From 91490d5f34422d514b042a9e597be8d614a3a1ea Mon Sep 17 00:00:00 2001
From: Thomas Schmitt
Date: Sat, 19 Aug 2017 11:08:02 +0200
Subject: [PATCH] Preventing use of zero sized SUSP CE entry which causes SIGSEGV. Debian bug 872590. Thanks Jakub Wilk and American Fuzzy Lop.
---
 libisofs/libisofs.h | 3 +++
 libisofs/messages.c | 2 ++
 libisofs/rockridge_read.c | 4 +++-
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/libisofs/libisofs.h b/libisofs/libisofs.h
index 3c47793..95a9a7b 100644
--- a/libisofs/libisofs.h
+++ b/libisofs/libisofs.h
@@ -8883,6 +8883,9 @@ int iso_conv_name_chars(IsoWriteOpts *opts, char *name, size_t name_len,
 /** Unable to obtain root directory (FATAL,HIGH, -418) */
 #define ISO_NO_ROOT_DIR 0xF030FE5E
+/** Zero sized or oversized SUSP CE area found (FAILURE, HIGH, -419) */
+#define ISO_SUSP_WRONG_CE_SIZE 0xE830FE5D
+
 /* Internal developer note: Place new error codes directly above this comment.
diff --git a/libisofs/messages.c b/libisofs/messages.c
index f97e2ba..6ff0a36 100644
--- a/libisofs/messages.c
+++ b/libisofs/messages.c
@@ -549,6 +549,8 @@ const char *iso_error_to_msg(int errcode)
 return "Unrecognized GPT disk GUID setup mode";
 case ISO_NO_ROOT_DIR:
 return "Unable to obtain root directory";
+ case ISO_SUSP_WRONG_CE_SIZE:
+ return "Zero sized or oversized SUSP CE area found";
 default:
 return "Unknown error";
 }
diff --git a/libisofs/rockridge_read.c b/libisofs/rockridge_read.c
index ce9db93..5ab0387 100644
--- a/libisofs/rockridge_read.c
+++ b/libisofs/rockridge_read.c
@@ -97,8 +97,10 @@ int susp_iter_next(SuspIterator *iter, struct susp_sys_user_entry **sue,
 if (iter->ce_len) {
 uint32_t block, nblocks;
- /* A CE has found, there is another continuation area */
+ /* A CE was found, there is another continuation area */
 nblocks = DIV_UP(iter->ce_off + iter->ce_len, BLOCK_SIZE);
+ if (nblocks <= 0)
+ return ISO_SUSP_WRONG_CE_SIZE;
 iter->buffer = realloc(iter->buffer, nblocks * BLOCK_SIZE);
 /* read all blocks needed to cache the full CE */
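Review bot: The added guard `if (nblocks <= 0)` can only ever test for zero, because `nblocks` is declared `uint32_t` in the hunk's context, so the "oversized" case that ISO_SUSP_WRONG_CE_SIZE and its message name is not rejected here. `ce_off` and `ce_len` presumably come from the CE entry of the image being read, so a large pair still reaches `realloc(iter->buffer, nblocks * BLOCK_SIZE)` with an image-controlled size, and the sum inside `DIV_UP` or the multiplication may wrap if they are evaluated in 32 bits (the field types and `BLOCK_SIZE` are not visible in this hunk). I would write the test as `if (nblocks == 0 || nblocks > MAX_CE_BLOCKS)`, with `MAX_CE_BLOCKS` a placeholder for a cap the project chooses, and reject a wrapping `ce_off + ce_len` before calling `DIV_UP`. The realloc result is also assigned straight back to `iter->buffer`; whether it is checked for NULL lies past the end of the hunk. susp_iter_next starts and ends outside the hunk.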