34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
From 435a2ca802358a3debb6d164d2c33049131df81c Mon Sep 17 00:00:00 2001
|
|
From: Phillip Hellewell <sshock@gmail.com>
|
|
Date: Sat, 10 Mar 2018 18:05:39 -0700
|
|
Subject: [PATCH 3/4] Sanity check size passed to malloc...
|
|
|
|
Add sanity check before calling malloc in af_get_page() function to
|
|
avoid undefined behavior (e.g., seg fault) when dealing with a corrupt
|
|
AFF image with an invalid pagesize.
|
|
|
|
Issue found by Luis Rocha (luiscrocha@gmail.com).
|
|
---
|
|
lib/afflib_pages.cpp | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/lib/afflib_pages.cpp b/lib/afflib_pages.cpp
|
|
index 2569c2a..f8cf775 100644
|
|
--- a/lib/afflib_pages.cpp
|
|
+++ b/lib/afflib_pages.cpp
|
|
@@ -219,6 +219,11 @@ int af_get_page(AFFILE *af,int64_t pagenum,unsigned char *data,size_t *bytes)
|
|
return -3; // read error
|
|
}
|
|
|
|
+ /* Sanity check to avoid undefined behaviour when calling malloc below with pagesize from a corrupt AFF image. */
|
|
+ if(af->image_pagesize <= 0 || af->image_pagesize > 16*1024*1024)
|
|
+ return -1;
|
|
+
|
|
+
|
|
/* Now uncompress directly into the buffer provided by the caller, unless the caller didn't
|
|
* provide a buffer. If that happens, allocate our own...
|
|
*/
|
|
--
|
|
2.13.6
|
|
|