Preventing buffer overflow with AAIP AL entry of insufficient size. Debian bug 872545. Thanks Jakub Wilk and American Fuzzy Lop.
This commit is contained in:
parent
16bde11076
commit
661b68ce8c
@ -482,24 +482,27 @@ int read_aaip_AA(struct susp_sys_user_entry *sue,
|
|||||||
if (*is_done) {
|
if (*is_done) {
|
||||||
|
|
||||||
/* To coexist with Apple ISO :
|
/* To coexist with Apple ISO :
|
||||||
Gracefully react on eventually trailing Apple AA
|
Gracefully react on possibly trailing Apple AA
|
||||||
*/
|
*/
|
||||||
if (sue->version[0] != 1 || sue->len_sue[0] == 7)
|
if (sue->version[0] != 1 || sue->len_sue[0] == 7)
|
||||||
return ISO_SUCCESS;
|
return ISO_SUCCESS;
|
||||||
|
|
||||||
return ISO_WRONG_RR;
|
return ISO_WRONG_RR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Eventually create or grow storage */
|
|
||||||
if (*aa_size == 0 || *aa_string == NULL) {
|
if (*aa_size == 0 || *aa_string == NULL) {
|
||||||
|
/* Gracefully react on possibly leading Apple AA
|
||||||
/* Gracefully react on eventually leading Apple AA
|
|
||||||
*/
|
*/
|
||||||
if (sue->version[0] != 1 || sue->len_sue[0] < 9) {
|
if (sue->version[0] != 1 || sue->len_sue[0] < 9)
|
||||||
return ISO_SUCCESS;
|
return ISO_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* A valid AAIP AA entry has 5 header bytes and at least 1 component byte
|
||||||
|
*/
|
||||||
|
if (sue->len_sue[0] < 6)
|
||||||
|
return ISO_WRONG_RR;
|
||||||
|
|
||||||
|
/* Possibly create or grow storage */
|
||||||
|
if (*aa_size == 0 || *aa_string == NULL) {
|
||||||
*aa_size = *aa_len + sue->len_sue[0];
|
*aa_size = *aa_len + sue->len_sue[0];
|
||||||
*aa_string = calloc(*aa_size, 1);
|
*aa_string = calloc(*aa_size, 1);
|
||||||
*aa_len = 0;
|
*aa_len = 0;
|
||||||
@ -555,7 +558,12 @@ int read_aaip_AL(struct susp_sys_user_entry *sue,
|
|||||||
if (sue->version[0] != 1)
|
if (sue->version[0] != 1)
|
||||||
return ISO_WRONG_RR;
|
return ISO_WRONG_RR;
|
||||||
|
|
||||||
/* Eventually create or grow storage */
|
/* A valid AL entry has 5 header bytes and at least 1 component byte
|
||||||
|
*/
|
||||||
|
if (sue->len_sue[0] < 6)
|
||||||
|
return ISO_WRONG_RR;
|
||||||
|
|
||||||
|
/* Possibly create or grow storage */
|
||||||
if (*aa_size == 0 || *aa_string == NULL) {
|
if (*aa_size == 0 || *aa_string == NULL) {
|
||||||
*aa_size = *aa_len + sue->len_sue[0];
|
*aa_size = *aa_len + sue->len_sue[0];
|
||||||
*aa_string = calloc(*aa_size, 1);
|
*aa_string = calloc(*aa_size, 1);
|
||||||
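Review bot: The new guard `if (sue->len_sue[0] < 6)` hard-codes "5 header bytes plus one component byte" as a bare literal in both read_aaip_AA and read_aaip_AL, each with its own prose comment, so the two checks can drift apart from each other and from the header-size subtraction that presumably follows in the copy code outside these hunks. A single shared constant declared once next to the other SUSP sizes (for example `enum { AAIP_SUE_HEADER_LEN = 5 };` with the guards written as `if (sue->len_sue[0] < AAIP_SUE_HEADER_LEN + 1)`) would make the bound self-documenting and keep both functions in step; the `< 9` and `== 7` Apple AA thresholds in the first hunk are the same kind of literal and would benefit from the same treatment. Both enclosing functions continue past the hunks, and within the visible lines the `calloc()` result stored into `*aa_string` is not checked — if that check is not done immediately afterwards, an allocation failure on this path would be written through on the next use.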
|