From: Philippe Antoine <pantoine@oisf.net>
Date: Thu, 30 Oct 2025 10:27:22 +0000 (+0100)
Subject: [PATCH] util/swf: move allocation from stack to heap
X-Git-Tag: archive/raspbian/1%7.0.10-1+rpi1+deb13u2^2~3
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=f858b4ace56521e339f924310c2623f325cd35a6;p=suricata.git

[PATCH] util/swf: move allocation from stack to heap

As it can overflow the stack

Ticket: 8055
(cherry picked from commit a84addb771846f6d4d55ec535a4591f58369e49c)

Origin: upstream, https://github.com/OISF/suricata/commit/f67d72702a2601d0a86ac1450686e70d7176f629.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8055
Subject: Upstream fix for CVE-2025-64332

Gbp-Pq: Name CVE-2025-64332.patch
---

diff --git a/src/util-file-decompression.c b/src/util-file-decompression.c
index dfafdc87..bf65b0b7 100644
--- a/src/util-file-decompression.c
+++ b/src/util-file-decompression.c
@@ -169,7 +169,10 @@ int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len,
          * | LZMA properties | Uncompressed length | Compressed data |
          */
         compressed_data_len += 13;
-        uint8_t compressed_data[compressed_data_len];
+        uint8_t *compressed_data = SCCalloc(1, compressed_data_len);
+        if (compressed_data == NULL) {
+            goto error;
+        }
         /* put lzma properties */
         memcpy(compressed_data, buffer + 12, 5);
         /* put lzma end marker */
@@ -183,6 +186,7 @@ int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len,
         r = FileSwfLzmaDecompression(det_ctx,
                                      compressed_data, compressed_data_len,
                                      out_buffer->buf + 8, out_buffer->len - 8);
+        SCFree(compressed_data);
         if (r == 0)
             goto error;
     } else {