commit ffab889c1710c7646af9ed360c796a2a0a619efc
parent 1ff778f387d22d9f18d4e2a25e193d027498c598
Author: Christian Grothoff <christian@grothoff.org>
Date: Fri, 13 Oct 2017 12:27:31 +0200
fix looping in nsfe extractor for problematic chunksize in input file
Diffstat:
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,6 @@
+Fri Oct 13 12:27:38 CEST 2017
+ Protect against problematic integer offset in NSFE plugin found by Leon Zhao. -CG
+
Fri Oct 13 12:15:35 CEST 2017
Protect against integer overflows in PNG plugin found by Leon Zhao. -CG
diff --git a/src/plugins/nsfe_extractor.c b/src/plugins/nsfe_extractor.c
@@ -373,9 +373,9 @@ EXTRACTOR_nsfe_extract_method (struct EXTRACTOR_ExtractContext *ec)
8))
break;
chunksize = nsfeuint (data);
- if (off + chunksize + 8 <= off)
+ if (off + chunksize + 8LLU <= off)
break; /* protect against looping */
- off += 8 + chunksize;
+ off += 8LLU + chunksize;
if (0 == memcmp (data + 4, "INFO", 4))
ret = info_extract (ec, chunksize);
else if (0 == memcmp (data + 4, "auth", 4))
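Review bot: The wrap guard at the `if (off + chunksize + 8LLU <= off)` line only works if `off` itself is at least as wide as `unsigned long long`; if `off` is a narrower type (e.g. a 32-bit `size_t` or `unsigned int`, its declaration is outside the hunk), the 64-bit sum never wraps so the check never fires, while the following `off += 8LLU + chunksize;` silently truncates and can still step backwards — the looping this commit means to fix. A more robust form computes the next offset once in a wide type and validates it before assigning, e.g. `unsigned long long next = off + 8LLU + chunksize; if (next <= off || next > (unsigned long long) <INPUT_SIZE>) break; off = next;`, where `<INPUT_SIZE>` is whatever bound the `if (... 8))` check just above the hunk compares against. That also bounds `chunksize` against the remaining input before it is handed to `info_extract`, which the present check does not do. The body of `EXTRACTOR_nsfe_extract_method` begins and ends outside the hunk.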