From ffaa15ed53a8bd3784c3082b6b271abdb957bf2d Mon Sep 17 00:00:00 2001
From: Thomas Schmitt
Date: Tue, 2 Apr 2024 20:11:08 +0200
Subject: [PATCH] Prevented possible overflow of struct elto_img_par.extract_size
---
 xorriso/iso_img.c | 16 +++++++++++++---
 xorriso/xorriso_timestamp.h | 2 +-
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/xorriso/iso_img.c b/xorriso/iso_img.c
index aba3072e..84890a81 100644
--- a/xorriso/iso_img.c
+++ b/xorriso/iso_img.c
@@ -1810,7 +1810,8 @@ static int Xorriso_scan_report_lines(struct XorrisO *xorriso,
 char *cat_path= "";
 struct elto_img_par *et_imgs= NULL;
 int elto_count= 0;
- uint32_t mbr_parts_end= 0, extract_size;
+ uint32_t mbr_parts_end= 0;
+ off_t extract_size;
 struct FindjoB *job= NULL;
 struct stat dir_stbuf;
 IsoImage *image;
@@ -2050,8 +2051,17 @@ static int Xorriso_scan_report_lines(struct XorrisO *xorriso,
 et_imgs[idx].path= textpt;
 ret= Xorriso_iso_lstat(xorriso, et_imgs[idx].path, &dir_stbuf, 0);
 if(ret == 0) {
- extract_size = (dir_stbuf.st_size + 2047) / 2048;
- if(extract_size > et_imgs[idx].extract_size)
+ extract_size = (dir_stbuf.st_size + (off_t) 2047) / (off_t) 2048;
+ if(extract_size > (off_t) 0xffffffff) {
+ if(!(flag & 5)) {
+ sprintf(xorriso->info_text,
+ "Boot image size exceeds limit of 32-bit block count: ");
+ Text_shellsafe(et_imgs[idx].path, xorriso->info_text, 1);
+ Xorriso_msgs_submit(xorriso, 0, xorriso->info_text, 0, "SORRY", 0);
+ }
+ continue;
+ }
+ if(extract_size > (off_t) et_imgs[idx].extract_size)
 et_imgs[idx].extract_size= extract_size;
 }
 
diff --git a/xorriso/xorriso_timestamp.h b/xorriso/xorriso_timestamp.h
index 5fb1d589..bb228cea 100644
--- a/xorriso/xorriso_timestamp.h
+++ b/xorriso/xorriso_timestamp.h
@@ -1 +1 @@
-#define Xorriso_timestamP "2024.03.28.144046"
+#define Xorriso_timestamP "2024.04.02.170748"
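Review bot: The declaration `off_t extract_size;` in the first hunk of xorriso/iso_img.c (around line 1813) changes the type for every use of this local in Xorriso_scan_report_lines, but the patch shows only one use site. Any other read of it in the part of the function outside the hunks (printf-style formats, comparisons with 32-bit values) should be checked against the new width. The name also does not say which unit it holds; a comment such as `/* boot image size in 2048-byte blocks, range-checked before it is stored in elto_img_par.extract_size */` would make that explicit. The function starts and ends outside this hunk.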
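Review bot: The guard `if(extract_size > (off_t) 0xffffffff)` in the second hunk (around line 2055) is only meaningful where off_t is wider than 32 bits. If this file can be built with a 32-bit off_t, the cast yields an implementation-defined value (typically -1), so the test would be true for every image and each boot image would be skipped with a SORRY message. Comparing in a fixed-width type avoids that dependency, e.g. `if((uint64_t) extract_size > (uint64_t) 0xffffffff) {`, or the large-file requirement could be stated in a comment next to the check. Separately, the `continue` runs after `et_imgs[idx].path` has already been set, so the entry keeps its path with an unchanged extract_size; whether later code copes with that is not visible, since the loop body continues outside the hunk.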