Prevented possible overflow of struct elto_img_par.extract_size

This commit is contained in:
Thomas Schmitt 2024-04-02 20:11:08 +02:00
parent 4fe385baed
commit ffaa15ed53
2 changed files with 14 additions and 4 deletions

View File

@ -1810,7 +1810,8 @@ static int Xorriso_scan_report_lines(struct XorrisO *xorriso,
char *cat_path= ""; char *cat_path= "";
struct elto_img_par *et_imgs= NULL; struct elto_img_par *et_imgs= NULL;
int elto_count= 0; int elto_count= 0;
uint32_t mbr_parts_end= 0, extract_size; uint32_t mbr_parts_end= 0;
off_t extract_size;
struct FindjoB *job= NULL; struct FindjoB *job= NULL;
struct stat dir_stbuf; struct stat dir_stbuf;
IsoImage *image; IsoImage *image;
@ -2050,8 +2051,17 @@ static int Xorriso_scan_report_lines(struct XorrisO *xorriso,
et_imgs[idx].path= textpt; et_imgs[idx].path= textpt;
ret= Xorriso_iso_lstat(xorriso, et_imgs[idx].path, &dir_stbuf, 0); ret= Xorriso_iso_lstat(xorriso, et_imgs[idx].path, &dir_stbuf, 0);
if(ret == 0) { if(ret == 0) {
extract_size = (dir_stbuf.st_size + 2047) / 2048; extract_size = (dir_stbuf.st_size + (off_t) 2047) / (off_t) 2048;
if(extract_size > et_imgs[idx].extract_size) if(extract_size > (off_t) 0xffffffff) {
if(!(flag & 5)) {
sprintf(xorriso->info_text,
"Boot image size exceeds limit of 32-bit block count: ");
Text_shellsafe(et_imgs[idx].path, xorriso->info_text, 1);
Xorriso_msgs_submit(xorriso, 0, xorriso->info_text, 0, "SORRY", 0);
}
continue;
}
if(extract_size > (off_t) et_imgs[idx].extract_size)
et_imgs[idx].extract_size= extract_size; et_imgs[idx].extract_size= extract_size;
} }

View File

@ -1 +1 @@
#define Xorriso_timestamP "2024.03.28.144046" #define Xorriso_timestamP "2024.04.02.170748"