
Commit 1aec04d

committed
Fix bounds checks again.
1 parent 67d1521 commit 1aec04d


1 file changed

+11
-10
lines changed


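--- a/src/cdf.c
+++ b/src/cdf.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.48 2012/02/17 05:27:45 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.49 2012/02/20 20:04:37 christos Exp $")
 #endif
 
 #include <assert.h>
@@ -75,6 +75,7 @@ static union {
 #define CDF_TOLE2(x) ((uint16_t)(NEED_SWAP ? _cdf_tole2(x) : (uint16_t)(x)))
 #define CDF_GETUINT32(x, y) cdf_getuint32(x, y)
 
+
 /*
 * swap a short
 */
@@ -351,13 +352,13 @@ ssize_t
 cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
 size_t len, const cdf_header_t *h, cdf_secid_t id)
 {
-size_t ss = CDF_SEC_SIZE(h);
+size_t ss = CDF_SHORT_SEC_SIZE(h);
 size_t pos = CDF_SHORT_SEC_POS(h, id);
 assert(ss == len);
-if (pos > ss * sst->sst_len) {
+if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
 DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
 SIZE_T_FORMAT "u\n",
-pos, ss * sst->sst_len));
+pos, CDF_SEC_SIZE(h) * sst->sst_len));
 return -1;
 }
 (void)memcpy(((char *)buf) + offs,
@@ -529,7 +530,7 @@ cdf_read_short_sector_chain(const cdf_header_t *h,
 const cdf_sat_t *ssat, const cdf_stream_t *sst,
 cdf_secid_t sid, size_t len, cdf_stream_t *scn)
 {
-size_t ss = CDF_SEC_SIZE(h), i, j;
+size_t ss = CDF_SHORT_SEC_SIZE(h), i, j;
 scn->sst_len = cdf_count_chain(ssat, sid, CDF_SEC_SIZE(h));
 scn->sst_dirlen = len;
 
@@ -798,18 +799,18 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
 goto out;
 for (i = 0; i < sh.sh_properties; i++) {
+size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
 q = (const uint8_t *)(const void *)
-((const char *)(const void *)p +
-CDF_GETUINT32(p, (i << 1) + 1)) - 2 * sizeof(uint32_t);
+((const char *)(const void *)p + ofs
+- 2 * sizeof(uint32_t));
 if (q > e) {
 DPRINTF(("Ran of the end %p > %p\n", q, e));
 goto out;
 }
 inp[i].pi_id = CDF_GETUINT32(p, i << 1);
 inp[i].pi_type = CDF_GETUINT32(q, 0);
-DPRINTF(("%" SIZE_T_FORMAT "u) id=%x type=%x offs=0x%tx,0x%x\n", i,
-inp[i].pi_id, inp[i].pi_type, q - p,
-CDF_GETUINT32(p, (i << 1) + 1)));
+DPRINTF(("%" SIZE_T_FORMAT "u) id=%x type=%x offs=0x%tx,0x%x\n",
+i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
 if (inp[i].pi_type & CDF_VECTOR) {
 nelements = CDF_GETUINT32(q, 1);
 o = 2;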
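Review bot: The `q > e` guard kept in the cdf_read_property_info hunk still lets a stream-supplied `ofs` produce an out-of-range `q`: nothing rejects `ofs < 2 * sizeof(uint32_t)` before it is subtracted, so `q` can land before `p`, and the `CDF_GETUINT32(q, 0)` and `CDF_GETUINT32(q, 1)` reads that follow need eight bytes at `q`, which a check that only rejects `q > e` does not reserve (`q == e` passes and reads entirely past `e`). I would bound `ofs` from below and make the end check leave room for the two words read, as in the sketch below, assuming `e` is the end of the region that the `cdf_check_stream_offset(sst, h, e, 0, __LINE__)` call just above validated — worth confirming. cdf_read_property_info starts before this hunk and continues after it, so the vector branch that begins at `o = 2;` is not reviewed here. The cdf_read_short_sector hunk has the same shape of gap: `pos > CDF_SEC_SIZE(h) * sst->sst_len` does not account for the `len` bytes the following memcpy copies, so comparing `pos + len` against that bound (the memcpy's source and length arguments are outside the hunk) would be the tighter check.
```c
for (i = 0; i < sh.sh_properties; i++) {
	size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
	/* q must stay inside [p, e) with room for the two words read below */
	if (ofs < 2 * sizeof(uint32_t))
		goto out;
	q = (const uint8_t *)(const void *)
	    ((const char *)(const void *)p + ofs
	    - 2 * sizeof(uint32_t));
	if (q > e || (size_t)(e - q) < 2 * sizeof(uint32_t)) {
		DPRINTF(("Ran of the end %p > %p\n", q, e));
		goto out;
	}
	/* … unchanged: pi_id / pi_type decode, DPRINTF and vector handling … */
```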
