author | Christian Grothoff <christian@grothoff.org> | 2017-10-15 19:59:51 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2017-10-15 19:59:51 +0200 |
commit | 71aa4223b2770a9243ddc86457bcd2fdcf47d922 (patch) | |
tree | f3cd03d9039c2c14687da741d6025ad598a225ae | |
parent | b933ab4aa3447ed94701b8fb013f1c765f3375dc (diff) | |
fix potential buffer underflow read in deb_extractor
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | src/plugins/deb_extractor.c | 6 |
2 files changed, 7 insertions, 2 deletions
@@ -3,7 +3,8 @@ Sun Oct 15 19:36:41 CEST 2017 | |||
3 | Fix potential assign-after-free (on IPC error handling path). | 3 | Fix potential assign-after-free (on IPC error handling path). |
4 | Make sure to only pass "unsigned char" to functions like isspace(). | 4 | Make sure to only pass "unsigned char" to functions like isspace(). |
5 | Avoid malloc(0) in DEB extractor under certain conditions. | 5 | Avoid malloc(0) in DEB extractor under certain conditions. |
6 | Properly initialize 'duration' in ffmpeg extractor. -CG | 6 | Properly initialize 'duration' in ffmpeg extractor. |
7 | Fix potential buffer underflow read in DEB extractor. -CG | ||
7 | 8 | ||
8 | Fri Oct 13 12:30:37 CEST 2017 | 9 | Fri Oct 13 12:30:37 CEST 2017 |
9 | Properly check read error in NSF plugin (from signedness confusion) found by Leon Zhao. -CG | 10 | Properly check read error in NSF plugin (from signedness confusion) found by Leon Zhao. -CG |
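--- a/src/plugins/deb_extractor.c
+++ b/src/plugins/deb_extractor.c
@@ -365,6 +365,8 @@ processControlTGZ (struct EXTRACTOR_ExtractContext *ec,
 return 0;
 if (0 == size)
 return 0;
+if (size < 4)
+return 0;
 if (NULL == (cdata = malloc (size)))
 return 0;
 off = 0;
@@ -375,7 +377,9 @@ processControlTGZ (struct EXTRACTOR_ExtractContext *ec,
 free (cdata);
 return 0;
 }
-memcpy (&cdata[off], data, sret);
+memcpy (&cdata[off],
+data,
+sret);
 off += sret;
 }
 bufSize = cdata[size - 4] + (cdata[size - 3] << 8) + (cdata[size - 2] << 16) + (cdata[size - 1] << 24);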
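Review bot: The `bufSize = cdata[size - 4] + ...` line that the new `if (size < 4) return 0;` guard protects still shifts each byte after promotion to `int`, so `cdata[size - 1] << 24` overflows a signed int for byte values of 0x80 and above, and sign-extends first if `cdata` is a plain `char` buffer (its declaration is outside the hunk). Casting each byte before the shift keeps the arithmetic unsigned, e.g. `((unsigned int) (unsigned char) cdata[size - 1] << 24)`, with the four terms combined by `|`. The field appears to be taken from the last four bytes of the input being parsed, so whatever consumes `bufSize` after this hunk should bound it before treating it as a size. A comment on the guard such as `/* the 4-byte little-endian length field is read from the end of cdata below */` would explain the constant, and the preceding `if (0 == size)` test is now redundant. processControlTGZ begins and ends outside the hunks shown.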