Date: Wed, 10 Jun 2026 13:52:30 +0000 From: John Baldwin <jhb@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 0492dbe9212e - main - cd9660: Don't parse RRIP records whose length overflows the sector boundary Message-ID: <6a296c1e.1f802.270eebf0@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=0492dbe9212ee0172e8003c487f256015478edd6 commit 0492dbe9212ee0172e8003c487f256015478edd6 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2026-06-10 13:44:10 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2026-06-10 13:44:10 +0000 cd9660: Don't parse RRIP records whose length overflows the sector boundary PR: 272896 Reported by: Robert Morris <rtm@lcs.mit.edu> Reviewed by: des, emaste Differential Revision: https://reviews.freebsd.org/D57135 --- sys/fs/cd9660/cd9660_rrip.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/sys/fs/cd9660/cd9660_rrip.c b/sys/fs/cd9660/cd9660_rrip.c index 9bc8ef655368..db87f6d1223e 100644 --- a/sys/fs/cd9660/cd9660_rrip.c +++ b/sys/fs/cd9660/cd9660_rrip.c @@ -464,6 +464,7 @@ cd9660_rrip_loop(struct iso_directory_record *isodir, ISO_RRIP_ANALYZE *ana, RRIP_TABLE *ptable; ISO_SUSP_HEADER *phead; ISO_SUSP_HEADER *pend; + ISO_SUSP_HEADER *pnext; struct buf *bp = NULL; char *pwhead; u_short c; @@ -495,6 +496,21 @@ cd9660_rrip_loop(struct iso_directory_record *isodir, ISO_RRIP_ANALYZE *ana, * Note: "pend" should be more than one SUSP header */ while (pend >= phead + 1) { + /* Validate length. */ + if (isonum_711(phead->length) < sizeof(*phead)) + break; + + /* + * Next SUSP + * Hopefully this works with newer versions, too + */ + pnext = (ISO_SUSP_HEADER *)((char *)phead + + isonum_711(phead->length)); + + /* If the record doesn't fit, break out of the loop. */ + if (pnext > pend) + break; + if (isonum_711(phead->version) == 1) { for (ptable = table; ptable->func; ptable++) { if (phead->type[0] == ptable->type[0] && @@ -510,14 +526,8 @@ cd9660_rrip_loop(struct iso_directory_record *isodir, ISO_RRIP_ANALYZE *ana, result &= ~ISO_SUSP_STOP; break; } - /* plausibility check */ - if (isonum_711(phead->length) < sizeof(*phead)) - break; - /* - * move to next SUSP - * Hopefully this works with newer versions, too - */ - phead = (ISO_SUSP_HEADER *)((char *)phead + isonum_711(phead->length)); + + phead = pnext; } if (ana->fields && ana->iso_ce_len) {home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a296c1e.1f802.270eebf0>