git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Tree: 8245714c8a
Branches Tags
file
/
debian
/
patches
/
cherry-pick.FILE5_30-18-g4e4e7609.pr-599-out-of-bounds-read-in-cdf-files.patch

cherry-pick.FILE5_30-18-g4e4e7609.pr-599-out-of-bounds-read-in-cdf-files.patch 949 B
History Raw

123456789101112131415161718192021222324252627282930313233343536373839 
  1. Subject: PR/599: Out of bounds read in cdf files
    2. 

  2. Origin: FILE5_30-18-g4e4e7609
    3. 

  3. Upstream-Author: Christos Zoulas <christos@zoulas.com>
    4. 

  4. Date: Fri Mar 17 19:50:22 2017 +0000
    5. 

  5. 

  6. --- a/src/cdf.c
    7. 

  7. +++ b/src/cdf.c
    8. 

  8. @@ -982,19 +982,26 @@
    9. 

  9.  			for (j = 0; j < nelements && i < sh.sh_properties;
    10. 

  10.  			    j++, i++)
    11. 

  11.  			{
    12. 

  12. -				uint32_t l = CDF_GETUINT32(q, o);
    13. 

  13. +				uint32_t l;
    14. 

  14. +
    15. 

  15. +				o4 += sizeof(uint32_t);
    16. 

  16. +				if (q + o >= e || q + o4 >= e)
    17. 

  17. +					goto out;
    18. 

  18. +
    19. 

  19. +				l = CDF_GETUINT32(q, o);
    20. 

  20.  				inp[i].pi_str.s_len = l;
    21. 

  21. -				inp[i].pi_str.s_buf = (const char *)
    22. 

  22. -				    (const void *)(&q[o4 + sizeof(l)]);
    23. 

  23. +				inp[i].pi_str.s_buf = CAST(const char *,
    24. 

  24. +				    CAST(const void *, &q[o4]));
    25. 

  25. +
    26. 

  26.  				DPRINTF(("l = %d, r = %" SIZE_T_FORMAT
    27. 

  27.  				    "u, s = %s\n", l,
    28. 

  28.  				    CDF_ROUND(l, sizeof(l)),
    29. 

  29.  				    inp[i].pi_str.s_buf));
    30. 

  30. +
    31. 

  31.  				if (l & 1)
    32. 

  32.  					l++;
    33. 

  33. +
    34. 

  34.  				o += l >> 1;
    35. 

  35. -				if (q + o >= e)
    36. 

  36. -					goto out;
    37. 

  37.  				o4 = o * sizeof(uint32_t);
    38. 

  38.  			}
    39. 

  39.  			i--;
    40.