author | Christian Grothoff <christian@grothoff.org> | 2017-10-17 08:50:26 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2017-10-17 08:50:26 +0200 |
commit | d4d488b0e5ab13dda241d688d87a07816368f117 (patch) | |
tree | 0f53107b8689cf1da4d98ac296523b1839dd19af | |
parent | bc2a59d25b35b0e88dab8895cf70b4d18d2844fc (diff) | |
detect integer overflow in DVI extractor
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | src/plugins/dvi_extractor.c | 20 |
2 files changed, 17 insertions, 7 deletions
@@ -1,3 +1,7 @@ | |||
1 | Tue Oct 17 08:49:31 CEST 2017 | ||
2 | Fix integer overflows in DVI extractor found by Leon Zhao, which | ||
3 | could cause SEGVs (read-only). -CG | ||
4 | |||
1 | Sun Oct 15 19:36:41 CEST 2017 | 5 | Sun Oct 15 19:36:41 CEST 2017 |
2 | Fix potential file descriptor leak (on error handling path). | 6 | Fix potential file descriptor leak (on error handling path). |
3 | Fix potential assign-after-free (on IPC error handling path). | 7 | Fix potential assign-after-free (on IPC error handling path). |
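diff --git a/src/plugins/dvi_extractor.c b/src/plugins/dvi_extractor.c
index 1f42497..268b48c 100644
--- a/src/plugins/dvi_extractor.c
+++ b/src/plugins/dvi_extractor.c
@@ -1,6 +1,6 @@
 /*
 This file is part of libextractor.
-Copyright (C) 2002, 2003, 2004, 2012 Vidyut Samanta and Christian Grothoff
+Copyright (C) 2002, 2003, 2004, 2012, 2017 Vidyut Samanta and Christian Grothoff
 
 libextractor is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published
@@ -175,7 +175,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
 if (40 >= (iret = ec->read (ec->cls, &buf, 1024)))
 return;
 data = buf;
-if ((data[0] != 247) || (data[1] != 2))
+if ( (data[0] != 247) ||
+(data[1] != 2) )
 return; /* cannot be DVI or unsupported version */
 klen = data[14];
 size = ec->get_size (ec->cls);
@@ -196,9 +197,11 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
 off += iret;
 }
 pos = size - 1;
-while ((223 == data[pos]) && (pos > 0))
+while ( (223 == data[pos]) &&
+(pos > 0) )
 pos--;
-if ((2 != data[pos]) || (pos < 40))
+if ( (2 != data[pos]) ||
+(pos < 40) )
 goto CLEANUP;
 pos--;
 pos -= 4;
@@ -207,7 +210,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
 goto CLEANUP;
 opos = pos;
 pos = getIntAt (&data[opos + 1]);
-if (pos + 25 > size)
+if ( (pos + 25 > size) ||
+(pos + 25 < pos) )
 goto CLEANUP;
 /* assert pos at 'post' command */
 if (data[pos] != 248)
@@ -219,7 +223,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
 {
 if (UINT32_MAX == pos)
 break;
-if (pos + 45 > size)
+if ( (pos + 45 > size) ||
+(pos + 45 < pos) )
 goto CLEANUP;
 if (data[pos] != 139) /* expect 'bop' */
 goto CLEANUP;
@@ -268,7 +273,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
 }
 /* try to find PDF/ps special */
 pos = opos;
-while (pos < size - 100)
+while ( (size >= 100) &&
+(pos < size - 100) )
 {
 switch (data[pos])
 {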
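Review bot: The wrap checks added at new lines 213–214 and 226–227 (`pos + 25 < pos`, `pos + 45 < pos`) are only well-defined if `pos` is an unsigned type; the `UINT32_MAX == pos` comparison at line 224 suggests uint32_t, but if the declaration (outside the hunk) were signed the addition is undefined behaviour and the compiler is entitled to delete the comparison. A form that never wraps and is correct regardless of the types of `pos` and `size` is `if ( (pos > size) || (size - pos < 25) ) goto CLEANUP;`, and likewise `size - pos < 45` for the bop check; it also reads as the bound it is. `pos = size - 1` at line 199 still assumes `size >= 1`; the earlier `40 >= iret` return only covers this if the read loop above it (partly outside the hunk) guarantees that `size` matches what was actually read, so an explicit `if (0 == size) goto CLEANUP;` or a comment stating that invariant would help the next reader. EXTRACTOR_dvi_extract_method starts and ends outside these hunks.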