Date: Mon, 18 Nov 2019 04:22:05 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r354802 - head/contrib/file/src Message-ID: <201911180422.xAI4M50F043290@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Mon Nov 18 04:22:04 2019 New Revision: 354802 URL: https://svnweb.freebsd.org/changeset/base/354802 Log: MFV r354798: Apply vendor fixes: 06de62c Detect multiplication overflow when computing sector position 46a8443 Limit the number of elements in a vector (found by oss-fuzz) Requested by: wen MFC after: 3 days Security: CVE-2019-18218 Modified: head/contrib/file/src/cdf.c head/contrib/file/src/cdf.h Directory Properties: head/contrib/file/ (props changed) Modified: head/contrib/file/src/cdf.c ============================================================================== --- head/contrib/file/src/cdf.c Mon Nov 18 04:03:11 2019 (r354801) +++ head/contrib/file/src/cdf.c Mon Nov 18 04:22:04 2019 (r354802) @@ -35,7 +35,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35:27 christos Exp $") +FILE_RCSID("@(#)$File: cdf.c,v 1.116 2019/08/26 14:31:39 christos Exp $") #endif #include <assert.h> @@ -53,6 +53,10 @@ FILE_RCSID("@(#)$File: cdf.c,v 1.114 2019/02/20 02:35: #define EFTYPE EINVAL #endif +#ifndef SIZE_T_MAX +#define SIZE_T_MAX CAST(size_t, ~0ULL) +#endif + #include "cdf.h" #ifdef CDF_DEBUG @@ -405,7 +409,12 @@ cdf_read_sector(const cdf_info_t *info, void *buf, siz const cdf_header_t *h, cdf_secid_t id) { size_t ss = CDF_SEC_SIZE(h); - size_t pos = CDF_SEC_POS(h, id); + size_t pos; + + if (SIZE_T_MAX / ss < CAST(size_t, id)) + return -1; + + pos = CDF_SEC_POS(h, id); assert(ss == len); return cdf_read(info, CAST(off_t, pos), RCAST(char *, buf) + offs, len); } @@ -415,7 +424,12 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *b size_t len, const cdf_header_t *h, cdf_secid_t id) { size_t ss = CDF_SHORT_SEC_SIZE(h); - size_t pos = CDF_SHORT_SEC_POS(h, id); + size_t pos; + + if (SIZE_T_MAX / ss < CAST(size_t, id)) + return -1; + + pos = CDF_SHORT_SEC_POS(h, id); assert(ss == len); if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) { DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" @@ -1013,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const goto out; } nelements = CDF_GETUINT32(q, 1); - if (nelements == 0) { - DPRINTF(("CDF_VECTOR with nelements == 0\n")); + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == %" + SIZE_T_FORMAT "u\n", nelements)); goto out; } slen = 2; @@ -1056,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const goto out; inp += nelem; } - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", - nelements)); for (j = 0; j < nelements && i < sh.sh_properties; j++, i++) { Modified: head/contrib/file/src/cdf.h ============================================================================== --- head/contrib/file/src/cdf.h Mon Nov 18 04:03:11 2019 (r354801) +++ head/contrib/file/src/cdf.h Mon Nov 18 04:22:04 2019 (r354802) @@ -48,6 +48,7 @@ typedef int32_t cdf_secid_t; #define CDF_LOOP_LIMIT 10000 +#define CDF_ELEMENT_LIMIT 100000 #define CDF_SECID_NULL 0 #define CDF_SECID_FREE -1
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201911180422.xAI4M50F043290>