git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Tree: b873d01ff5
Branches Tags
file
/
debian
/
patches
/
cherry-pick.FILE5_30-34-g22067c96.simplify-the-property-info-copy-function-and-check-for-bounds.patch

cherry-pick.FILE5_30-34-g22067c96.simplify-the-property-info-copy-function-and-check-for-bounds.patch 3.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125 
  1. Subject: Simplify the property info copy function and check for bounds
    2. 

  2. Origin: FILE5_30-34-g22067c96
    3. 

  3. Upstream-Author: Christos Zoulas <christos@zoulas.com>
    4. 

  4. Date: Wed Mar 29 19:45:22 2017 +0000
    5. 

  5. 

  6.     Found by oss-fuzz.
    7. 

  7. 

  8. --- a/src/cdf.c
    9. 

  9. +++ b/src/cdf.c
    10. 

  10. @@ -878,6 +878,34 @@
    11. 

  11.  	return NULL;
    12. 

  12.  }
    13. 

  13.  
    14. 

  14. +static int
    15. 

  15. +cdf_copy_info(cdf_property_info_t *inp, const void *p, const void *e,
    16. 

  16. +    size_t len)
    17. 

  17. +{
    18. 

  18. +	if (inp->pi_type & CDF_VECTOR)
    19. 

  19. +		return 0;
    20. 

  20. +
    21. 

  21. +	if ((size_t)(CAST(const char *, e) - CAST(const char *, p)) < len)
    22. 

  22. +		return 0;
    23. 

  23. +
    24. 

  24. +	(void)memcpy(&inp->pi_val, p, len);
    25. 

  25. +
    26. 

  26. +	switch (len) {
    27. 

  27. +	case 2:
    28. 

  28. +		inp->pi_u16 = CDF_TOLE2(inp->pi_u16);
    29. 

  29. +		break;
    30. 

  30. +	case 4:
    31. 

  31. +		inp->pi_u32 = CDF_TOLE4(inp->pi_u32);
    32. 

  32. +		break;
    33. 

  33. +	case 8:
    34. 

  34. +		inp->pi_u64 = CDF_TOLE8(inp->pi_u64);
    35. 

  35. +		break;
    36. 

  36. +	default:
    37. 

  37. +		abort();
    38. 

  38. +	}
    39. 

  39. +	return 1;
    40. 

  40. +}
    41. 

  41. +
    42. 

  42.  int
    43. 

  43.  cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
    44. 

  44.      uint32_t offs, cdf_property_info_t **info, size_t *count, size_t *maxcount)
    45. 

  45. @@ -885,12 +913,6 @@
    46. 

  46.  	const cdf_section_header_t *shp;
    47. 

  47.  	cdf_section_header_t sh;
    48. 

  48.  	const uint8_t *p, *q, *e;
    49. 

  49. -	int16_t s16;
    50. 

  50. -	int32_t s32;
    51. 

  51. -	uint32_t u32;
    52. 

  52. -	int64_t s64;
    53. 

  53. -	uint64_t u64;
    54. 

  54. -	cdf_timestamp_t tp;
    55. 

  55.  	size_t i, o4, nelements, j, slen, left;
    56. 

  56.  	cdf_property_info_t *inp;
    57. 

  57.  
    58. 

  58. @@ -953,49 +975,22 @@
    59. 

  59.  		case CDF_EMPTY:
    60. 

  60.  			break;
    61. 

  61.  		case CDF_SIGNED16:
    62. 

  62. -			if (inp[i].pi_type & CDF_VECTOR)
    63. 

  63. +			if (!cdf_copy_info(&inp[i], &q[o4], e, sizeof(int16_t)))
    64. 

  64.  				goto unknown;
    65. 

  65. -			(void)memcpy(&s16, &q[o4], sizeof(s16));
    66. 

  66. -			inp[i].pi_s16 = CDF_TOLE2(s16);
    67. 

  67.  			break;
    68. 

  68.  		case CDF_SIGNED32:
    69. 

  69. -			if (inp[i].pi_type & CDF_VECTOR)
    70. 

  70. -				goto unknown;
    71. 

  71. -			(void)memcpy(&s32, &q[o4], sizeof(s32));
    72. 

  72. -			inp[i].pi_s32 = CDF_TOLE4((uint32_t)s32);
    73. 

  73. -			break;
    74. 

  74.  		case CDF_BOOL:
    75. 

  75.  		case CDF_UNSIGNED32:
    76. 

  76. -			if (inp[i].pi_type & CDF_VECTOR)
    77. 

  77. +		case CDF_FLOAT:
    78. 

  78. +			if (!cdf_copy_info(&inp[i], &q[o4], e, sizeof(int32_t)))
    79. 

  79.  				goto unknown;
    80. 

  80. -			(void)memcpy(&u32, &q[o4], sizeof(u32));
    81. 

  81. -			inp[i].pi_u32 = CDF_TOLE4(u32);
    82. 

  82.  			break;
    83. 

  83.  		case CDF_SIGNED64:
    84. 

  84. -			if (inp[i].pi_type & CDF_VECTOR)
    85. 

  85. -				goto unknown;
    86. 

  86. -			(void)memcpy(&s64, &q[o4], sizeof(s64));
    87. 

  87. -			inp[i].pi_s64 = CDF_TOLE8((uint64_t)s64);
    88. 

  88. -			break;
    89. 

  89.  		case CDF_UNSIGNED64:
    90. 

  90. -			if (inp[i].pi_type & CDF_VECTOR)
    91. 

  91. -				goto unknown;
    92. 

  92. -			(void)memcpy(&u64, &q[o4], sizeof(u64));
    93. 

  93. -			inp[i].pi_u64 = CDF_TOLE8((uint64_t)u64);
    94. 

  94. -			break;
    95. 

  95. -		case CDF_FLOAT:
    96. 

  96. -			if (inp[i].pi_type & CDF_VECTOR)
    97. 

  97. -				goto unknown;
    98. 

  98. -			(void)memcpy(&u32, &q[o4], sizeof(u32));
    99. 

  99. -			u32 = CDF_TOLE4(u32);
    100. 

  100. -			memcpy(&inp[i].pi_f, &u32, sizeof(inp[i].pi_f));
    101. 

  101. -			break;
    102. 

  102.  		case CDF_DOUBLE:
    103. 

  103. -			if (inp[i].pi_type & CDF_VECTOR)
    104. 

  104. +		case CDF_FILETIME:
    105. 

  105. +			if (!cdf_copy_info(&inp[i], &q[o4], e, sizeof(int64_t)))
    106. 

  106.  				goto unknown;
    107. 

  107. -			(void)memcpy(&u64, &q[o4], sizeof(u64));
    108. 

  108. -			u64 = CDF_TOLE8((uint64_t)u64);
    109. 

  109. -			memcpy(&inp[i].pi_d, &u64, sizeof(inp[i].pi_d));
    110. 

  110.  			break;
    111. 

  111.  		case CDF_LENGTH32_STRING:
    112. 

  112.  		case CDF_LENGTH32_WSTRING:
    113. 

  113. @@ -1038,12 +1033,6 @@
    114. 

  114.  			}
    115. 

  115.  			i--;
    116. 

  116.  			break;
    117. 

  117. -		case CDF_FILETIME:
    118. 

  118. -			if (inp[i].pi_type & CDF_VECTOR)
    119. 

  119. -				goto unknown;
    120. 

  120. -			(void)memcpy(&tp, &q[o4], sizeof(tp));
    121. 

  121. -			inp[i].pi_tp = CDF_TOLE8((uint64_t)tp);
    122. 

  122. -			break;
    123. 

  123.  		case CDF_CLIPBOARD:
    124. 

  124.  			if (inp[i].pi_type & CDF_VECTOR)
    125. 

  125.  				goto unknown;
    126.