Skip to content
Browse files

Fix integer underflow vulnerability in L3 decode.

Marcin 'Icewall' Noga of Cisco TALOS discovered that the level 3 header
decoding routines were vulnerable to an integer underflow, if the 32-bit
header length was less than the base level 3 header length. This could
lead to an exploitable heap corruption condition.

Thanks go to Marcin Noga and Regina Wilson of Cisco TALOS for reporting
this vulnerability.
  • Loading branch information...
fragglet committed Mar 17, 2016
1 parent 2a6cc7f commit 6fcdb8f1f538b9d63e63a5fa199c5514a15d4564
Showing with 6 additions and 1 deletion.
  1. +6 −1 lib/lha_file_header.c
@@ -351,6 +351,10 @@ static uint8_t *extend_raw_data(LHAFileHeader **header,
size_t new_raw_len;
uint8_t *result;

if (nbytes > LEVEL_3_MAX_HEADER_LEN) {
return NULL;

// Reallocate the header and raw_data area to be larger.

new_raw_len = RAW_DATA_LEN(header) + nbytes;
@@ -797,7 +801,8 @@ static int decode_level3_header(LHAFileHeader **header, LHAInputStream *stream)

header_len = lha_decode_uint32(&RAW_DATA(header, 24));

if (header_len > LEVEL_3_MAX_HEADER_LEN) {
if (header_len > LEVEL_3_MAX_HEADER_LEN
|| header_len < RAW_DATA_LEN(header)) {
return 0;

0 comments on commit 6fcdb8f

Please sign in to comment.
You can’t perform that action at this time.