Fixed ASAN heap-buffer-overflow when reading frame metalayers. Similar to #279. Variable header_pos is used for checking boundaries when reading name/offsets. Don't need to increase header_pos when seeking to another offset in the header to read metadata.

https://oss-fuzz.com/testcase-detail/5361858753200128
nmoinvaz authored and FrancescAlted committed May 10, 2021
1 parent 4d25107 commit 8a058b7
Showing 1 changed file with 4 additions and 6 deletions.
10 changes: 4 additions & 6 deletions blosc/frame.c
Expand Up @@ -1285,25 +1285,23 @@ static int get_meta_from_header(blosc2_frame_s* frame, blosc2_schunk* schunk, ui
}
// Go to offset and see if we have the correct marker
uint8_t* content_marker = header + offset;
if (header_len < offset + 1 + 4) {
return BLOSC2_ERROR_READ_BUFFER;
}
if (*content_marker != 0xc6) {
return BLOSC2_ERROR_DATA;
}

// Read the size of the content
int32_t content_len;
header_pos += sizeof(content_len);
if (header_len < header_pos) {
return BLOSC2_ERROR_READ_BUFFER;
}
from_big(&content_len, content_marker + 1, sizeof(content_len));
if (content_len < 0) {
return BLOSC2_ERROR_DATA;
}
metalayer->content_len = content_len;

// Finally, read the content
header_pos += content_len;
if (header_len < header_pos) {
if (header_len < offset + 1 + 4 + content_len) {
return BLOSC2_ERROR_READ_BUFFER;
}
char* content = malloc((size_t)content_len);
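Review bot: The final check `header_len < offset + 1 + 4 + content_len` can still be bypassed by integer overflow. `content_len` is an `int32_t` read from the frame and only rejected when negative, so a value near INT32_MAX can wrap the sum if it is evaluated in 32-bit signed arithmetic (the types of `offset` and `header_len` are not visible in this hunk). Because the earlier check already establishes `header_len >= offset + 1 + 4`, comparing by subtraction avoids the wrap: `if (content_len > header_len - (offset + 1 + 4))`. Two smaller points: the literal `1 + 4` now appears in both checks where the removed code used `sizeof(content_len)`, so a named constant for marker byte plus length field would keep them in sync; and `content_marker = header + offset` is computed before the first bounds check, so moving that assignment below the check would avoid forming an out-of-range pointer.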