diff options
| author | Christian Grothoff <christian@grothoff.org> | 2017-10-15 19:59:51 +0200 |
|---|---|---|
| committer | Christian Grothoff <christian@grothoff.org> | 2017-10-15 19:59:51 +0200 |
| commit | 71aa4223b2770a9243ddc86457bcd2fdcf47d922 (patch) | |
| tree | f3cd03d9039c2c14687da741d6025ad598a225ae | |
| parent | b933ab4aa3447ed94701b8fb013f1c765f3375dc (diff) | |
| download | libextractor-71aa4223b2770a9243ddc86457bcd2fdcf47d922.tar.gz libextractor-71aa4223b2770a9243ddc86457bcd2fdcf47d922.zip | |
fix potential buffer underflow read in deb_extractor
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | src/plugins/deb_extractor.c | 6 |
2 files changed, 7 insertions, 2 deletions
| @@ -3,7 +3,8 @@ Sun Oct 15 19:36:41 CEST 2017 | |||
| 3 | Fix potential assign-after-free (on IPC error handling path). | 3 | Fix potential assign-after-free (on IPC error handling path). |
| 4 | Make sure to only pass "unsigned char" to functions like isspace(). | 4 | Make sure to only pass "unsigned char" to functions like isspace(). |
| 5 | Avoid malloc(0) in DEB extractor under certain conditions. | 5 | Avoid malloc(0) in DEB extractor under certain conditions. |
| 6 | Properly initialize 'duration' in ffmpeg extractor. -CG | 6 | Properly initialize 'duration' in ffmpeg extractor. |
| 7 | Fix potential buffer underflow read in DEB extractor. -CG | ||
| 7 | 8 | ||
| 8 | Fri Oct 13 12:30:37 CEST 2017 | 9 | Fri Oct 13 12:30:37 CEST 2017 |
| 9 | Properly check read error in NSF plugin (from signedness confusion) found by Leon Zhao. -CG | 10 | Properly check read error in NSF plugin (from signedness confusion) found by Leon Zhao. -CG |
diff --git a/src/plugins/deb_extractor.c b/src/plugins/deb_extractor.c index afbe8bb..2eb0028 100644 --- a/src/plugins/deb_extractor.c +++ b/src/plugins/deb_extractor.c | |||
| @@ -365,6 +365,8 @@ processControlTGZ (struct EXTRACTOR_ExtractContext *ec, | |||
| 365 | return 0; | 365 | return 0; |
| 366 | if (0 == size) | 366 | if (0 == size) |
| 367 | return 0; | 367 | return 0; |
| 368 | if (size < 4) | ||
| 369 | return 0; | ||
| 368 | if (NULL == (cdata = malloc (size))) | 370 | if (NULL == (cdata = malloc (size))) |
| 369 | return 0; | 371 | return 0; |
| 370 | off = 0; | 372 | off = 0; |
| @@ -375,7 +377,9 @@ processControlTGZ (struct EXTRACTOR_ExtractContext *ec, | |||
| 375 | free (cdata); | 377 | free (cdata); |
| 376 | return 0; | 378 | return 0; |
| 377 | } | 379 | } |
| 378 | memcpy (&cdata[off], data, sret); | 380 | memcpy (&cdata[off], |
| 381 | data, | ||
| 382 | sret); | ||
| 379 | off += sret; | 383 | off += sret; |
| 380 | } | 384 | } |
| 381 | bufSize = cdata[size - 4] + (cdata[size - 3] << 8) + (cdata[size - 2] << 16) + (cdata[size - 1] << 24); | 385 | bufSize = cdata[size - 4] + (cdata[size - 3] << 8) + (cdata[size - 2] << 16) + (cdata[size - 1] << 24); |