Preventing buffer overflow with AAIP AL entry of insufficient size. Debian bug 872545. Thanks Jakub Wilk and American Fuzzy Lop.

Thomas Schmitt 2017-08-18 14:56:50 +02:00
parent 16bde11076
commit 661b68ce8c


@ -482,24 +482,27 @@ int read_aaip_AA(struct susp_sys_user_entry *sue,
if (*is_done) { if (*is_done) {
/* To coexist with Apple ISO : /* To coexist with Apple ISO :
Gracefully react on eventually trailing Apple AA Gracefully react on possibly trailing Apple AA
*/ */
if (sue->version[0] != 1 || sue->len_sue[0] == 7) if (sue->version[0] != 1 || sue->len_sue[0] == 7)
return ISO_SUCCESS; return ISO_SUCCESS;
return ISO_WRONG_RR; return ISO_WRONG_RR;
} }
/* Eventually create or grow storage */
if (*aa_size == 0 || *aa_string == NULL) { if (*aa_size == 0 || *aa_string == NULL) {
/* Gracefully react on possibly leading Apple AA
/* Gracefully react on eventually leading Apple AA
*/ */
if (sue->version[0] != 1 || sue->len_sue[0] < 9) { if (sue->version[0] != 1 || sue->len_sue[0] < 9)
return ISO_SUCCESS; return ISO_SUCCESS;
} }
/* A valid AAIP AA entry has 5 header bytes and at least 1 component byte
*/
if (sue->len_sue[0] < 6)
return ISO_WRONG_RR;
/* Possibly create or grow storage */
if (*aa_size == 0 || *aa_string == NULL) {
*aa_size = *aa_len + sue->len_sue[0]; *aa_size = *aa_len + sue->len_sue[0];
*aa_string = calloc(*aa_size, 1); *aa_string = calloc(*aa_size, 1);
*aa_len = 0; *aa_len = 0;
@ -555,7 +558,12 @@ int read_aaip_AL(struct susp_sys_user_entry *sue,
if (sue->version[0] != 1) if (sue->version[0] != 1)
return ISO_WRONG_RR; return ISO_WRONG_RR;
/* Eventually create or grow storage */ /* A valid AL entry has 5 header bytes and at least 1 component byte
*/
if (sue->len_sue[0] < 6)
return ISO_WRONG_RR;
/* Possibly create or grow storage */
if (*aa_size == 0 || *aa_string == NULL) { if (*aa_size == 0 || *aa_string == NULL) {
*aa_size = *aa_len + sue->len_sue[0]; *aa_size = *aa_len + sue->len_sue[0];
*aa_string = calloc(*aa_size, 1); *aa_string = calloc(*aa_size, 1);