| 123456789101112131415161718192021222324252627282930313233 |
- Subject: The cdf_check_stream_offset function in relies on incorrect sector-size
- ID: CVE-2014-3479
- Author: Christos Zoulas <christos@zoulas.com>
- Date: Wed Jun 4 17:26:07 2014 +0000
- Origin:
- commit 36fadd29849b8087af9f4586f89dbf74ea45be67
- Debian-Author: Holger Levsen <holger@debian.org>
- Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Last-Update: 2014-09-07
- Use the proper sector size when checking stream offsets (Francisco Alonso and
- Jan Kaluza at RedHat)
- --- a/src/cdf.c
- +++ b/src/cdf.c
- @@ -267,13 +267,15 @@
- {
- const char *b = (const char *)sst->sst_tab;
- const char *e = ((const char *)p) + tail;
- + size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
- + CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
- (void)&line;
- - if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len)
- + if (e >= b && (size_t)(e - b) < ss * sst->sst_len)
- return 0;
- DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u"
- " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
- SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
- - CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
- + ss * sst->sst_len, ss, sst->sst_len));
- errno = EFTYPE;
- return -1;
- }
|
