From 661b68ce8cfb77eabc2ce441fb306d7fb68e1bd0 Mon Sep 17 00:00:00 2001
From: Thomas Schmitt
Date: Fri, 18 Aug 2017 14:56:50 +0200
Subject: [PATCH] Preventing buffer overflow with AAIP AL entry of insufficient size. Debian bug 872545. Thanks Jakub Wilk and American Fuzzy Lop.
---
 libisofs/rockridge_read.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/libisofs/rockridge_read.c b/libisofs/rockridge_read.c
index bd92ceb..ce9db93 100644
--- a/libisofs/rockridge_read.c
+++ b/libisofs/rockridge_read.c
@@ -482,24 +482,27 @@ int read_aaip_AA(struct susp_sys_user_entry *sue,
 if (*is_done) {
 /* To coexist with Apple ISO :
- Gracefully react on eventually trailing Apple AA
+ Gracefully react on possibly trailing Apple AA
 */
 if (sue->version[0] != 1 || sue->len_sue[0] == 7)
 return ISO_SUCCESS;
 return ISO_WRONG_RR;
 }
-
-
- /* Eventually create or grow storage */
 if (*aa_size == 0 || *aa_string == NULL) {
-
- /* Gracefully react on eventually leading Apple AA
+ /* Gracefully react on possibly leading Apple AA
 */
- if (sue->version[0] != 1 || sue->len_sue[0] < 9) {
+ if (sue->version[0] != 1 || sue->len_sue[0] < 9)
 return ISO_SUCCESS;
- }
+ }
+ /* A valid AAIP AA entry has 5 header bytes and at least 1 component byte
+ */
+ if (sue->len_sue[0] < 6)
+ return ISO_WRONG_RR;
+
+ /* Possibly create or grow storage */
+ if (*aa_size == 0 || *aa_string == NULL) {
 *aa_size = *aa_len + sue->len_sue[0];
 *aa_string = calloc(*aa_size, 1);
 *aa_len = 0;
@@ -555,7 +558,12 @@ int read_aaip_AL(struct susp_sys_user_entry *sue,
 if (sue->version[0] != 1)
 return ISO_WRONG_RR;
- /* Eventually create or grow storage */
+ /* A valid AL entry has 5 header bytes and at least 1 component byte
+ */
+ if (sue->len_sue[0] < 6)
+ return ISO_WRONG_RR;
+
+ /* Possibly create or grow storage */
 if (*aa_size == 0 || *aa_string == NULL) {
 *aa_size = *aa_len + sue->len_sue[0];
 *aa_string = calloc(*aa_size, 1);
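Review bot: The new guard `if (sue->len_sue[0] < 6) return ISO_WRONG_RR;` in read_aaip_AA is the same three lines, with the same comment, that the second hunk adds to read_aaip_AL, and the minimum sits as a bare 6 beside the equally bare 7 and 9 already in this function. A named constant tied to the "5 header bytes" the comment explains, e.g. `enum { AAIP_SUE_HDR_LEN = 5 };` and `if (sue->len_sue[0] < AAIP_SUE_HDR_LEN + 1)`, or one static helper used by both readers, would keep the two copies from drifting apart the next time the minimum changes. After the early return for a leading Apple AA, `*aa_size == 0 || *aa_string == NULL` is now tested twice in succession; that is harmless, but a one-line comment on the second block saying it intentionally repeats the test after the length check would save the next reader from wondering whether the two were meant to differ. The body of read_aaip_AA continues past the end of the hunk, so the code that actually subtracts the header length from len_sue and copies the payload is not visible here.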
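Review bot: The added `if (sue->len_sue[0] < 6)` in read_aaip_AL turns an AL entry of exactly 5 bytes (header only, empty payload) into ISO_WRONG_RR, which fails Rock Ridge parsing of an image whose only oddity is an empty AL field; if the AAIP format allows a zero-length payload, `if (sue->len_sue[0] == 5) return ISO_SUCCESS;` ahead of the guard would tolerate it, and if it does not, extending the comment to say that 5-byte entries are deliberately rejected would make the choice of 6 over 5 visible. Separately, the context line `*aa_string = calloc(*aa_size, 1);` is followed by no NULL check inside the hunk; presumably one exists further down, but if it does not, a failed allocation would be written through when the payload is copied. read_aaip_AL continues outside the hunk, so the copy and any later check cannot be confirmed from this view.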