Fix integer underflow vulnerability in L3 decode.

Marcin 'Icewall' Noga of Cisco TALOS discovered that the level 3 header decoding routines were vulnerable to an integer underflow, if the 32-bit header length was less than the base level 3 header length. This could lead to an exploitable heap corruption condition. Thanks go to Marcin Noga and Regina Wilson of Cisco TALOS for reporting this vulnerability.
fragglet · Mar 17, 2016 · 6fcdb8f · 6fcdb8f
1 parent 2a6cc7f
commit 6fcdb8f
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/lib/lha_file_header.c b/lib/lha_file_header.c
@@ -351,6 +351,10 @@ static uint8_t *extend_raw_data(LHAFileHeader **header,
 	size_t new_raw_len;
 	uint8_t *result;
 
+	if (nbytes > LEVEL_3_MAX_HEADER_LEN) {
+		return NULL;
+	}
+
 	// Reallocate the header and raw_data area to be larger.
 
 	new_raw_len = RAW_DATA_LEN(header) + nbytes;
@@ -797,7 +801,8 @@ static int decode_level3_header(LHAFileHeader **header, LHAInputStream *stream)
 
 	header_len = lha_decode_uint32(&RAW_DATA(header, 24));
 
-	if (header_len > LEVEL_3_MAX_HEADER_LEN) {
+	if (header_len > LEVEL_3_MAX_HEADER_LEN
+	 || header_len < RAW_DATA_LEN(header)) {
 		return 0;
 	}