Preventing use of zero sized SUSP CE entry which causes SIGSEGV. Debian bug 872590. Thanks Jakub Wilk and American Fuzzy Lop.

2017-08-19 11:08:02 +02:00 · 2017-08-19 11:08:02 +02:00 · 91490d5f34
commit 91490d5f34
parent 661b68ce8c
3 changed files with 8 additions and 1 deletions
--- a/libisofs/libisofs.h
+++ b/libisofs/libisofs.h
@ -8883,6 +8883,9 @@ int iso_conv_name_chars(IsoWriteOpts *opts, char *name, size_t name_len,
 /** Unable to obtain root directory                       (FATAL,HIGH, -418) */
 #define ISO_NO_ROOT_DIR             0xF030FE5E

+/** Zero sized or oversized SUSP CE area found         (FAILURE, HIGH, -419) */
+#define ISO_SUSP_WRONG_CE_SIZE      0xE830FE5D
+

 /* Internal developer note: 
   Place new error codes directly above this comment. 
--- a/libisofs/messages.c
+++ b/libisofs/messages.c
@ -549,6 +549,8 @@ const char *iso_error_to_msg(int errcode)
        return "Unrecognized GPT disk GUID setup mode";
    case ISO_NO_ROOT_DIR:
        return "Unable to obtain root directory";
+    case ISO_SUSP_WRONG_CE_SIZE:
+        return "Zero sized or oversized SUSP CE area found";
    default:
        return "Unknown error";
    }
--- a/libisofs/rockridge_read.c
+++ b/libisofs/rockridge_read.c
@ -97,8 +97,10 @@ int susp_iter_next(SuspIterator *iter, struct susp_sys_user_entry **sue,
        if (iter->ce_len) {
            uint32_t block, nblocks;

-            /* A CE has found, there is another continuation area */
+            /* A CE was found, there is another continuation area */
            nblocks = DIV_UP(iter->ce_off + iter->ce_len, BLOCK_SIZE);
+            if (nblocks <= 0)
+                return ISO_SUSP_WRONG_CE_SIZE;
            iter->buffer = realloc(iter->buffer, nblocks * BLOCK_SIZE);

            /* read all blocks needed to cache the full CE */