Commit 6fcdb8f

Fix integer underflow vulnerability in L3 decode.
Marcin 'Icewall' Noga of Cisco TALOS discovered that the level 3 header decoding routines were vulnerable to an integer underflow, if the 32-bit header length was less than the base level 3 header length. This could lead to an exploitable heap corruption condition. Thanks go to Marcin Noga and Regina Wilson of Cisco TALOS for reporting this vulnerability.
1 parent 2a6cc7f commit 6fcdb8f

1 file changed

+6
-1
lines changed

Diff for: lib/lha_file_header.c

@@ -351,6 +351,10 @@ static uint8_t *extend_raw_data(LHAFileHeader **header,
351351
size_t new_raw_len;
352352
uint8_t *result;
353353

354+
if (nbytes > LEVEL_3_MAX_HEADER_LEN) {
355+
return NULL;
356+
}
357+
354358
// Reallocate the header and raw_data area to be larger.
355359

356360
new_raw_len = RAW_DATA_LEN(header) + nbytes;
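
Review bot: The new guard at the top of extend_raw_data limits nbytes by itself, but the size actually used is the sum computed just below, new_raw_len = RAW_DATA_LEN(header) + nbytes, so the combined length can still exceed LEVEL_3_MAX_HEADER_LEN. Consider bounding the sum instead of (or in addition to) nbytes. The added check also has no comment: a one-line note saying what it protects against, and why a level 3 constant is the limit in a helper whose name is not level specific, would make the intent clear to the next reader.
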
@@ -797,7 +801,8 @@ static int decode_level3_header(LHAFileHeader **header, LHAInputStream *stream)
797801

798802
header_len = lha_decode_uint32(&RAW_DATA(header, 24));
799803

800-
if (header_len > LEVEL_3_MAX_HEADER_LEN) {
804+
if (header_len > LEVEL_3_MAX_HEADER_LEN
805+
|| header_len < RAW_DATA_LEN(header)) {
801806
return 0;
802807
}
803808
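
Review bot: The added lower bound in decode_level3_header, header_len < RAW_DATA_LEN(header), is a strict comparison, so a header_len exactly equal to the current raw data length is accepted; please confirm the code after this check handles a zero-length remainder. The condition also depends on RAW_DATA_LEN(header) being the base level 3 header length at this point, which the commit message states but the code does not, so a short comment above the if would help. The change touches only lib/lha_file_header.c; a regression test with a header whose length field is below the base length would keep this from reappearing.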
