kumquat-buildroot/package/file/0001-Detect-multiplication-overflow-when-computing-sector.patch

69 lines
1.8 KiB
Diff
Raw Normal View History

From 06de62c022138f63de9bcd04074491945eaa8662 Mon Sep 17 00:00:00 2001
From: Christos Zoulas <christos@zoulas.com>
Date: Fri, 23 Aug 2019 14:29:14 +0000
Subject: [PATCH] Detect multiplication overflow when computing sector position
(found by oss-fuzz)
Fixes CVE-2019-18218
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
src/cdf.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/cdf.c b/src/cdf.c
index 556a3ff8..9d639674 100644
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -35,7 +35,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.115 2019/08/23 14:29:14 christos Exp $")
#endif
#include <assert.h>
@@ -53,6 +53,10 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $")
#define EFTYPE EINVAL
#endif
+#ifndef SIZE_T_MAX
+#define SIZE_T_MAX CAST(size_t, ~0ULL)
+#endif
+
#include "cdf.h"
#ifdef CDF_DEBUG
@@ -405,7 +409,12 @@ cdf_read_sector(const cdf_info_t *info, void *buf, size_t offs, size_t len,
const cdf_header_t *h, cdf_secid_t id)
{
size_t ss = CDF_SEC_SIZE(h);
- size_t pos = CDF_SEC_POS(h, id);
+ size_t pos;
+
+ if (SIZE_T_MAX / ss < CAST(size_t, id))
+ return -1;
+
+ pos = CDF_SEC_POS(h, id);
assert(ss == len);
return cdf_read(info, CAST(off_t, pos), RCAST(char *, buf) + offs, len);
}
@@ -415,7 +424,12 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
size_t len, const cdf_header_t *h, cdf_secid_t id)
{
size_t ss = CDF_SHORT_SEC_SIZE(h);
- size_t pos = CDF_SHORT_SEC_POS(h, id);
+ size_t pos;
+
+ if (SIZE_T_MAX / ss < CAST(size_t, id))
+ return -1;
+
+ pos = CDF_SHORT_SEC_POS(h, id);
assert(ss == len);
if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
--
2.20.1