Check against overflow due to corrupted length field

This commit is contained in:
Marcus Holland-Moritz 2021-03-28 23:06:27 +02:00
parent dff559bc3f
commit 3cf157421d


@ -98,11 +98,18 @@ class filesystem_parser {
auto sh = mm.as<section_header_v2>(pos); auto sh = mm.as<section_header_v2>(pos);
if (sh->number == 0) { if (sh->number == 0) {
if (pos + 2 * sizeof(section_header_v2) + sh->length >= mm.size()) { auto endpos = pos + sh->length + 2 * sizeof(section_header_v2);
if (endpos < sh->length) {
// overflow
break; break;
} }
ps = mm.as<void>(pos + sizeof(section_header_v2) + sh->length); if (endpos >= mm.size()) {
break;
}
ps = mm.as<void>(pos + sh->length + sizeof(section_header_v2));
if (::memcmp(ps, magic.data(), magic.size()) == 0 and if (::memcmp(ps, magic.data(), magic.size()) == 0 and
reinterpret_cast<section_header_v2 const*>(ps)->number == 1) { reinterpret_cast<section_header_v2 const*>(ps)->number == 1) {