsigned short v1; /* compared against 8 before v2 is trusted */
    unsigned char *v2; /* byte pointer; crashIt() treats 0 as "no data" */
} S1;
/* Defined in another translation unit; crashIt() calls it with the global
 * `hdb` on the path where the header check fails. */
extern void bar(const struct s1 *const hdb);

/* Declared with an empty parameter list (no prototype). crashIt() calls it
 * with no arguments and uses the result as the data pointer when pb->v1 < 8;
 * a return value of 0 is treated as failure. */
extern unsigned char *foo();

/*
 * File-scope state read by crashIt(). None of these has an initializer, so
 * all of them start out as zero / null pointers.
 */
unsigned int sn;    /* crashIt() returns 1 at once when this is non-zero */
S1 *hdb;            /* handed to bar() when the header is rejected */
S1 *pb;             /* dereferenced by crashIt() without a null check */
unsigned short len; /* must be >= 12 and equal to 12 + cnt * 56 to be accepted */
/*
 * Check the 8-byte header reached through the global `pb` (or through foo()
 * when pb->v1 is below 8) against the global length `len`.
 *
 * Returns 0 when the header is accepted, 1 otherwise. bar(hdb) is called
 * only on the final rejection path (length mismatch or a zero first word),
 * not on the early returns.
 *
 * NOTE(review): `pb` is dereferenced unconditionally once `sn == 0` and
 * `len >= 12`; the caller must have set it to a valid S1 first.
 * NOTE(review): `len` is a separate global. Nothing visible here ties it to
 * the size of the buffer behind the data pointer, so the `len >= 12` test
 * only bounds the two 4-byte reads if the caller keeps the two in sync --
 * confirm against the caller.
 * NOTE(review): both reads go through an `unsigned int *` cast of a byte
 * pointer. That relies on the buffer being suitably aligned for unsigned int
 * and on the access being permitted by the aliasing rules; neither is
 * established in this file. The mask/shift sequence reverses the four bytes
 * of a 32-bit value, so it also assumes a 32-bit unsigned int.
 */
unsigned int crashIt()
{
    unsigned char *cursor;
    unsigned int raw;
    unsigned int nsn;
    unsigned short cnt;

    if (sn != 0) {
        return 1;
    }

    /* Length is tested first, so a short `len` never touches pb or foo(). */
    if (len < 12) {
        return 1;
    }

    cursor = (pb->v1 >= 8) ? pb->v2 : foo();
    if (cursor == 0) {
        return 1;
    }

    /* First 32-bit word, byte-reversed. */
    raw = *(unsigned int *)cursor;
    nsn = ((raw & 0x000000ff) << 24) |
          ((raw & 0x0000ff00) << 8) |
          ((raw & 0x00ff0000) >> 8) |
          ((raw & 0xff000000) >> 24);

    /* Second 32-bit word, byte-reversed, then truncated to its low 16 bits. */
    cursor += 4;
    raw = *(unsigned int *)cursor;
    cnt = (unsigned short)((((raw & 0x000000ff) << 24) |
                            ((raw & 0x0000ff00) << 8) |
                            ((raw & 0x00ff0000) >> 8) |
                            ((raw & 0xff000000) >> 24)) &
                           0xffff);

    /* Accept only a non-zero first word and a length of exactly
     * 12 + cnt * 56 (cnt is promoted to int for the multiplication). */
    if ((nsn != 0) && (len == 12 + (cnt * 56))) {
        return 0;
    }

    bar(hdb);
    return 1;
}