git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Tree: b873d01ff5
Branches Tags
file
/
debian
/
patches
/
cherry-pick.FILE5_30-46-g1fa18af6.check-read-bounds-for-vector-before-reading.patch

cherry-pick.FILE5_30-46-g1fa18af6.check-read-bounds-for-vector-before-reading.patch 899 B
History Raw

12345678910111213141516171819202122232425262728 
  1. Subject: Check read bounds for vector before reading. Found by oss-fuzz
    2. 

  2. Origin: FILE5_30-46-g1fa18af6
    3. 

  3. Upstream-Author: Christos Zoulas <christos@zoulas.com>
    4. 

  4. Date: Wed Apr 12 14:57:22 2017 +0000
    5. 

  5. 

  6. --- a/src/cdf.c
    7. 

  7. +++ b/src/cdf.c
    8. 

  8. @@ -959,7 +959,12 @@
    9. 

  9.  		inp[i].pi_type = CDF_GETUINT32(q, 0);
    10. 

  10.  		DPRINTF(("%" SIZE_T_FORMAT "u) id=%x type=%x offs=0x%tx,0x%x\n",
    11. 

  11.  		    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
    12. 

  12. +		left = CAST(size_t, e - q);
    13. 

  13.  		if (inp[i].pi_type & CDF_VECTOR) {
    14. 

  14. +			if (left < sizeof(uint32_t)) {
    15. 

  15. +				DPRINTF(("missing CDF_VECTOR length\n"));
    16. 

  16. +				goto out;
    17. 

  17. +			}
    18. 

  18.  			nelements = CDF_GETUINT32(q, 1);
    19. 

  19.  			if (nelements == 0) {
    20. 

  20.  				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
    21. 

  21. @@ -970,7 +975,6 @@
    22. 

  22.  			nelements = 1;
    23. 

  23.  			slen = 1;
    24. 

  24.  		}
    25. 

  25. -		left = CAST(size_t, e - q);
    26. 

  26.  		o4 = slen * sizeof(uint32_t);
    27. 

  27.  		if (inp[i].pi_type & (CDF_ARRAY|CDF_BYREF|CDF_RESERVED))
    28. 

  28.  			goto unknown;
    29.